Use ID Indexing (IDex) to identify already authenticated users in Active Directory domain networks. IDex has three components:
- The IDex Agent is installed on Active Directory Domain Controllers.
- An IDex Directory receives user identity information from the IDex Agent and maps it to a database of authenticated users. Smoothwall then uses this to apply your Authentication and Web Filter Policies.
- An IDex Cluster shares user information between all Smoothwall nodes in a Centrally Managed setup.
We recommend that all customers with a Smoothwall Appliance use IDex as their main authentication method. It’s particularly suited for:
- Large Centrally Managed or Multi-Tenant setups with independent domains over a wide-area network.
- Low bandwidth setups.
- Setups where you have already installed the IDex Agent on your Domain Controllers.
Important
This setup is for customers who have a Smoothwall Appliance, either alone or in a Hybrid setup. See Set up IDex Agent to sync Active Directory for Cloud-only setups.
Before you begin
Set your global Authentication Settings as required. Specifically, ensure:
- You select the Normalize usernames checkbox and the Users identified by BYOD are subject to firewall rules that make use of groups checkbox.
- If you use the same directory across multiple sites and want to share the authentication status of users between Smoothwall Appliances, for example, in a centrally managed setup, enter the IP addresses of your other Smoothwall Appliances into the Cluster nodes field.
Step 1: Set up auditing of Windows logon events
The IDex Agent reads Security Event ID 4624 from the security event logs. For account logon events to appear in the logs, you must ensure that auditing of Windows logon events is on.
You can configure these settings on each Domain Controller manually or via a Group Policy:
- In Windows Group Policy Management, configure the local audit policy with these settings:
- Audit account logon events: Success
- Audit logon events: Success
- If you are using Advanced Auditing, the following settings also need to be configured:
- Audit: force audit policy subcategory settings: Enabled
- Audit Logon: Success
- Audit Logoff: Success
See Microsoft Windows documentation for further help.
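As an added example (not a script from the Smoothwall page), the following elevated PowerShell applies the Step 1 audit settings on one Domain Controller and then checks that Event ID 4624 is actually being written; the registry value it sets for the "force audit policy subcategory settings" policy is the standard Windows one, and the same settings can be delivered by GPO instead.

```powershell
# Added example: enable the logon auditing that IDex Agent depends on, then verify.
# Run in an elevated PowerShell on each Domain Controller (or mirror these settings in a GPO).

# Basic audit categories: "Audit account logon events" and "Audit logon events" = Success
auditpol /set /category:"Account Logon" /success:enable
auditpol /set /category:"Logon/Logoff"  /success:enable

# Advanced auditing: let subcategory settings override the basic categories
# (the "Audit: Force audit policy subcategory settings" policy), then enable Logon/Logoff success.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord
auditpol /set /subcategory:"Logon"  /success:enable
auditpol /set /subcategory:"Logoff" /success:enable

# Verify: both subcategories should now report "Success"
auditpol /get /subcategory:"Logon"
auditpol /get /subcategory:"Logoff"

# Verify: successful logons (4624) are present in the Security log.
# Properties[5] of a 4624 event is TargetUserName, the account that signed in.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5 |
    Select-Object TimeCreated, Id, @{ n = 'Account'; e = { $_.Properties[5].Value } }
```

If the last command returns nothing after a user has signed in to the domain, the agent will have nothing to forward, so fix the audit policy before installing it.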
Step 2: Install IDex Agent
Download IDex Agent
- Go to software.smoothwall.com
- Under IDex Agent V2, select Windows x64.
Install on a single Domain Controller
- Upload the installation file to the Domain Controller and run it.
- Progress through the wizard.
- For Web filter host, enter the hostname or IP address of your Smoothwall Appliance.
- Leave the UNCL Serial, UNCL API Key and Tenants fields blank.
- Finish the installation. You don't need to restart the Domain Controller.
Install on multiple Domain Controllers
Install individually on each Domain Controller, or:
- Use a GPO to deploy the installation file.
- Deploy the IDexAgent.msi file you downloaded.
- Configure the registry settings under this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IDexAgent\Parameters
- SmoothwallIPAddr: Select String and enter the IP address of your Smoothwall.
- Leave the UNCLSerial, UNCLAPIKey and Tenants values blank.
(Optional) Ignore specific account sign-ins
IDex picks up service accounts on the domain. You can exclude these accounts to prevent issues with authentication and User Group mappings.
Important
You’ll need to add this setting again after updating IDex Agent. Save the list, or use a GPO.
- Open the registry editor on the Domain Controller running IDex Agent.
- In the Registry Editor, expand HKLM\SYSTEM\CurrentControlSet\Services\IDexAgent\Parameters.
- Create a new String value called LogonExclusions.
- For the Value, enter a comma-separated list, in the format domain\user.
- Restart the IDex agent service.
- Repeat for each of your IDex installs.
(Optional) Turn on DHCP Polling for IDex Agent
If you have IDex Agent on a Domain Controller that also acts as DHCP server, you can use DHCP Polling. DHCP polling updates Smoothwall with DHCP server activity so filtering continues as users change IP addresses.
- Sign in to the Domain Controller with IDex Agent installed.
- In the Registry Editor, expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IDexAgent\Parameters.
- Create a DWORD (32-bit) value named EnableDHCPPoll and set it to 1.
- Create a DWORD (32-bit) value named DHCPPollInterval and set it to 1000.
- Restart the IDex Agent.
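As an added example (not Smoothwall's own script), this PowerShell applies the Step 2 registry settings, the optional LogonExclusions list and the optional DHCP polling values on a Domain Controller, keeps a copy of the exclusions so they can be re-applied after an agent update, restarts the agent, and finally checks that the Smoothwall IDex cluster port is reachable. It assumes the Windows service is named IDexAgent (inferred from the registry path); the Smoothwall address and the excluded accounts are constructed placeholders.

```powershell
# Added example: configure IDex Agent through its Parameters key and restart it.
# Run in an elevated PowerShell on a Domain Controller where IDex Agent is installed.
$params       = 'HKLM:\SYSTEM\CurrentControlSet\Services\IDexAgent\Parameters'
$smoothwallIp = '192.0.2.10'                          # placeholder: your Smoothwall Appliance
$exclusions   = 'CORP\svc-backup,CORP\svc-scanner'    # constructed example service accounts

if (-not (Test-Path $params)) {
    throw "IDex Agent parameters key not found; is the agent installed on this DC?"
}

# Step 2 (multiple DCs): point the agent at Smoothwall; leave UNCLSerial, UNCLAPIKey and Tenants unset
New-ItemProperty -Path $params -Name 'SmoothwallIPAddr' -PropertyType String -Value $smoothwallIp -Force | Out-Null

# Optional: exclude service-account sign-ins (comma-separated, domain\user)
New-ItemProperty -Path $params -Name 'LogonExclusions' -PropertyType String -Value $exclusions -Force | Out-Null

# Optional: DHCP polling, only on a DC that is also the DHCP server
New-ItemProperty -Path $params -Name 'EnableDHCPPoll'   -PropertyType DWord -Value 1    -Force | Out-Null
New-ItemProperty -Path $params -Name 'DHCPPollInterval' -PropertyType DWord -Value 1000 -Force | Out-Null

# The page warns that LogonExclusions must be re-added after an agent update: keep a copy
(Get-ItemProperty -Path $params -Name 'LogonExclusions').LogonExclusions |
    Out-File -FilePath "$env:ProgramData\IDexLogonExclusions.txt"

# Show what the agent will read when it starts
Get-ItemProperty -Path $params |
    Select-Object SmoothwallIPAddr, LogonExclusions, EnableDHCPPoll, DHCPPollInterval

Restart-Service -Name 'IDexAgent'   # assumption: service name matches the registry key

# Step 3 check from the DC side: the IDex cluster port must be reachable through the Smoothwall access rule
Test-NetConnection -ComputerName $smoothwallIp -Port 2948 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Run it once per Domain Controller that carries the agent, or keep the same values in a GPO so they survive reinstalls.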
Step 3: Allow IDex Agent to send information to Smoothwall
Add a Smoothwall access rule
- Add a Smoothwall access rule with these settings:
- Source IP addresses: The IP addresses of your Domain Controllers with the IDex Agent installed.
- Services:
- IDex cluster (2948, 2949, 26257) in Maiden.
- IDex cluster (2948) in Leeds.
- Action: Accepted
- Move this rule above any Drop and Reject rules.
Add a Web Proxy Authentication policy
Add one Web Proxy Authentication policy for each internal interface your devices use.
- Method: Core authentication
- Interface: Select the interface your devices proxy through for web filtering. Ensure your client devices use this interface for their Internet proxy settings.