Active Directory integration
NxFilter supports Active Directory integration. We tried to make it simple and easy, but some people still find it hard to follow.
So, we want to explain what Active Directory integration means for NxFilter, when to use it, and how to
implement it at a conceptual level.
What is Active Directory integration?
One of the reasons people want to integrate NxFilter with Active Directory is that they want
to apply filtering policies based on Active Directory users and groups. They also don't want
their users to go through any extra login step other than the login prompt on their own PCs.
So, to NxFilter, Active Directory integration means using the same user accounts from your Active Directory
to differentiate users on NxFilter and having single sign-on with Active Directory.
User importation
Now we know what Active Directory integration is and why we need it. However, how do we implement it?
The first thing you need to do is to import the users and groups from Active Directory. You need to introduce
your users and groups to NxFilter. You can do that on 'User > Active Directory'.
After you import your users and groups, your users will be able to use their Active Directory credentials on NxFilter's login page. So, we have already achieved Active Directory integration to a certain level.
If you want to exclude the machine-created users and groups from AD importation, read
How to import only the users and groups created manually from Active Directory excluding machine created ones
Single sign-on with Active Directory
While your users can use their Active Directory credentials on NxFilter's login page, they might not want to go through
NxFilter's login page. So, the next thing you need to do is to implement single sign-on. Now you need one of our agent programs
working with NxFilter. We have several agents: NxLogon, VxLogon, NxMapper, CxLogon. You can use just one of them or mix and match
them to complement each other.
For more information, read the single sign-on or agent-related parts of this tutorial.
MS DNS server and NxFilter
When you deploy NxFilter in an Active Directory environment, you might worry about
breaking the integrity of Active Directory, since NxFilter is a DNS server and the role of a DNS server
in Active Directory is very important. However, we don't disable or replace the existing MS DNS server.
Our approach is to cooperate with the existing DNS server. So, you have to maintain
your existing MS DNS server even though you use NxFilter as the DNS server for your network.
1. Where to install it
Some people try to install NxFilter on their domain controller. But the problem is that you already have a DNS server
there: your MS DNS server. It would be better to install NxFilter on another system to avoid
a port collision problem.
If you have to install NxFilter on a domain controller, watch our YouTube video tutorial
about that:
Install NxFilter on Windows server without having DNS port collision
2. Bypass AD domains
The MS DNS server in Active Directory does a lot of things. It lets the hosts in Active Directory find
the location of resources using SRV queries. It maintains a DNS zone for every host. It also does dynamic
host IP updates when you change the IP address of a system. To keep all these things working, NxFilter automatically
bypasses the internal DNS queries for your Active Directory domain to the MS DNS server.
This auto-bypass works based on your AD user importation setup. If you don't want to import users from AD, or if you want to set up the bypass
manually, you can use the Local DNS and Local Domain options on 'DNS > Setup'. When you do it manually, you have to bypass your reverse lookup
domain as well.
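A planning aid for the manual case above, as an added example that is not NxFilter code: it derives the reverse lookup zone names for your subnets and checks which query names the resulting bypass list would cover. The domain `corp.example`, the subnets, and the label-aligned suffix matching are assumptions made for illustration; NxFilter's own matching rules are not described on this page.

```python
import ipaddress

def reverse_zones(cidr):
    """in-addr.arpa zone names covering an IPv4 subnet.

    Prefixes off an octet boundary are mapped to whole zones: a /22 becomes
    four /24 zones, a /25 becomes the /24 zone that contains it.
    """
    net = ipaddress.ip_network(cidr)  # raises ValueError if host bits are set
    if net.version != 4 or net.prefixlen == 0:
        raise ValueError("expected an IPv4 subnet with a non-zero prefix")
    target = min(24, -(-net.prefixlen // 8) * 8)  # round up to /8, /16 or /24
    if net.prefixlen > 24:
        parts = [net.supernet(new_prefix=24)]
    else:
        parts = net.subnets(new_prefix=target)
    zones = []
    for part in parts:
        octets = str(part.network_address).split(".")[: target // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones

def local_domains(ad_domain, subnets):
    """Bypass list: the AD domain plus every reverse zone for the subnets."""
    domains = [ad_domain.lower().rstrip(".")]
    for subnet in subnets:
        for zone in reverse_zones(subnet):
            if zone not in domains:
                domains.append(zone)
    return domains

def goes_to_ms_dns(qname, domains):
    """True if qname is a listed domain or a name under it.

    Matching on whole labels (assumed here) keeps 'notcorp.example' from
    being treated as part of 'corp.example'.
    """
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    bypass = local_domains("corp.example", ["192.168.10.0/24", "10.20.0.0/22"])
    print("Local Domain entries:", ", ".join(bypass))
    for q in ["_ldap._tcp.dc._msdcs.corp.example", "25.10.168.192.in-addr.arpa",
              "notcorp.example", "www.example.org"]:
        print(q, "->", "MS DNS" if goes_to_ms_dns(q, bypass) else "upstream")
```

Names that come out as "upstream" for hosts you know are internal point to a missing entry in the bypass list.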
3. Which upstream server for NxFilter
You might wonder which DNS server you should use as the upstream server for NxFilter, because
you already have your MS DNS server. Simply put, you can use any DNS server you think is best.
Even if you use a public DNS server from the internet as its upstream server, NxFilter still forwards
the Active Directory internal DNS queries to your MS DNS server.
4. Manual setup for MS DNS server
After you import Active Directory users and groups, NxFilter will try to connect to your MS DNS server automatically,
assuming it is on your domain controller. However, you may have your MS DNS server on another Windows server. Or you may
want to have redundancy for your MS DNS server. You can deal with those things on the edit page of your Active Directory
importation setup. For redundancy, add multiple DNS servers separated by commas.
You might need to allow Nonsecure Dynamic Update on your MS DNS zone properties for NxFilter to update
the IP addresses of the hosts in your MS DNS zone dynamically.
Filtering multiple branch offices
You may have your Active Directory spanning multiple branch offices and want to filter all the branch offices with one NxFilter server.
You can do that by running NxRelay in each branch office.
To find out more, read the NxRelay for whole network part.