A Primer on IDex Authentication
The ID Indexing System (IDex) provides a way of reliably identifying already authenticated users in a wide variety of wide-area, Active Directory domain networks, where link and speed cannot be guaranteed. The ID Indexing System consists of:
- IDex Agent - Installed on Active Directory domain controllers.
- IDex Client - Installed locally on Windows or MacOS workstations. Not available in Maiden.
- IDex Cluster - Used in a Central Management solution; shares user information between all Smoothwall nodes.
- IDex Directory - A database of authenticated users, which can be used by all Smoothwall services that require user identity information, such as Guardian and the Firewall.
The IDex Directory is a passive connection that receives user information from the IDex Client or IDex Agent and maps it to local user configuration on the Smoothwall for purposes such as web filtering and firewalling. All user information received is trusted to be correct; the Smoothwall does not verify it against the domain.
No other configuration is required, other than enabling the directory connection, and the installation of either the Client, the Agent, or both.
How does this differ from the Active Directory configuration in the Smoothwall?
The Active Directory configuration on the Smoothwall is more involved, as the Smoothwall must be able to query the Active Directory domain to verify the user credentials it receives. This also means that other areas of the Smoothwall must be configured with details of your Active Directory domain, such as DNS servers. Your Active Directory servers must also be setup to expect and respond to communication from the Smoothwall.
It should be noted that a failure in communication between the Smoothwall and Active Directory domain controller could result in users being placed in the Unauthenticated IPs group, therefore potentially being blocked from browsing to the Internet.
IDex Directory is suitable if you:
- Have a large centralized or Multi-Tenant deployment, such as a managed service provider or public sector network.
- Support a large number of independent domains over a wide-area network.
- Find connectivity to Active Directory domain controllers difficult or only available over a low-bandwidth link.
Installing IDex Agent
Prerequisites
IDex Agent monitors domain logon events and relays these to a Smoothwall - as such, auditing of Windows Logon Events must be enabled.
- In your Windows Group Policy Management, configure the local audit policy with these settings for your domain controller, see the Windows help topic, To configure a setting for a domain controller:
- Audit account logon events: Success
- Audit logon events: Success
Procedure
The latest version of IDex Agent can be downloaded here.
- If you have a single server:
- Upload (or download) the installation file to the server and run it.
- Click through the wizard and when prompted, enter:
- Web filter host - The host name or IP address of the local Smoothwall or, in such environments, Loadbalancer VIP.
Note: If IDex Agent is being installed to provide domain information to Cloud Filter and/or Monitor only, and not to authenticate domain users to a local Smoothwall Web Filter appliance, this field can be left blank.
- UNCL Serial, UNCL API Key, Tenants - If you are installing IDex Agent for integration with Cloud Filter or Monitor, the contents for these fields can be found in the Smoothwall Cloud Portal in the Admin Panel under Account Information. If no Cloud integration is required, leave these fields blank.
- Finish the installation. You don't need to restart the server.
- To install IDex Agent on multiple Domain Controllers, you can deploy via GPO:
- Use a GPO to deploy the installation file, see the Windows help article, Editing Software Settings Using GPMC. The GPO should:
- Deploy the IDexAgent.msi file that you downloaded.
- Configure the registry settings as required, under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IDexAgent\Parameters:
- SmoothwallIPAddr, String (REG_SZ) - IP Address of local Smoothwall/Loadbalancer VIP.
- UNCLSerial, String (REG_SZ) - For Cloud Integration: UNCL from Cloud Admin Portal.
- UNCLAPIKey, String (REG_SZ) - For Cloud Integration: API Key from Cloud Admin Portal.
- Tenants, String (REG_SZ) - Comma separated list of Tenant IDs from Cloud Admin Portal or On-Prem UI in Multi-Tenant environments.
- LogonExclusions, String (REG_SZ) - OPTIONAL: Comma separated list of domain usernames to not report as authenticated, in format 'domain\user'. Good for ignoring service accounts or NT AUTHORITY\ANONYMOUS USER. See details below.
- EnableDHCPPoll, DWORD 32 Bit - OPTIONAL: 0/1 to turn DHCP Polling off or on. See details below.
- DHCPPollInterval, DWORD 32 Bit - OPTIONAL: 1000 - for use with DHCP Polling. See details below.
Follow-up Tasks
Smoothwall Web Filter Access Rules and Proxy
To allow the IDex Agent software to communicate with the Smoothwall Filter and Firewall:
- Add a rule with these settings, see the help topic, Adding new Smoothwall access rules:
- Source IP addresses: The IP addresses of your domain controllers that have the IDex Agent installed.
- Services: IDex Cluster (2948 for Leeds, 2948, 2949 and 26257 for Maiden).
- Action: Accept
- In the Smoothwall Access policy table, move this rule above any block rules you have in place.
- Create a core authentication web filter policy with these settings, see our help topic, Creating authentication policies:
- Non-transparent or Transparent: Choose the type of authentication suitable for your organization. Our knowledge base article, Using Non-Transparent Authentication Policies provides guidance for when to use a non-transparent authentication policy.
- Method: Core authentication
- Interface: Choose the interface that your devices proxy through for web filtering purposes. You might need multiple Core authentication policies if your devices can use more than one internal interface. Make sure that your client devices have the Interface and Port combination you select here set as their Internet proxy settings.
- Where: Everywhere
- Options for Unauthenticated Requests: Add a group to identify and filter unauthenticated requests.
The IDex Agent writes any connection errors to the Application event log of the Windows device prefixed with IDexAgent.
Set up an IDex Directory
Configure an IDex Directory on your Smoothwall Appliance and map your AD groups to your Filter Groups. See our guide here.
OPTIONAL: Ignoring Specific Account Logons
Any service accounts on the domain will be picked up by IDex when called and may cause authentication and group-mapping conflicts for users.
When using IDex agent 2.2.4 and above:
- Open the registry editor on the Domain Controller running IDex Agent.
- Navigate to HKLM\SYSTEM\CurrentControlSet\Services\IDexAgent\Parameters.
- Create a new 'String' key called 'LogonExclusions' and, in 'Value data', enter the users to exclude in the format domain\user as a comma-separated list.
- Restart the IDex agent service. This will need to be done on all IDex installs.
This parameter has to be re-added after an upgrade of the IDex agent, so make sure to save the list for later use.
OPTIONAL: Enabling DHCP Polling for IDex Agent
When you install the IDex agent on a domain controller that also acts as DHCP server for the local networks, you can turn on the option to look at the DHCP server activity, so that the IDex agent can use an additional tracking mechanism.
Note: You should only do this on Active Directory controllers that are ALSO DHCP servers.
Procedure
- Log on to the domain controller that has the IDex agent installed.
- Open the Registry Editor.
- Locate and expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IDexAgent\Parameters.
- Edit the 32-bit DWORD entry named EnableDHCPPoll and set its value to '1'.
- Edit the 32-bit DWORD entry named DHCPPollInterval and set its value to '1000'.
- Click OK and close the Registry Editor.
- Restart the IDex agent Service.
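The registry settings listed for GPO deployment, the LogonExclusions procedure and the DHCP polling procedure above all write values under the same Parameters key. The following script, an added example that is not Smoothwall's own tooling, applies them on one domain controller: it validates the 'domain\user' format before writing, keeps a copy of the exclusion list for re-adding after an upgrade, and only enables DHCP polling where the DHCP Server role is present. It assumes the service name is IDexAgent (taken from the Parameters key path) and uses constructed sample values.

```powershell
# Added example (not Smoothwall's own code): configure IDex Agent Parameters on a DC.
# Assumptions: service name IDexAgent (from the registry path), run elevated on the DC,
# and the IP address and account names below are constructed placeholders.
#Requires -RunAsAdministrator
$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\IDexAgent\Parameters'

# Constructed sample values; replace with your own.
$SmoothwallIP   = '10.0.0.1'
$Exclusions     = @('EXAMPLE\svc-backup', 'EXAMPLE\svc-scanner', 'NT AUTHORITY\ANONYMOUS USER')
$EnableDhcpPoll = $true

if (-not (Test-Path $Params)) {
    throw 'IDex Agent Parameters key not found; is the agent installed on this DC?'
}

# Every exclusion must be exactly 'domain\user' (one backslash, no commas) before it is written.
$bad = $Exclusions | Where-Object { $_ -notmatch '^[^\\,]+\\[^\\,]+$' }
if ($bad) { throw "Malformed LogonExclusions entries: $($bad -join ', ')" }

Set-ItemProperty -Path $Params -Name SmoothwallIPAddr -Type String -Value $SmoothwallIP
Set-ItemProperty -Path $Params -Name LogonExclusions  -Type String -Value ($Exclusions -join ',')

# Keep a copy of the list: it has to be re-added after an upgrade of the agent.
$Exclusions -join ',' | Set-Content -Path "$env:ProgramData\IDexAgent-LogonExclusions.txt"

# Only enable DHCP polling on a DC that is also a DHCP server, as the guide requires.
$isDhcpServer = $null -ne (Get-Service -Name DHCPServer -ErrorAction SilentlyContinue)
if ($EnableDhcpPoll -and $isDhcpServer) {
    Set-ItemProperty -Path $Params -Name EnableDHCPPoll   -Type DWord -Value 1
    Set-ItemProperty -Path $Params -Name DHCPPollInterval -Type DWord -Value 1000
} else {
    Set-ItemProperty -Path $Params -Name EnableDHCPPoll -Type DWord -Value 0
    if ($EnableDhcpPoll) { Write-Warning 'DHCP Server role not present; DHCP polling left off.' }
}

# Show the resulting configuration, then restart the agent so it re-reads Parameters.
Get-ItemProperty -Path $Params |
    Select-Object SmoothwallIPAddr, LogonExclusions, EnableDHCPPoll, DHCPPollInterval
Restart-Service -Name IDexAgent
```

Run it once per domain controller that has the agent installed, since the exclusion list and restart apply per install.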