A Primer on IDex Agent
The IDex Agent is an out-of-band authentication method developed by Smoothwall to address some of the shortcomings of in-band methods, such as Kerberos or NTLM, in large-scale networks, or in situations where the link quality between the Smoothwall appliance and the domain controller (DC) cannot be guaranteed.
The IDex Agent is a software package installed on every domain controller in a Windows domain. It watches for audited logon events on the domain and reports their details to the Smoothwall, where the user and their IP address are added to the authentication table. Any traffic from that IP address is then matched to the logged-in user and their mapped domain groups. Because the mapping is keyed on IP address, the most recent audited logon from an address decides which user, and which groups, its traffic is attributed to.
Prerequisites
- In the Smoothwall Filter and Firewall, add an IDex directory and map the user groups, see our help topic, Adding an IDex directory.
- In Windows Group Policy Management, configure the audit policy that applies to your domain controllers (for example, the Default Domain Controllers Policy) with these settings, see the Windows help topic, To configure a setting for a domain controller:
- Audit account logon events: Success
- Audit logon events: Success
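Before installing the agent it is worth confirming, on every DC, that the two audit settings above are in effect and that matching events are actually being written. The following PowerShell is an added example, not Smoothwall's code. It assumes the ActiveDirectory RSAT module and PowerShell remoting to the DCs. It checks the advanced-audit subcategories that the two legacy settings enable (event 4624 comes from Audit logon events; 4768 and 4776 from Audit account logon events), and counts events from the last hour.

```powershell
# Added example, not Smoothwall's code: verify the IDex audit prerequisites on every DC.
# Assumes RSAT ActiveDirectory module and WinRM (PowerShell remoting) to the DCs.
$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    # auditpol reports advanced subcategories; the legacy GPO settings in the
    # prerequisites enable Success on every subcategory of these two categories.
    function Get-AuditRows([string]$Category) {
        auditpol /get /category:"$Category" /r |
            Where-Object { $_ -match '\S' } |     # drop blank lines before CSV parsing
            ConvertFrom-Csv
    }
    $rows = @(Get-AuditRows 'Logon/Logoff') + @(Get-AuditRows 'Account Logon')
    $want = 'Logon',                              # 4624
            'Kerberos Authentication Service',    # 4768
            'Kerberos Service Ticket Operations', # 4769
            'Credential Validation'               # 4776 (NTLM)
    $missing = @(foreach ($name in $want) {
        $row = $rows | Where-Object { $_.Subcategory -eq $name }
        if (-not $row -or $row.'Inclusion Setting' -notmatch 'Success') { $name }
    })

    # Policy can look right while nothing is logged (for example, a GPO that has not
    # applied yet), so also count the events IDex depends on from the last hour.
    $since  = (Get-Date).AddHours(-1)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4768, 4776; StartTime = $since } `
                           -MaxEvents 2000 -ErrorAction SilentlyContinue
    $counts = @{}
    foreach ($e in $events) { $counts[$e.Id] = 1 + [int]$counts[$e.Id] }

    [pscustomobject]@{
        PolicyOk        = ($missing.Count -eq 0)
        MissingSuccess  = ($missing -join ', ')
        Logons4624      = [int]$counts[4624]
        KerberosTgt4768 = [int]$counts[4768]
        Ntlm4776        = [int]$counts[4776]
    }
}

$results |
    Select-Object PSComputerName, PolicyOk, MissingSuccess, Logons4624, KerberosTgt4768, Ntlm4776 |
    Format-Table -AutoSize
```

A DC that reports PolicyOk but zero 4624 events in a working hour is the case to investigate before blaming the agent: IDex can only report what the Security log records.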
Procedure
On the product downloads page, https://customer.smoothwall.net/download, under the IDex Agent section, download the version you need.
- If you have a single server:
- Upload the installation file to the server and run it.
- Click through the wizard and when prompted, enter:
- Web filter host - The host name or IP address of the Smoothwall that is configured to communicate with the IDex Agent, that is, the one for which you add the IDex Cluster access rule in the follow-up tasks below.
- Web filter port - Use the default port, 2948, for most implementations.
- Finish the installation. You don't need to restart the server.
- If you have several servers, you can either:
- Use the command line to deploy the installation file:
- Create a script that runs the following command line with administrative rights on each domain controller: msiexec /i "path-to-installer.msi" SMOOTHWALLIP="<host>" /quiet
where:
- path-to-installer.msi is the full network path to IDexAgent.msi.
- host is the host name or IP address of the Smoothwall explicitly configured for the IDex Agent; see IDex Cluster nodes.
- Use a GPO to deploy the installation file, see the Windows help article, Editing Software Settings Using GPMC. The GPO should:
- Deploy the IDexAgent.msi file that you downloaded.
- Configure the registry settings:
- Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IDexAgent\Parameters
- Value: SmoothwallIPAddr - The host name or IP address of the Smoothwall explicitly configured for communicating with the IDex Agent
- Type: String
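The scripted path above, carried through end to end as an added PowerShell example (not Smoothwall's code): install the MSI on every DC with the same msiexec command line and SMOOTHWALLIP property, then verify the service, the SmoothwallIPAddr registry value, and the Application log. The MSI is copied over the remoting session first so that msiexec reads a local file; opening a UNC path from inside Invoke-Command fails on the Kerberos double hop. The share path and Smoothwall host name are placeholders, and the example assumes the installed service is named IDexAgent (the registry path in this topic sits under Services\IDexAgent) and that RSAT and WinRM are available.

```powershell
# Added example, not Smoothwall's code: deploy IDexAgent.msi to all DCs and verify.
# Assumptions: RSAT ActiveDirectory module, WinRM to the DCs, service name IDexAgent,
# and placeholder share / Smoothwall names that you replace with your own.
$msiSource  = '\\files.corp.example\software\IDexAgent.msi'   # assumed: where the download was saved
$smoothwall = 'smoothwall.corp.example'                        # assumed: host used in the IDex access rule
$dcs        = (Get-ADDomainController -Filter *).HostName

# Stage the installer locally on each DC to avoid the second-hop credential problem.
$sessions  = New-PSSession -ComputerName $dcs
$remoteMsi = 'C:\Windows\Temp\IDexAgent.msi'
foreach ($s in $sessions) {
    Copy-Item -Path $msiSource -Destination $remoteMsi -ToSession $s -Force
}

$results = Invoke-Command -Session $sessions -ArgumentList $remoteMsi, $smoothwall -ScriptBlock {
    param($Msi, $Target)
    $log = 'C:\Windows\Temp\IDexAgent-install.log'
    # Same command line as the manual procedure, plus a verbose log for troubleshooting.
    $proc = Start-Process -FilePath msiexec.exe -Wait -PassThru -ArgumentList @(
        '/i', "`"$Msi`"", "SMOOTHWALLIP=`"$Target`"", '/quiet', '/norestart', '/l*v', "`"$log`""
    )
    # Standard Windows Installer exit codes: 0 = success, 3010 = success, reboot pending.
    $installed = $proc.ExitCode -in 0, 3010

    $svc       = Get-Service -Name IDexAgent -ErrorAction SilentlyContinue
    $svcStatus = if ($svc) { [string]$svc.Status } else { 'not found' }
    $reg       = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\IDexAgent\Parameters' `
                                  -ErrorAction SilentlyContinue

    # The agent writes connection errors to the Application log prefixed IDexAgent, so a
    # wrong host or a missing access rule shows up here within minutes of installation.
    $errs = Get-WinEvent -LogName Application -MaxEvents 300 -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -gt (Get-Date).AddMinutes(-10) -and
                       ($_.ProviderName -like 'IDexAgent*' -or $_.Message -like 'IDexAgent*') }

    [pscustomobject]@{
        ExitCode     = $proc.ExitCode
        Installed    = $installed
        Service      = $svcStatus
        SmoothwallIP = $reg.SmoothwallIPAddr
        AgentErrors  = @($errs).Count
        Log          = $log
    }
}
Remove-PSSession $sessions

$results |
    Select-Object PSComputerName, ExitCode, Installed, Service, SmoothwallIP, AgentErrors, Log |
    Format-Table -AutoSize
```

If Installed is true but SmoothwallIP is empty, the property name on the command line is the first thing to check; if AgentErrors is non-zero, add the IDex Cluster access rule described in the follow-up tasks before retrying.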
Follow-up Tasks
You need to let the IDex Agent through the Smoothwall Filter and Firewall:
- Add a rule with these settings, see the help topic, Adding new Smoothwall access rules:
- Source IP addresses: The IP addresses of your domain controllers that have the IDex Agent installed.
- Services: IDex Cluster (2948).
- Action: Accept
- In the Smoothwall access table, move this rule above any block rules you have in place.
- Create a core authentication web filter policy with these settings, see our help topic, Creating authentication policies:
- Non-transparent or Transparent: Choose the type of authentication suitable for your organization. Our knowledge base article, Using Non-Transparent Authentication Policies provides guidance for when to use a non-transparent authentication policy.
- Method: Core authentication
- Interface: Choose the interface that your devices proxy through for web filtering. You might need multiple Core authentication policies if your devices can use more than one internal interface. Whatever Interface and Port combination you select here, make sure that your client devices use the same values in their Internet proxy settings.
- Where: Everywhere
- Options for Unauthenticated Requests: Add the groups into which users who are not matched in the authentication table are placed.
The IDex Agent writes any connection errors to the Application event log of the Windows device, prefixed with IDexAgent.
Any service account on the domain that authenticates against a DC also generates logon events, so IDex maps that account to the source IP address of the logon. Where a user is already logged in on that machine, this replaces the user's mapping with the service account and can cause authentication and group-mapping conflicts for the user.
With IDex Agent 2.2.4 and later, you can exclude such accounts. Under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IDexAgent\Parameters key, create a string value called LogonExclusions and set it to a comma-separated list of the usernames to ignore. Then restart the IDex Agent service. This must be done on every DC where the agent is installed.
The older method was to add a $ symbol to the end of the service account name, for example domain\some_service$. IDex Agent ignores any account whose name ends in $; this is also how it skips Active Directory computer accounts, whose names always end in $.
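Two tasks from the passage above, as an added PowerShell example (not Smoothwall's code): first, find the accounts that behave like service accounts from IDex's point of view, that is, non-machine accounts (no trailing $) that logged on to the DCs from several different source IP addresses in the last 24 hours, which is exactly the pattern that steals an IP mapping from the interactive user; second, write the LogonExclusions value and restart the service on every DC. The example assumes the usernames in LogonExclusions are plain sAMAccountNames (check this against what the agent reports in the Application log), that the service is named IDexAgent, and that RSAT and WinRM are available.

```powershell
# Added example, not Smoothwall's code: identify candidate service accounts from 4624
# events on the DCs, then apply LogonExclusions (IDex Agent 2.2.4+) and restart the service.
# Assumptions: sAMAccountName format for exclusions, service name IDexAgent, RSAT + WinRM.
$dcs = (Get-ADDomainController -Filter *).HostName

function Find-SuspectedServiceLogons {
    param([string[]]$DomainControllers, [int]$MinDistinctIps = 3, [int]$Hours = 24)
    $raw = Invoke-Command -ComputerName $DomainControllers -ArgumentList $Hours -ScriptBlock {
        param($Hours)
        $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
        Get-WinEvent -FilterHashtable $filter -MaxEvents 20000 -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Pull the named EventData fields out of the event XML.
                $f = @{}
                foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
                [pscustomobject]@{
                    User = $f.TargetUserName; Domain = $f.TargetDomainName
                    Ip   = $f.IpAddress;      Type   = $f.LogonType
                }
            }
    }
    $raw |
        Where-Object {
            $_.User -and $_.User -notlike '*$' -and                       # skip machine / gMSA accounts
            $_.User -notin 'SYSTEM', 'ANONYMOUS LOGON', 'LOCAL SERVICE', 'NETWORK SERVICE' -and
            $_.Ip -and $_.Ip -notin '-', '::1', '127.0.0.1'               # skip local logons
        } |
        Group-Object User |
        ForEach-Object {
            $ips = @($_.Group.Ip | Sort-Object -Unique)
            [pscustomobject]@{
                User        = $_.Name
                DistinctIps = $ips.Count
                Logons      = $_.Count
                LogonTypes  = (($_.Group.Type | Sort-Object -Unique) -join ',')
            }
        } |
        Where-Object { $_.DistinctIps -ge $MinDistinctIps } |
        Sort-Object DistinctIps -Descending
}

function Set-IDexLogonExclusions {
    param([string[]]$DomainControllers, [string[]]$Users)
    $value = ($Users | Sort-Object -Unique) -join ','
    Invoke-Command -ComputerName $DomainControllers -ArgumentList $value -ScriptBlock {
        param($Value)
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\IDexAgent\Parameters'
        Set-ItemProperty -Path $key -Name LogonExclusions -Value $Value -Type String
        Restart-Service -Name IDexAgent          # the agent reads the value at start-up
        [pscustomobject]@{
            LogonExclusions = (Get-ItemProperty -Path $key).LogonExclusions
            Service         = [string](Get-Service -Name IDexAgent).Status
        }
    } | Select-Object PSComputerName, LogonExclusions, Service
}

# Review the candidates before excluding anything: a helpdesk account that legitimately
# logs on to many workstations will appear here too, and excluding it would leave those
# users unauthenticated instead of mis-attributed.
$suspects = Find-SuspectedServiceLogons -DomainControllers $dcs
$suspects | Format-Table -AutoSize
# Set-IDexLogonExclusions -DomainControllers $dcs -Users $suspects.User
```

The LogonTypes column helps with that review: accounts seen only with logon type 3 (network) or 4 (batch) from many addresses are almost always services or scheduled tasks, while type 2 (interactive) or 10 (remote interactive) from many addresses points at a person.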