User Directory

From UntangleWiki


Untangle Server User's Guide

Please Note: Most of the features discussed in this User Guide are available in the Open Source version of the Untangle Server software; however, some features are only available on a subscription basis. For a current listing of features and pricing, have a look at the Untangle Price List.


About User Access and User Authentication

The Untangle Server uses two types of user directories for two main purposes:

  • Local LDAP Directory: A user directory stored on the Untangle Server. It can store the login, name, email, and password information on an unlimited number of users.
  • Active Directory (AD) Server: A user directory that uses Microsoft's implementation of LDAP directory services for use in Windows environments.

These two directory types are used by the Untangle Server in the following ways. You might decide to use one method or, if you have an AD Server, you might use both methods. If your company hires temporary employees or contractors, and you do not want to update the AD Server with the temporary users, you can add the temporary employees to the Local LDAP Directory, and permanent employees to the AD Server.

Authentication method | Start here
Use LDAP for authentication with the Untangle Server's Remote Access Portal (RAP). | Enabling LDAP Authentication for Remote Access Portal
Use Active Directory for authentication with RAP. | Enabling Active Directory Authentication for Remote Access Portal
Use Active Directory for authentication with reporting and policy enforcement. For example, if you want to report on user activity by login ID or use virtual racks for specific login IDs, you could use Active Directory to achieve this goal. | Enabling Active Directory Authentication for Reports and Policies

When a user attempts access with Remote Access Portal, the Untangle Server first attempts authentication using the Active Directory Server, if one is specified:

  • If the user does not exist, the Untangle Server attempts authentication using the Local LDAP Directory.
  • If the user exists in the AD Server, but the password is incorrect, the User Directory will not attempt a lookup in the Local LDAP Directory.
  • If no AD Server is specified, the Untangle Server uses the Local LDAP Directory.
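The three rules above amount to a small decision procedure, and the second one is the one that surprises people: a login that exists in AD with a wrong password fails outright, even if the Local LDAP Directory holds the same login with a password that would have matched. The model below is an added illustration, not Untangle's code; the directory class, the password digest and the sample accounts are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


def _digest(password: str) -> str:
    """Stand-in for whatever password storage the real directories use (constructed)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class Directory:
    """A minimal user store: knows whether a login exists and whether a password matches."""

    def __init__(self, name: str, accounts: Dict[str, str]) -> None:
        self.name = name
        self._hashes = {login: _digest(pw) for login, pw in accounts.items()}

    def has_user(self, login: str) -> bool:
        return login in self._hashes

    def check_password(self, login: str, password: str) -> bool:
        stored = self._hashes.get(login)
        if stored is None:
            return False
        # Constant-time comparison so timing does not reveal how much of the digest matched.
        return hmac.compare_digest(stored, _digest(password))


@dataclass
class AuthResult:
    ok: bool
    source: Optional[str]  # name of the directory that decided; None if nobody accepted
    reason: str


def authenticate(login: str, password: str, local: Directory, ad: Optional[Directory]) -> AuthResult:
    """Apply the three lookup rules from the text, in order."""
    if ad is not None:
        if ad.has_user(login):
            if ad.check_password(login, password):
                return AuthResult(True, ad.name, "accepted by Active Directory")
            # Rule 2: the login exists in AD and the password is wrong, so the
            # local directory is NOT consulted, even if it holds the same login.
            return AuthResult(False, ad.name, "rejected by Active Directory; local directory not consulted")
        # Rule 1: unknown to AD, fall through to the local directory.
    # Rule 3 (and the tail of rule 1): no AD configured, or AD has no such user.
    if local.check_password(login, password):
        return AuthResult(True, local.name, "accepted by local LDAP directory")
    return AuthResult(False, None, "unknown login or wrong password")


# Constructed sample directories; these are not real accounts.
AD_DIR = Directory("Active Directory", {"alice": "AdSecret1"})
LOCAL_DIR = Directory("Local LDAP", {"alice": "LocalSecret1", "contractor": "TempPass1"})

if __name__ == "__main__":
    cases = [("alice", "AdSecret1", AD_DIR), ("alice", "LocalSecret1", AD_DIR),
             ("contractor", "TempPass1", AD_DIR), ("alice", "LocalSecret1", None)]
    for login, pw, ad in cases:
        r = authenticate(login, pw, LOCAL_DIR, ad)
        print(f"{login:10} ad_configured={ad is not None!s:5} ok={r.ok!s:5} via={r.source} ({r.reason})")
```

The second case is the one to notice when troubleshooting RAP logins: "alice" with her local password is refused because AD answered first, so a user who exists in both directories must use the AD password whenever an AD Server is configured.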

For more information about Active Directory, go to Microsoft's Active Directory portal.


About Active Directory Login Script

If you want to enable Active Directory authentication for reports and policies, the Untangle Server uses an Active Directory Login Script (ADLS) to accomplish this goal. You do not need ADLS to enable Active Directory authentication for remote access portal.

The ADLS is a program installed on your network clients using a group policy. Once installed on a client, the script runs each time the user logs on to the network and immediately notifies the Untangle Server that the user is on the network; the Untangle Server remembers the user's IP address, and any activity from that IP address is automatically mapped to the user's username. Now, you're probably wondering how this can possibly work in a dynamic DHCP environment. Let me explain.

  • If the user receives a different dynamic IP address, for example because the user moved from a wired connection to a wireless one, the script notifies Untangle after five minutes, because the script runs every 5 minutes.
  • If Untangle doesn't hear from the script for 30 minutes, the Untangle Server automatically clears the most recent IP address record for that user.
  • If the user logs back in, the script runs and updates the Untangle Server with the new information.
  • If for some reason the script stops responding but the user still holds the same dynamic IP address, there is no chance that Untangle will associate that IP address with some other user, because the client still holds its DHCP lease on that address.
  • If the user logs off the network, then logs back in, the script notifies the Untangle Server, and the Untangle Server updates its IP address record for that user.
  • Note that because the Active Directory Connector works by mapping Active Directory user names to IP addresses, any IP address sharing among users will mean that they cannot be distinguished from each other. For example, some Terminal Server implementations use a shared IP address for all users logged into the Terminal Server. The Active Directory Connector will not be able to tell these users apart for any activity that takes place through the Terminal Server.
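The bullets above describe a per-user record that is refreshed by each 5-minute check-in and dropped after 30 minutes of silence, plus the Terminal Server case where one address carries several users. The simulation below replays those scenarios on a constructed timeline; it is an added example, not Untangle's implementation, and the intervals are the two figures from the text.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Intervals stated in the text: the script reports every 5 minutes, and a record
# that has gone 30 minutes without a report is cleared.
REPORT_INTERVAL_S = 5 * 60
EXPIRY_S = 30 * 60


@dataclass
class Record:
    ip: str
    last_seen: float  # seconds; the caller supplies the clock so the replay is deterministic


class AddressMap:
    """One current IP record per username, as the text describes."""

    def __init__(self) -> None:
        self._by_user: Dict[str, Record] = {}

    def report(self, username: str, ip: str, now: float) -> None:
        """Called whenever the logon script checks in; a changed IP simply replaces the record."""
        self._by_user[username] = Record(ip, now)

    def expire(self, now: float) -> List[str]:
        """Clear every record not refreshed within EXPIRY_S; return the usernames cleared."""
        stale = [u for u, r in self._by_user.items() if now - r.last_seen > EXPIRY_S]
        for u in stale:
            del self._by_user[u]
        return stale

    def users_for(self, ip: str, now: float) -> List[str]:
        """All users whose current record points at ip, after expiring stale records."""
        self.expire(now)
        return sorted(u for u, r in self._by_user.items() if r.ip == ip)

    def attribute(self, ip: str, now: float) -> Optional[str]:
        """The username to report activity from ip under, or None when users cannot be told apart."""
        users = self.users_for(ip, now)
        return users[0] if len(users) == 1 else None


def walkthrough() -> dict:
    """Replays the scenarios from the list above on a constructed timeline; returns what each lookup sees."""
    m = AddressMap()
    seen = {}
    m.report("alice", "10.0.0.5", now=0)                          # alice logs on, wired
    seen["wired"] = m.attribute("10.0.0.5", now=60)
    t_move = REPORT_INTERVAL_S                                    # next check-in reports the wireless address
    m.report("alice", "10.0.0.77", now=t_move)
    seen["old_ip_after_move"] = m.attribute("10.0.0.5", now=t_move + 1)
    seen["new_ip_after_move"] = m.attribute("10.0.0.77", now=t_move + 1)
    seen["silent_under_30min"] = m.attribute("10.0.0.77", now=t_move + EXPIRY_S - 60)  # still mapped
    seen["silent_over_30min"] = m.attribute("10.0.0.77", now=t_move + EXPIRY_S + 60)   # record cleared
    t_ts = t_move + EXPIRY_S + 100                                # two users behind one Terminal Server address
    m.report("bob", "192.0.2.10", now=t_ts)
    m.report("carol", "192.0.2.10", now=t_ts)
    seen["terminal_server"] = m.attribute("192.0.2.10", now=t_ts + 10)
    seen["terminal_server_candidates"] = m.users_for("192.0.2.10", now=t_ts + 10)
    return seen


if __name__ == "__main__":
    for scenario, result in walkthrough().items():
        print(f"{scenario:28} -> {result}")
```

The last two entries are the Terminal Server caveat in code: both records are valid, so the lookup can only report that the address is ambiguous, which is why activity through a shared address cannot be attributed to one login.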

Supported Active Directory Configurations

The Untangle Server's Active Directory integration is designed to address the most common needs of small to medium sized businesses. Although the requirements below are very specific, they are easily met in most small to medium sized business computing environments.

Supported Server OS

AD Server OS | Supported
Windows Small Business Server 2003 | Yes
Windows Small Business Server 2003, R1 | Yes
Windows Small Business Server 2003, R2 | Yes
Windows Server 2003, Standard SP2 | Yes
Windows Server 2003, Standard R2 | Yes
Windows 2000 Server | Yes
Windows NT 4.0 Server | No

Supported Client OS

  • Windows 2000 Professional (5.0 SP4 Rollup 1 v2) or later
  • Windows XP Professional SP2 (5.1.2600 Service Pack 2) or later
  • Windows Vista (6.0 Build 6000) or later


Supporting Over 1,000 AD Users

As of version 5.2.1, Untangle can read more than 1,000 users from AD, but AD must be configured to return more than 1,000 users. Run the following commands from a command prompt on the AD server (each line is typed at the ntdsutil prompt) to allow AD to return up to 5,000 users:

ntdsutil.exe
LDAP policies
Connections
Connect to server addomainname.local
Quit
Set MaxPageSize to 5000
Commit Changes
Quit
Quit



Preparing for Active Directory Integration

To prepare for Active Directory integration:

  1. Ensure that your Active Directory users are in one domain. Users can be in multiple Active Directory Organizational Units (OUs), but must be under one domain. Multiple domains are not supported at this time.
  2. If you are not using the Untangle Server as your DNS server, ensure that your Untangle Server has a static WAN IP address from your Internet Service Provider.

Enabling LDAP Authentication for Remote Access Portal

To add a user to the Local LDAP Directory:

  1. From the Navigation Pane, click the Config tab > User Directory. The User Directory Config window launches.
  2. From the Local Directory tab, click the green plus (add) button to the left of the table.
  3. In the new entry, provide the user's account information, and click the Save Settings button.
Figure, Adding LDAP Users


Enabling Active Directory Authentication for Remote Access Portal

The Untangle Server requires access to your Active Directory Server (ADS) in order for RAP users to authenticate using the Untangle Server's Active Directory Integration. For more information about Active Directory, go to Microsoft's Active Directory portal.

Task | Go to
1. Ensure that your platform is supported. | Supported Active Directory Configurations
2. Prepare your configuration. | Preparing for Active Directory Integration
3. Provide the Untangle Server access to your Active Directory server. | Providing Untangle Server Access To Your Active Directory Server

Provide Untangle Server Access To Your Active Directory Server

To provide the Untangle Server access to your Active Directory Server:

Before You Begin:

  1. Log in to the Active Directory server, then log on remotely to the Untangle Server.
  2. Determine Active Directory's default port for TCP traffic. The Active Directory server and Untangle must be able to communicate. By Default, Active Directory communicates on port 389, so Untangle is configured by default to communicate with Active Directory on port 389.
    • If Active Directory's default port is 389, open port 389.
    • If port 389 is being used by another server, change and open the Active Directory's default port, then proceed to the next step to access the Untangle Server and change the default port on the Untangle Server.
  3. Log in to Untangle and, from the Navigation pane, choose Config > User Directory. The User Directory Config window launches.
  4. Click the Remote Active Directory (AD) Server tab.
  5. Select the Enabled radio button.
  6. Provide the AD Server IP in the Host field.
  7. Specify the port on which Untangle communicates with your Active Directory server. You identified this port in Step 2.
  8. Provide the Active Directory domain name and the username and password for an administrator account. Authentication login requires administrator privileges. The Untangle Server traverses the entire domain to locate the account that you specify, so the account can reside in any folder, and you don't need to specify which folder. The Untangle Server automatically finds the account that you specify.
  9. Click the Active Directory Test button. You will be asked to save your Settings. Click Continue.
    • If you receive a Success! message, you have successfully enabled access to the Active Directory Server.
    • If you receive a Failure! message, the Active directory test failed.
  10. Add your users to RAP. If Active Directory has been correctly configured, you will be presented with all the users Untangle can see from Active Directory.
  11. Test the Remote Access Portal login: from a Web browser, go to the Untangle Server's IP address and confirm that the account can log in.
  12. Next Step: If you intend to use Active Directory for reporting or custom policies, do so now. Go to Enabling Active Directory Authentication for Reports and Policies.


Enabling Active Directory Authentication for Reports and Policies

You can configure your Untangle Server to use Active Directory to:

  • Generate reports by login ID for User Activity Summary, Web Filter, Protocol Control and Spyware Blocker instead of by IP address. Untangle reports are much easier to read when activity corresponds to a username: client IP addresses are usually dynamic, and it's impossible to remember a user's IP address even when your users have static addresses.
  • Use login ID, instead of IP addresses, to enforce Virtual Rack policies using Policy Manager.

To implement this functionality, you'll use an Active Directory Login Script (ADLS). To learn how this script works, go to About Active Directory Login Script. If you don't care about the "nitty-gritty", let's move on. To enable Active Directory authentication for reports and policies, perform the following sequence of tasks:

Task | Go to
1. Ensure that your platform is supported. | Supported Active Directory Configurations
2. Prepare your configuration. | Preparing for Active Directory Integration
3. Configure your Untangle Server for Active Directory Server. | Configuring Your Untangle Server for Active Directory
4. Download the Active Directory Login Script. | Downloading Active Directory Login Script
5. Install and enable the Active Directory Login Script. | Installing Active Directory Login Script
6. Verify that Active Directory authentication is working properly. | Testing Active Directory Authentication for Policies


Configure Your Untangle Server for Active Directory

You must enable Untangle access to the Active Directory Server. Just as when you configure Active Directory for Remote Access Portal, you must enable access to the Active Directory Server from the Untangle Server. If you have already done this, you can proceed to Download Active Directory Login Script.

To enable the Untangle Server access to Active Directory:

  1. Log on to the Active Directory server, then log on remotely to the Untangle Server.
  2. Determine Active Directory's default port for TCP traffic. The Active Directory server and Untangle must be able to communicate. By default, Active Directory communicates on port 389, so Untangle is configured by default to communicate with Active Directory on port 389.
    • If Active Directory's default port is 389, open port 389.
    • If port 389 is being used by another server, change and open the Active Directory's default port, then proceed to the next step to access the Untangle Server and change the default port on the Untangle Server.
  3. Log in to Untangle and, from the Navigation pane, choose Config > User Directory. The User Directory Config window launches.
  4. Click the Remote Active Directory (AD) Server tab.
  5. Select the Enabled radio button, then specify the following:
    • AD Server IP or Host name. The IP address of the Active Directory Server.
    • Port. The port on which Untangle communicates with your Active Directory server. You identified this port in Step 2.
    • Authentication Login and Authentication Password. The username and password for an administrator account. Authentication login requires administrator privileges. The Untangle Server traverses the entire domain to locate the account that you specify, so the account can reside in any folder, and you don't need to specify which folder. The Untangle Server automatically finds the account that you specify.
    • Active Directory Domain. The ADS domain name.
    • (Optional) Active Directory Organization. The Active Directory organizational unit (OU) that contains the users.
      • If you want the Untangle Server to find all your users, leave the Active Directory Organization field empty.
      • If, for some reason, you want to specify the OU and your users reside in more than one location, specify the highest OU that contains all of them. For example, to include only the users under the SBSUsers OU, enter:
        ou=SBSUsers
    Figure, Multiple AD OUs
  6. Click the Active Directory Test button. The Untangle Server asks you to save your settings. Click Continue.
    • If you receive a Success! message, you have successfully enabled access to the Active Directory Server.
    • If you receive a Failure! message, the Active Directory test failed.
  7. Click the Active Directory Users button. The Untangle Server outputs a list of users in the text box. If the list does not include the users that you expect:
    • Verify that you have the correct domain.
    • Verify that you have the correct OU, if you specified an OU.

Next Step: Download Active Directory Login Script.
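The domain and optional OU settings in step 5 together define the subtree Untangle searches, and step 7's troubleshooting advice (check the domain, check the OU) comes down to asking whether each expected account's distinguished name sits under that subtree. The helper below is an added example, not Untangle's code: it builds the search base those two settings imply and reports which of a constructed list of user DNs would be left out. The DN splitting handles backslash-escaped commas (as in `CN=Doe\, John`); it does not attempt full RFC 4514 normalisation.

```python
from typing import List


def split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas; a backslash escapes the next character."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def normalize_rdn(rdn: str) -> str:
    """Lower-case type and value and drop spaces around '=', so OU=SBSUsers and ou=sbsusers compare equal."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def domain_to_dn(domain: str) -> str:
    """addomainname.local -> dc=addomainname,dc=local"""
    labels = [label for label in domain.strip().strip(".").split(".") if label]
    return ",".join(f"dc={label}" for label in labels)


def search_base(domain: str, ou: str = "") -> str:
    """The base the Untangle settings imply: the OU value, if any, prefixed to the domain's DN.
    An empty OU means the whole domain, as the text says."""
    ou = ou.strip().strip(",")
    return f"{ou},{domain_to_dn(domain)}" if ou else domain_to_dn(domain)


def in_scope(user_dn: str, base: str) -> bool:
    """True when user_dn sits below base (suffix match on normalized RDNs)."""
    user = [normalize_rdn(r) for r in split_rdns(user_dn)]
    suffix = [normalize_rdn(r) for r in split_rdns(base)]
    return len(user) > len(suffix) and user[-len(suffix):] == suffix


def users_outside(user_dns: List[str], domain: str, ou: str = "") -> List[str]:
    """The DNs that a given domain/OU setting would leave out of the Active Directory Users list."""
    base = search_base(domain, ou)
    return [dn for dn in user_dns if not in_scope(dn, base)]


# Constructed sample DNs for the SBSUsers example in the text; not real accounts.
SAMPLE_USERS = [
    "CN=Jane Doe,OU=SBSUsers,DC=addomainname,DC=local",
    "CN=Doe\\, John,OU=Staff,OU=SBSUsers,DC=addomainname,DC=local",  # escaped comma, nested OU
    "CN=Temp Worker,OU=Contractors,DC=addomainname,DC=local",        # sibling OU, outside SBSUsers
    "CN=Remote Admin,CN=Users,DC=otherdomain,DC=local",              # second domain: never visible
]

if __name__ == "__main__":
    for ou in ("ou=SBSUsers", ""):
        print(f"base {search_base('addomainname.local', ou)!r} leaves out:")
        for dn in users_outside(SAMPLE_USERS, "addomainname.local", ou):
            print("   ", dn)
```

Run against the sample list, the SBSUsers setting leaves out the Contractors account and the second-domain account; clearing the OU brings the Contractors account back, but the second-domain account stays out, which matches the single-domain limitation stated under Preparing for Active Directory Integration.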


Download Active Directory Login Script

This procedure assumes that you are logged on to the Active Directory Server and are remotely logged on to the Untangle Server.

  1. From the User Directory Config window, click the AD Lookup Script button. The Active Directory Login Script download page launches.
  2. Click the download link. The Active Directory login script now resides on your AD Server; next you need to install the script in the correct location. The file name is adlogon_user.vbs.

Next Step: Install Active Directory Login Script.


Install Active Directory Login Script

All network clients need access to the Active Directory Login Script (ADLS), but you don't need to install the ADLS script on every network client. Simply install the ADLS script on the Active Directory Server, then create a group policy that forces users to execute this script each time they log on to the network. This way the user can't accidentally delete the script, and it's easier to update the script if it changes. There are two ways to install the AD login script:

To apply the AD login script to the entire domain:

Before You Begin: Download the Active Directory login script.

  1. Download the Group Policy Management tool, which is installed by default in R2.
  2. Log on to the domain controller (Active Directory Server), then launch the Group Policy Management tool by doing one of the following:
    • Start > Program files > Administrative Tools > Group Policy Management.
    • From a command line prompt, run gpmc.msc.
    Figure, Launch Group Policy Management Tool
  3. Create the group policy:
    1. From Group Policy Management, right-click on the domain and select Create and Link a GPO here. The New GPO dialogue box appears.
    2. Specify a name for the group policy. Consider including Untangle in the group policy name. The new group policy appears in the list of group policies.
    Figure, Create Group Policy
  4. Add the AD Lookup Script to the policy:
    1. Right-click on the group policy that you just created, and click Edit.
    Figure, Launch Edit Window
    2. Go to User Configuration > Windows Settings > Scripts (Logon/Logoff). The Scripts (Logon/Logoff) window appears in the right frame.
    3. Click on the Logon icon. The Logon Properties window appears.
    4. Click the Show Files button. A Windows Explorer window launches.
    5. Copy the adlogon_user.vbs file that you downloaded in Download Active Directory Login Script to this location.
    6. Click the Add button, browse for the script, then click OK.
    Figure, Add AD Script To Policy
  5. Apply users to the group policy:
    1. In the Logon Properties window, click on the Add button, type a descriptive script name, then click OK.
    2. In the Select User, Computer or Group window, select the OU or Group to which you want to apply this GPO.
    Figure, Add Users To Policy
  6. From a command line prompt, activate the group policy that you just created:
     gpupdate /force

To apply the AD lookup script for specific users:

  1. Log on to the domain controller (Active Directory Server), then save the adlogon_user.vbs file to \\localhost\NETLOGON.
  2. Using an editor, create a local.bat file that has the following lines (replace ADServerIPAddress with the address of your AD server):
     @echo off
     \\ADServerIPAddress\netlogon\adlogon_user.vbs
  3. Save the local.bat file to \\localhost\NETLOGON.
  4. From the domain, go to the Users folder.
  5. Right-click the user that requires the AD Login script. The Properties window appears.
  6. Click the Profile tab and, in the Logon script field, type the name of the AD Login script.
  7. Launch the Group Policy Management Console (GPMC), then launch the Group Policy Object Editor.
  8. Copy the adlogon_user.vbs file that you downloaded in Download Active Directory Login Script to this location. You return to the Logon Properties window.

Next Step: Test Active Directory Authentication for Policies.


Test Active Directory Authentication for Policies

This section assumes that you understand virtual racks and how to create and configure virtual racks and custom policies.

To test Active Directory authentication for policies:

  1. From your Active Directory Server, log on remotely to the Untangle Server.
  2. Do the following:
    1. Create a new virtual rack and install Web Content Control.
    2. Configure a custom policy to block all TCP traffic, and add it to the virtual rack that you just created.
    3. Add an Active Directory user to that policy.
  3. From a network client, log in as one of the AD users that you added to the policy.
  4. Launch a browser, and go to http://myspace.com. Note: the first time you make the request, the policy might not be applied if the user had the TCP process running before you configured the custom policy. However, the custom policy applies to all subsequent access attempts.
  5. Once more, go to http://myspace.com. If your AD integration works, the Untangle Server prevents you from visiting that site.