How to enable Active Directory Sync (LDAP Discovery)

Situation – You want to sync OnPrem Active Directory accounts to Spambrella/Proofpoint.
Solution – Enable Active Directory Sync according to instructions below, and additional information such as:

  • Configuring Active Directory sync
  • Manually performing Active Directory sync

The preferred method of user synchronization is via LDAP Discovery using Spambrella Active Directory connector module. This allows the Platform to import:

  • Active users (including both primary email address and user aliases)
  • Distribution lists
  • Security groups (both standard and mail-enabled)
  • Public folders

Enable Active Directory Sync

If you have Active Directory located on your premises, you can use the Active Directory Sync option to add and automatically sync user accounts and groups between environments.


Before you begin, you will need the following:

  1. An inbound connection that allows  IP range to connect to your domain controller.
  2. A user account with read permissions to Active Directory.
  3. A user account with administrator privileges.
  4. The Base DN (Distinguished Name).
    • The Base DN is the starting point for directory server searches
    • For example: DC=mycompany,DC=com, the Connector starts from this DN to create the list of users and groups to sync


The standard protocol for reading data to Active Directory is LDAP. LDAP traffic is unsecured by default. To make LDAP traffic secure, you can use the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocols. This combination is referred to as LDAP over SSL — or LDAPS.

To set up your domain controller to accept LDAP over SSL, please refer to the following Microsoft article: How to enable LDAP over SSL

Configure Active Directory Sync in Spambrella/Proofpoint

  1. Log in to the user interface
  2. Navigate to Administration > User Management > Import & Sync > Active Directory Sync.
  3. From the Default New User Role dropdown, select the option to use for user accounts added.
    1. Silent User – A user account with a silent user role will receive the quarantine digest email but will not have login rights to the interface.
    2. End-User – A user account with an end-user role Will receive the quarantine digest email and will have login rights to the interface.
  4. For Active Directory URL, specify the IP address or hostname of your Active Directory that Spambrella will connect to.
  5. Specify the Username and Password of the account.
  6. From the Port dropdown, select the desired connection port.
    • LDAP (389)
    • LDAP over SSL (636)
  7. Enter the Base DN that Spambrella should use to connect to your Active Directory.

    For example, DC=mycompany,DC=local The Active Directory configuration is stored in the customer creation process and is executed by the administrator once the customer has been created. Active Directory sync requires the customer to allow Spambrella to access the environment over Port 389. Connections are over TLS.

  8. Under What To Sync, enable the options you would like the service to sync.
  9. For How To Sync, enable the desired options.
    1. Add Create new user accounts and groups.
    2. Sync Updated Accounts Update existing user accounts and groups.
    3. Delete Removed Accounts Remove accounts that are no longer found in Active Directory.
  10. For When To Sync, select the desired frequency from the Sync frequency dropdown.

Manually Perform Active Directory Sync 

If you checked a time-frequency to sync in the Active Directory settings, sync is automatically performed. Otherwise, you need to force a sync.

  1. Navigate to Administration > User Mangement > Import & Sync > Active Directory Sync.
  2. Click Search Now.
  3. Review the search results.
  4. Click Sync Active Directory.