

In document Untangle Admin Guide (Page 130-135)

Can I use my existing Active Directory groups to create policies for different groups of users?

4. From the domain, go to the Users folder

5. Right-click the user that requires the AD Login script. The Properties window appears.

6. Click the Profile tab and in the Logon script field type the name of the AD Login script.

7. Launch the Group Policy Management Console (GPMC), then launch the Group Policy Object Editor.

8. Copy the adlogon_user.vbs file that you downloaded in X to this location. You return to the Logon Properties window.

Supported Active Directory Configurations

The Untangle Server's Active Directory integration is designed to address the most common needs of small-to-medium-sized businesses. Although the requirements below are very specific, they are easily met in most small-to-medium-sized business computing environments.

Supported Server OS

AD Server OS Support

Windows Server 2008 Yes*

Windows Small Business Server 2008 Yes*

Windows Small Business Server 2003 Yes

Windows Small Business Server 2003, R1 Yes

Windows Small Business Server 2003, R2 Yes

Windows Server 2003, Standard SP2 Yes

Windows Server 2003, Standard R2 Yes

Windows 2000 Server Yes

Windows NT 4.0 Server No

Note: For Windows Server 2008, if you've installed it with the strictest security settings, you must disable the signed LDAP security requirement. For more information, please follow the instructions here but disable the requirement instead. You should then run gpupdate /force on the server to update the group policy in effect.

Supported Client OS

Windows 2000 Professional (5.0 SP4 Rollup 1 v2) or later

Windows XP Professional SP2 (5.1.2600 Service Pack 2) or later

Windows Vista (6.0 Build 6000) or later

RADIUS

The RADIUS connector enables authentication to directory services using the RADIUS protocol. Other applications such as Captive Portal can use the RADIUS connector to authenticate and identify users.

To configure RADIUS:

1. Open the Settings on Directory Connector and open the RADIUS tab

2. Click the 'Enabled' checkbox to enable the RADIUS connector

3. Enter the directory server's IP in RADIUS Server IP or Hostname:

4. Enter the port to communicate with the directory server (default: 1812) in Port:

5. Enter the shared secret from the RADIUS Server in Shared Secret:

6. Select the Authentication Method supported by the server. Options are CLEARTEXT, PAP, CHAP

7. Test your setup using the RADIUS test.

8. Click the Save button.

After RADIUS is configured, you can configure Captive Portal to use RADIUS authentication to validate usernames.
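The exchange that the RADIUS test in step 7 exercises, shown here as an added example that is not Untangle's code nor the RADIUS connector's implementation: a minimal RFC 2865 client that builds an Access-Request with either PAP (hidden User-Password) or CHAP credentials, a constructed stand-in for the RADIUS server that checks them against a hypothetical user list, and the client-side check of the Response Authenticator. The user list, passwords and shared secrets are constructed sample values; the CLEARTEXT option from step 6 is not modelled. The point it makes for a practitioner is how a wrong Shared Secret shows up: with PAP the server cannot recover the password and rejects, and with both methods the client cannot validate the server's reply.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60

# Constructed sample directory: username -> password (hypothetical, not from the page)
USERS = {b"alice": b"correct horse"}


def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return bytes(out)


def pap_reveal(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of pap_hide. A wrong shared secret yields garbage rather than an error.
    Trailing NUL padding is stripped, so passwords ending in NUL bytes are not representable."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3 / RFC 1994: CHAP-Password = ident || MD5(ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, body, request_auth, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_access_request(ident, username, password, method, secret):
    """Client side: a fresh random Request Authenticator per request, then PAP or CHAP attributes."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, username)]
    if method == "PAP":
        attrs.append((USER_PASSWORD, pap_hide(password, secret, request_auth)))
    elif method == "CHAP":
        challenge = os.urandom(16)
        attrs += [(CHAP_PASSWORD, chap_response(ident, password, challenge)),
                  (CHAP_CHALLENGE, challenge)]
    else:
        raise ValueError("unsupported method")
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def simulate_server(request, secret, users):
    """Constructed stand-in for the RADIUS server: checks the credential, signs Accept/Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("bad request")
    request_auth = request[4:20]
    attrs = decode_attrs(request[20:length])
    stored = users.get(attrs.get(USER_NAME))
    ok = False
    if stored is not None and USER_PASSWORD in attrs:
        ok = hmac.compare_digest(pap_reveal(attrs[USER_PASSWORD], secret, request_auth), stored)
    elif stored is not None and len(attrs.get(CHAP_PASSWORD, b"")) == 17:
        chap = attrs[CHAP_PASSWORD]
        challenge = attrs.get(CHAP_CHALLENGE, request_auth)
        ok = hmac.compare_digest(chap, chap_response(chap[0], stored, challenge))
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    sig = response_authenticator(reply, ident, b"", request_auth, secret)
    return build_packet(reply, ident, sig, [])


def verify_response(response, request_auth, secret):
    """Client side: (reply code is Accept, Response Authenticator validates under our secret)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, response[20:length], request_auth, secret)
    return code == ACCESS_ACCEPT, hmac.compare_digest(expected, response[4:20])


def authenticate(username, password, method, client_secret, server_secret=None):
    """One full exchange; server_secret defaults to the client's (the correctly configured case)."""
    server_secret = client_secret if server_secret is None else server_secret
    request, request_auth = build_access_request(7, username, password, method, client_secret)
    return verify_response(simulate_server(request, server_secret, USERS), request_auth, client_secret)
```

A real client must treat a reply whose Response Authenticator does not validate as a failure, whatever its code says; the CHAP case with mismatched secrets returns an Accept code the client cannot trust, which is exactly the condition the RADIUS test in the connector settings is there to catch before Captive Portal depends on it.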

Directory Connector FAQs

What about shared IP addresses, like with a Terminal Server?

The Directory Connector works by mapping IP addresses to usernames; any IP address sharing will mean the Directory Connector will not be able to tell these users apart. After some testing, we've seen that a product offering from Elusiva when paired with Captive Portal allows these users to be differentiated and become subject to policies and filtering. This has currently been tested with Directory Connector, Web Filter, Policy Manager and Captive Portal; however, the ADLS hasn't yet been tested. We'll update this space with more information as it becomes available.

The ADLS never completes or isn't working. Why?

You'll need to make sure the Domain Controller has the following settings:

ComputerConf > Admin Templates > System > Scripts
- Run logon scripts synchronously = disabled
- Run startup scripts asynchronously = enabled

UserConf > Admin Templates > System > Scripts
- Run logon scripts synchronously = disabled

One user was still having issues; he solved it by running the script as a program at login. You may want to try this if the above isn't working:

User Configuration > Policies > Administrative Templates > System > Logon > Run These Programs at System Logon

I only see 1000 usernames, but I have more users. Why?

Untangle can read more than 1000 users from AD, but AD must be configured to send more than 1000 users. Run these commands from the command prompt on the AD server to enable AD to send up to 5000 users:

ntdsutil.exe
LDAP policies
Connections
Connect to server addomainname.local
Quit
Set MaxPageSize to 5000
Commit Changes
Quit
Quit

I have followed all the steps and, to the best of my knowledge, installed it correctly. How come the logon script does not work?

One way to check whether your logon script is working is to open the status page and view the current Username Map. If you see no entries after running the script manually or via the logon, and Untangle is in bridge mode, verify that your interfaces are not backwards. You can also edit the script and make sure the internal IP of Untangle is listed.

Does the GPMC (Group Policy Management Console) work with 64bit OS?

Please check out this link: http://mcpmag.com/articles/2009/10/13/gpmc-64-win-2008.aspx

Why are my Security Groups not showing up?

Security Groups will not be displayed when using the Active Directory Users button in the settings, but they will be displayed when selecting users in the Policy Manager.

Only Security Groups will be shown, not OUs.

I'm authenticating Captive Portal users against Active Directory, but no names show up in the Username Map. Why?

Captive Portal must go into the rack after Directory Connector to work properly. Please note this refers to the order in which they are installed into the rack, not the order they appear in the rack. If you're seeing this issue, simply remove Captive Portal from the rack, then add it back into the rack and reconfigure it. The next time a user logs in through it, they should correctly populate the Username Map.

Attack Blocker

The Attack Blocker protects your network in a few ways:

Sanitizes all packets the Untangle Server receives. This packet-cleaning is a built-in function and has no administrative settings.

Protects against lower-level networking attacks.

Protects against Denial of Service (DOS) attacks.

Settings

This section reviews the different settings and configuration options available for Attack Blocker.

Status

The Status tab simply tells you if Attack Blocker is active - there are no settings to configure.

Exceptions

Use the Exception list to identify a virtual computer (IP Address) that represents more than one physical computer. As discussed in How does it work?, Attack Blocker tracks the relative activity of computers on its network. If an IP address represents more than one physical computer, as is the case if you have a router performing NAT behind an Untangle Server that's a bridge, then Attack Blocker must know this IP address; otherwise, Attack Blocker considers that network to be an unusually active single computer and rejects that network's traffic.
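Why the Exception list matters, as an added illustration that is not Untangle's code and does not claim to be the Attack Blocker's actual algorithm: a toy "relative activity" check over a constructed minute of flow records counts flows per source IP, compares each source against the median of the others, and flags a source that is far above it. Declaring a NAT router's IP in the exception map with the number of hosts behind it turns its aggregate count into a per-host rate, so the router stops looking like one hyperactive machine while a genuinely hyperactive single host is still flagged. All IPs, counts and thresholds here are constructed sample values.

```python
from collections import Counter
from statistics import median

# Constructed sample of (source IP, timestamp in seconds) observations; not real traffic.
FLOWS = (
    [("10.0.0.11", t) for t in range(0, 60, 15)]        # five ordinary hosts, 4 flows/min each
    + [("10.0.0.12", t) for t in range(1, 60, 15)]
    + [("10.0.0.13", t) for t in range(2, 60, 15)]
    + [("10.0.0.14", t) for t in range(3, 60, 15)]
    + [("10.0.0.15", t) for t in range(4, 60, 15)]
    + [("10.0.0.1", t) for t in range(0, 40)]           # NAT router fronting ~10 PCs: 40 flows/min
    + [("10.0.0.99", t) for t in range(0, 60)]          # one host producing 60 flows/min on its own
)


def flows_per_host(flows, window, exceptions):
    """Count flows per source inside [start, end). An Exception entry declares how many
    physical hosts share that IP, so its count is divided to give a per-host rate."""
    start, end = window
    counts = Counter(src for src, ts in flows if start <= ts < end)
    return {ip: n / exceptions.get(ip, 1) for ip, n in counts.items()}


def unusually_active(rates, factor=5.0, floor=10):
    """Flag sources whose per-host rate exceeds `factor` times the median rate of all
    other sources, ignoring anything below `floor` so a quiet network never self-flags."""
    if len(rates) < 2:
        return set()
    flagged = set()
    for ip, rate in rates.items():
        baseline = median(r for other, r in rates.items() if other != ip)
        if rate >= floor and rate > factor * baseline:
            flagged.add(ip)
    return flagged


def evaluate(flows, exceptions, window=(0, 60)):
    """Return the set of source IPs that would be treated as unusually active."""
    return unusually_active(flows_per_host(flows, window, exceptions))


if __name__ == "__main__":
    print("no exceptions:", sorted(evaluate(FLOWS, {})))
    print("router declared as 10 hosts:", sorted(evaluate(FLOWS, {"10.0.0.1": 10})))
```

Without an entry for 10.0.0.1 the router is flagged alongside the hyperactive 10.0.0.99, which is the "rejects that network's traffic" outcome the text warns about; with the router declared as ten hosts, only 10.0.0.99 remains flagged. The host count you declare is a trust decision: setting it too high dilutes the rate of every machine behind that router and weakens the check for all of them.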

To add a new entry to the Exception list:
