Howto
Collax Active Directory
This howto describes the configuration of a Collax server for joining a Windows Active Directory Service (ADS) domain. Furthermore, this howto focuses on how to set up the Active Directory proxy service.
Joining the domain alone gives AD users access only to the file services (FTP, Samba and, subject to restrictions, HTTP(S)) and the web proxy; with the AD proxy in use, most services of the Collax server become available to them.
Requirements
Collax Business Server
Collax Platform Server
Collax Security Gateway
Working AD Server with configured domain name service (DNS)
Example Configuration
Collax Server
FQDN: cbs.internal.collax.com
DNS zone: internal.collax.com
Local network: 172.17.0.0/24
IP address: 172.17.0.1
Windows AD Server
FQDN: w2k8.internal.collax.com
DNS zone: internal.collax.com
IP address: 172.17.0.45
ADS domain: INTERNAL
Kerberos realm: INTERNAL.COLLAX.COM
Introduction
The first section describes how to configure the settings manually step by step. These settings can also be configured automatically by directly using the "Prepare for ADS" dialog. This is described in the second section "Join Domain". The second section also explains the configuration of the AD proxy.
If you want the Collax server to configure the basic settings automatically instead of configuring everything manually, go directly to section 2 "Join Domain".
1. Configuring the Collax Server
1.1 DNS Configuration
Under "Networking DNS General", enter the fully qualified domain name (FQDN) of the system and define the DNS suffix. Moreover, the DNS server must be activated.
The name resolution of the computers in the network takes place via the Windows DNS server that has already been configured. The Collax server only needs to be told to use it as a forwarder. For this purpose, create a forward and a reverse zone.
Enter the IP address of your AD Server under "Networking DNS Forward Zones".
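Before joining, it is worth confirming from the shell that the AD server's DNS actually answers the lookups a domain member depends on: the forward and reverse records of the AD server itself and the _ldap and _kerberos SRV records of the zone. The following script is an added example, not part of the Collax documentation; it assumes a host with dig installed and uses the FQDN, zone and IP address from the example configuration above (constructed values, adjust to your environment).

```shell
#!/bin/sh
# Added example (not from the Collax documentation): pre-join DNS sanity check
# run from any Linux host with `dig`. The server name, zone and IP address are
# taken from the howto's example configuration (constructed values).
AD_ZONE="internal.collax.com"
AD_SERVER="w2k8.internal.collax.com"
AD_IP="172.17.0.45"

# Kerberos realm convention: the DNS domain of the AD server in upper case.
realm_from_zone() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# SRV record name a domain member looks up for a service (ldap, kerberos, ...).
srv_name() {
    printf '_%s._tcp.%s\n' "$1" "$2"
}

# Reverse-lookup (in-addr.arpa) name for a dotted IPv4 address.
ptr_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# Run the live checks against the DNS server the Collax box will forward to.
# Prints OK/FAIL per check and returns non-zero if any check failed.
ad_dns_check() {
    dns="$1"; rc=0
    fwd=$(dig +short @"$dns" A "$AD_SERVER")
    if [ "$fwd" = "$AD_IP" ]; then
        echo "OK   forward $AD_SERVER -> $fwd"
    else
        echo "FAIL forward $AD_SERVER -> '$fwd' (expected $AD_IP)"; rc=1
    fi
    rev=$(dig +short @"$dns" PTR "$(ptr_name "$AD_IP")")
    if [ "$rev" = "$AD_SERVER." ]; then
        echo "OK   reverse $AD_IP -> $rev"
    else
        echo "FAIL reverse $AD_IP -> '$rev' (expected $AD_SERVER.)"; rc=1
    fi
    for svc in ldap kerberos; do
        name=$(srv_name "$svc" "$AD_ZONE")
        srv=$(dig +short @"$dns" SRV "$name")
        if [ -n "$srv" ]; then
            echo "OK   $name -> $srv"
        else
            echo "FAIL $name has no SRV record"; rc=1
        fi
    done
    echo "Kerberos realm to configure: $(realm_from_zone "$AD_ZONE")"
    return $rc
}

# Usage: sh ad_dns_check.sh 172.17.0.45   (the AD server acting as DNS)
if [ $# -gt 0 ]; then
    ad_dns_check "$1"
fi
```

A failed reverse lookup or a missing SRV record points at an incomplete zone on the Windows DNS server; fix that there before configuring the forward and reverse zones on the Collax side.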
1.3 Windows-specific Settings
The configuration of the Windows-specific settings comprises the activation of the network functionality for Windows networks, the assignment of the domain name, and some optional settings.
Perform the activation under "System Usage Policy Authentication PDC/ADS".
Simply activate the service and enter the name of the domain in the "Basic Settings" tab.
In the "Permissions" tab, select at least one group that contains the network in which the AD Server and the local clients are located.
In the "Options" tab, the items "WINS" and "Domain separator" are important. As the WINS server is normally the AD Server, the Collax server operates as a client in this example.
Normally, "+" should be selected as the domain separator. An underscore can cause problems with local groups whose names contain an underscore.
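The reason for preferring "+" is easy to see once names are parsed the way a separator-aware lookup parses them: any name containing the separator is split into a domain part and a group part. The script below is an added illustration, not part of the Collax documentation; the local group names in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Collax documentation): shows why "_" is a poor
# domain separator when local group names contain underscores. The local
# group list is constructed for the illustration.
LOCAL_GROUPS="staff web_admins backup_ops"

# Classify a name the way a separator-aware lookup does: if the separator
# occurs in the name, the part before it is taken as the domain and the rest
# as the group; otherwise the name is a plain local group.
classify_name() {
    name="$1"; sep="$2"
    case "$name" in
        *"$sep"*)
            printf 'domain=%s group=%s\n' "${name%%"$sep"*}" "${name#*"$sep"}"
            ;;
        *)
            printf 'local=%s\n' "$name"
            ;;
    esac
}

# Count local groups that would be misread as DOMAIN<sep>group for a separator.
count_collisions() {
    sep="$1"; n=0
    for g in $LOCAL_GROUPS; do
        case "$g" in *"$sep"*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

for sep in "+" "_"; do
    echo "separator '$sep': $(count_collisions "$sep") local group(s) ambiguous"
    classify_name "INTERNAL${sep}staff" "$sep"
    classify_name "web_admins" "$sep"
done
```

With "+" the local group web_admins stays local and only INTERNAL+staff is domain-qualified; with "_" the same local group is read as domain "web", group "admins", so lookups for it go to the wrong place.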
1.4 Kerberos
Configure Kerberos under "System Usage Policy Authentication Kerberos". The Kerberos realm must correspond to the name of the DNS domain of the AD Server. Enter the AD Server as KDC. If a BDC exists, it can also be specified here. Separate the servers with spaces.
1.5 Switching the User Database
Finally, the user database must be switched from "Local" to "ADS member" under "System Usage Policy Authentication PDC/ADS".
If your AD server is a Windows 2008 Server, the FQDN of the AD Server must be entered under "Active Directory Server".
With the item "Allow users from other domains", you can determine whether users from other domains may also log in. For these users to be able to log in, a relationship of trust must exist between the two domains.
For security reasons, this option should be used with care.
2. Automatic Configuration of the Settings
If the basic settings are to be configured automatically, enter the details of your "AD Server" in the section "ADS Settings" at the top. Then click "Save".
Please note that configuration settings will automatically be overwritten on the basis of the specified details. This affects the settings for Kerberos, DNS, authentication, and Windows support. The settings for networks, network links, and groups will not be modified.
If your AD Server is a Windows 2008 Server, enter the FQDN of the AD Server as "Active Directory Server" under "System
2.1 Join Domain
You can join the domain under "System System Operation Authentication Join Domain". Be sure to activate the previously configured settings.
To join the domain, use an administrator account of the AD Server that has the required permissions for creating a so-called machine account on the AD Server. Then click "Log on". The successful joining will be confirmed with the status message
2.3 Configuration of the AD Proxy
The AD proxy can only be configured after successfully joining the domain.
Configure the AD proxy settings under "System Usage Policy Authentication PDC/ADS".
To use the AD proxy, you merely need an AD user who has read permissions for the LDAP directory on the AD Server.
Subsequently, activate the configuration. Please note that depending on the number of users, the synchronization with the AD Server can take some time.
The Collax server is now a member of the Active Directory domain. You can now make AD groups available to the local policy management; an imported group subsequently appears in the "Groups" menu.
The dialog for this is located under "System Usage Policy Policies Importable Groups".
This dialog displays groups that can be used in the user management of an Active Directory. The listed groups can be integrated in the local policies after they have been included in the management by means of the action "Add to Local Groups". The users of the AD groups will continue to be managed via the Active Directory and are not part of the local system.
Please note that only groups that also contain users in Active Directory will be listed.
The users and groups are synchronized every minute. Sometimes, however, it can take several minutes before Windows has published all changes made in Active Directory.