This article applies to organisations with an On-Premise setup, and those with a 'Hybrid' setup (both On-Premise Appliance and Cloud).
Use ID Indexing System (IDex) to identify already authenticated users in Active Directory domain networks. IDex has three components:
- The IDex Agent is installed on Active Directory Domain Controllers.
- An IDex Directory receives user identity information from the IDex Agent and maps it to a database of authenticated users. Smoothwall then uses this to apply your Authentication and Web Filter Policies.
- An IDex Cluster shares user information between all Smoothwall nodes in a Centrally Managed setup.
We recommend that all customers with a Smoothwall Appliance use IDex as their main authentication method. It’s particularly suited for:
- Large Centrally Managed or Multi-Tenant setups with independent domains over a wide-area network.
- Low bandwidth setups.
- Setups where you have already installed the IDex Agent on your Domain Controllers.
Important
This setup is for customers who have a Smoothwall Appliance, either alone or in a Hybrid setup. See the separate article on how to use IDex in Cloud-only setups.
Before you begin
You must turn on auditing of Windows logon events so that IDex Agent can monitor domain logon events (Security Event ID 4624) on your Domain Controllers and relay them to your Smoothwall.
You can configure these settings on each Domain Controller manually or via a Group Policy:
- In Windows Group Policy Management, configure the local audit policy with these settings:
- Audit account logon events: Success
- Audit logon events: Success
- If you are using Advanced Auditing, the following settings also need to be configured:
- Audit: force audit policy subcategory settings: Enabled
- Audit Logon: Success
- Audit Logoff: Success
See Microsoft Windows Server documentation for further help.
Step 1: Install IDex Agent
Go to software.smoothwall.com. Under IDex Agent V2, select Windows x64.
Install on a single server
- Upload the installation file to the server and run it.
- Progress through the wizard.
- For Web filter host, enter the hostname or IP address of your Smoothwall Appliance.
- Leave the UNCL Serial, UNCL API Key and Tenants fields blank.
- Finish the installation. You don't need to restart the server.
Install on multiple Domain Controllers
- Use a GPO to deploy the installation file.
- Deploy the IDexAgent.msi file you downloaded.
- Configure the registry settings in this location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IDexAgent\Parameters
- SmoothwallIPAddr: Create a String value with this name and enter the IP address of your Smoothwall.
- Leave the UNCLSerial, UNCLAPIKey and Tenants values blank.
(Optional) Ignore specific account sign-ins
IDex picks up service accounts on the domain. You can exclude these accounts to prevent issues with authentication and User Group mappings.
Important
You’ll need to add this setting again after updating IDex Agent. Save the list, or use a GPO.
- Open the registry editor on the Domain Controller running IDex Agent.
- In the Registry Editor, expand HKLM\SYSTEM\CurrentControlSet\Services\IDexAgent\Parameters.
- Create a new String value called LogonExclusions.
- For the Value, enter a comma-separated list, in the format domain\user.
- Restart the IDex agent service.
- Repeat for each of your IDex installs.
(Optional) Turn on DHCP Polling for IDex Agent
If you have IDex Agent on a Domain Controller that also acts as DHCP server, you can use DHCP Polling. DHCP polling updates Smoothwall with DHCP server activity so filtering continues as users change IP addresses.
- Sign in to the Domain Controller with IDex Agent installed.
- In the Registry Editor, expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IDexAgent\Parameters.
- Create a DWORD (32-bit) value named EnableDHCPPoll and set it to 1.
- Create a DWORD (32-bit) value named DHCPPollInterval and set it to 1000.
- Restart the IDex Agent.
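The registry settings from the multiple Domain Controller install, the LogonExclusions value and the DHCP Polling values can be applied together from PowerShell on each Domain Controller. The script below is an added example, not Smoothwall's own tooling; it assumes the agent's Windows service is named IDexAgent (matching its key under Services), that IDexAgent.msi is already installed, and that auditpol output is in English.

```powershell
# Added example (not Smoothwall's own script): applies the IDex Agent registry
# parameters described above on one Domain Controller, checks the logon audit
# settings the agent depends on, then restarts the agent.
# Assumption: the service is registered as 'IDexAgent'.
$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\IDexAgent\Parameters'

# Constructed sample values; replace with your own Smoothwall IP and service accounts.
$SmoothwallIP = '10.0.0.5'
$Exclusions   = @('CORP\svc-backup', 'CORP\svc-monitoring')   # domain\user entries
$EnableDhcp   = $true   # set only if this DC is also the DHCP server

# The UNCLSerial, UNCLAPIKey and Tenants values are deliberately not set (left blank).
if (-not (Test-Path $Params)) { New-Item -Path $Params -Force | Out-Null }
Set-ItemProperty -Path $Params -Name 'SmoothwallIPAddr' -Value $SmoothwallIP -Type String
Set-ItemProperty -Path $Params -Name 'LogonExclusions'  -Value ($Exclusions -join ',') -Type String
if ($EnableDhcp) {
    Set-ItemProperty -Path $Params -Name 'EnableDHCPPoll'   -Value 1    -Type DWord
    Set-ItemProperty -Path $Params -Name 'DHCPPollInterval' -Value 1000 -Type DWord
}

# Warn if the Logon/Logoff subcategories are not auditing Success: without them
# Event ID 4624 is not written and IDex Agent has nothing to relay.
foreach ($sub in 'Logon', 'Logoff') {
    $line = auditpol /get "/subcategory:$sub" | Select-String -Pattern "^\s+$sub\s"
    if (-not $line -or $line.Line -notmatch 'Success') {
        Write-Warning "Audit $sub is not set to Success on this Domain Controller."
    }
}

# LogonExclusions only takes effect after the agent service restarts.
Restart-Service -Name 'IDexAgent'
Get-ItemProperty -Path $Params |
    Select-Object SmoothwallIPAddr, LogonExclusions, EnableDHCPPoll, DHCPPollInterval
```

Run it in an elevated PowerShell session on each Domain Controller that has IDex Agent installed, and keep a copy of the script because the LogonExclusions value must be re-applied after an agent update.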
Step 2: Allow IDex Agent to send information to Smoothwall
Add a Smoothwall access rule
- Add a Smoothwall access rule with these settings:
- Source IP addresses: The IP addresses of your Domain Controllers with the IDex Agent installed.
- Services: Create a new service for IDex (port 2948 for Leeds; ports 2948, 2949 and 26257 for Maiden).
- Action: Accepted
- Move this rule above any Drop and Reject rules.
Add a Web Proxy Authentication policy
Add one Web Proxy Authentication policy for each internal interface your devices use.
- Method: Core authentication
- Interface: Select the interface your devices proxy through for web filtering. Ensure your client devices use this interface for their Internet proxy settings.