AD Connector Installation and Configuration

Necessary Pages

The information from these pages and URLs will be referenced in the steps below to complete AD Connector Installation and Configuration.

*In the links above, "portal.myweblogon.com" can be replaced with the IP address of the SafeConnect appliance or the custom hostname of the appliance, if applicable.

Troubleshooting

For troubleshooting related to AD Connector installation and configuration, see AD Connector Troubleshooting.

AD Connector Prerequisites

The following prerequisites will need to be completed on all domain controllers used by domain member machines being managed by SafeConnect.

Configure Individual Domain Controllers to Audit Logon Events

On all Windows 2000+ domain controllers, open Local Security Policy under Administrative Tools.

[Screenshot: Start Menu]

Drill down to "Local Policies > Audit Policy".

Right-click Audit Logon Events and select Properties.

[Screenshot: Local Security Policy]

Configure auditing of successful events as shown below. If the check boxes are grayed out, the setting is being enforced by an Active Directory Group Policy, and that Group Policy will need to be modified instead.

[Screenshot: Audit Logon Events Properties]

Configure All Domain Controllers to Audit Logon Events

Access the Group Policy Management Console from Administrative Tools. On Windows 2000/2003, the console can be downloaded, or Group Policies can be accessed from Active Directory Users and Computers.

[Screenshot: Start menu]

Right-click the Default Domain Controllers Policy and select Edit.

[Screenshot: Group Policy Management]

Drill down to "Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy".

Right-click Audit Logon Events and select Properties.

[Screenshot: Group Policy Management Editor]

Configure auditing of successful events as shown below.

[Screenshot: Audit Logon Events Properties]
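
A command-line check that the audit setting configured above is in effect on every domain controller, as an added example that is not part of the vendor's documentation. It assumes Windows Server 2008 or later with English auditpol category names, the ActiveDirectory PowerShell module, and PowerShell remoting to each domain controller; the function name Test-LogonSuccessAudit is hypothetical.

```powershell
# Added example (not vendor code): report, per domain controller, whether
# successful logon events are being audited.
# Assumptions: run from an elevated session with rights on the DCs, RSAT
# ActiveDirectory module installed, WinRM remoting enabled, English OS.
Import-Module ActiveDirectory

# Decide from auditpol's CSV report (/r) whether the "Logon" subcategory
# of the Logon/Logoff category records successful events.
function Test-LogonSuccessAudit {
    param([string[]]$AuditpolCsv)
    # auditpol may emit blank lines in the report; drop them before parsing.
    $rows  = $AuditpolCsv | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    $logon = $rows | Where-Object { $_.Subcategory -eq 'Logon' }
    # Inclusion Setting is one of:
    #   No Auditing, Success, Failure, Success and Failure
    return [bool]($logon -and $logon.'Inclusion Setting' -like '*Success*')
}

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Query the audit settings currently applied on the remote DC.
        $csv = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            auditpol.exe /get /category:"Logon/Logoff" /r
        }
        $state = if (Test-LogonSuccessAudit $csv) {
            'OK'
        } else {
            'Success auditing NOT enabled'
        }
    } catch {
        # A DC that cannot be queried is reported rather than silently skipped.
        $state = "Unreachable: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        DomainController = $dc.HostName
        LogonAudit       = $state
    }
}

$results | Format-Table -AutoSize
```

Any domain controller not reported as OK should be rechecked against the Group Policy steps above before the AD Connector is installed on it.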

Installing the Impulse Windows Services

The AD Connector service should be installed on all domain controllers used by domain member machines that are managed by SafeConnect. The installer installs and starts a service on each domain controller. No reboot of the server is required. If a mistake is made with one of the parameters, or if something changes at a later date, re-running the installer is completely safe.

Download the Installer to each domain controller

The Windows services installer can be downloaded from:

https://portal.myweblogon.com:8443/downloads/Tools/ImpulseServicesSetup.exe

If downloading from a network segment that is not managed by SafeConnect, the internal IP address of the appliance (Manager node in a cluster) should be used in place of portal.myweblogon.com.

Launching the Installer

Once the Installer is downloaded, double-click to run. Choose “Next” on the first screen.

[Screenshot: Welcome to the Impulse Services Installer Setup Wizard]

Select the Services to install and click “Finish”. This will launch the next portion of the install. Note that the DHCPSyslog Service can be downloaded with the AD Connector or the AD Connector can be downloaded on its own by checking/unchecking the corresponding boxes.

[Screenshot: Impulse Services Installer: Completing the Impulse Services Installer Setup Wizard]

If the prerequisites are not completed, one of the following warning messages will be displayed and the installer will abort. If the following message is displayed, please review the prerequisites section of this document.

[Screenshot: Active Directory Not Installed]

Completing the AD Connector Install

Click “Next” on the AD Connector portion of the installer.

[Screenshot: Welcome to the AD Connector Setup Wizard]

Under Policy Manager IP Address, enter the internal IP address of the SafeConnect appliance. In a cluster, this will be the Manager node. The username and password should belong to a user with API read/write access. A user with API access should be created in the SafeConnect configuration page: https://portal.myweblogon.com:8443/manage. Click “Next” when everything is entered.

[Screenshot: AD Connector Setup: Configuration Information]

Click “Next” to install in the default location.

[Screenshot: AD Connector Setup: Select Destination Location]

Review the parameters and click “Install” when ready.

[Screenshot: AD Connector Setup: Ready to Install]

Click “Finish” to complete the installer.

[Screenshot: AD Connector Setup: Completing the AD Connector Setup Wizard]

Firewall (Version 6.5.16 and Later)

To permit the AD Connector to talk to the SafeConnect appliance:

  1. Navigate to the Firewall UI from the Active Directory Single Sign-On page by clicking "AD Connector Firewall Settings". Alternatively, navigate to https://portal.myweblogon.com:8443/manage/#/configuration/firewall. “portal.myweblogon.com” can be replaced with the IP address of the SafeConnect appliance or the custom hostname of the appliance, if applicable.

  2. Add the IP of each AD Server you have installed the AD Connector on to the list of approved source IPs on the AD Connector Access tab.

To learn more, please see the documentation related to SafeConnect Firewall settings.

Policy Group Creation Using an AD device attribute

Setting up the device attribute qualifier for the domain attribute

Navigate to the Policy Manager: https://portal.myweblogon.com:8443/manage/#/policy. If accessing the appliance from a network segment that is not managed by SafeConnect, the inside IP address of the appliance should be used in place of "portal.myweblogon.com". In a cluster, this will be the manager node.
Once the Management Console is open, navigate to "Policy Manager > Qualifiers Menu > Device Attributes". Click the “New” button on the bottom right and enter a name. Since the device attribute will be coming from Active Directory, choose “ActiveDirectory” as the Device Attribute Source. “Domain” is the only option for the Device Attribute Name. The last step is to enter the value under “Device Attribute Value”. SafeConnect will only use the values that have been configured. When finished, click “Save”.

The qualifier is now ready to be added to a qualifier set and subsequently added to a qualifier container followed by a Policy Group.