Active Directory integration
NxFilter supports Active Directory integration. We tried to make it simple and easy, but some people still find it hard to follow. So, we want to explain what Active Directory integration means for NxFilter, when to use it, and how to implement it at a conceptual level.
What is Active Directory integration?
One of the reasons people want to integrate NxFilter with Active Directory is that they want to apply filtering policies based on Active Directory users and groups. They also don't want their users to go through any extra login step beyond the login prompt on their own PCs. So, to NxFilter, Active Directory integration means using the same user accounts from your Active Directory to differentiate users on NxFilter, and having single sign-on with Active Directory.
User importation
Now we know what Active Directory integration is and why we need it. But how do we implement it? The first thing you need to do is import the users and groups from Active Directory, so that NxFilter knows about them. You can do that on 'User > Active Directory'. After you import your users and groups, your users will be able to use their Active Directory credentials on NxFilter's login page. At that point, we have already achieved Active Directory integration to a certain level.
If you want to exclude the machine-created users and groups from AD importation, read 'How to import only the users and groups created manually from Active Directory excluding machine created ones'.
Single sign-on with Active Directory
While your users can use their Active Directory credentials on NxFilter's login page, they might not want to go through NxFilter's login page. So, the next thing you need to do is implement single sign-on. For that, you need one of our agent programs working with NxFilter. We have several agents: NxLogon, VxLogon, NxMapper, CxLogon. You can use just one of them or mix and match them to complement each other.
For more information, read the single sign-on and agent-related parts of this tutorial.
MS DNS server and NxFilter
When you deploy NxFilter in an Active Directory environment, you might worry about breaking the integrity of Active Directory, since NxFilter is a DNS server and the role of a DNS server in Active Directory is very important. However, we don't disable or replace the existing MS DNS server. Our approach is to work in cooperation with the existing DNS server. So, you have to maintain your existing MS DNS server even though you use NxFilter as the DNS server for your network.
1. Where to install it
Some people try to install NxFilter on their domain controller. The problem is that you already have a DNS server there: your MS DNS server. It is better to install NxFilter on another system to avoid a port collision.
If you have to install NxFilter on a domain controller, watch our YouTube video tutorial about that, 'Install NxFilter on Windows server without having DNS port collision'.
2. Bypass AD domains
The MS DNS server in Active Directory does a lot of things. It lets the hosts in Active Directory find the location of resources using SRV queries. It maintains a DNS zone for every host. And it does dynamic host IP updates when you change the IP address of a system. To keep all of this working, NxFilter automatically bypasses the internal DNS queries for the Active Directory domain to the MS DNS server.
This auto-bypass works based on your AD user importation setup. If you don't want to import users from AD, or if you want to set it up manually, you can use the Local DNS and Local Domain options on 'DNS > Setup'. When you do it manually, you have to bypass your reverse lookup domain as well.
3. Which upstream server for NxFilter
You might wonder which DNS server you should use as the upstream server for NxFilter, because you already have your MS DNS server. Simply put, you can use any DNS server you think is best. Even if you use a public DNS server from the Internet as its upstream server, NxFilter still forwards the Active Directory internal DNS queries to your MS DNS server.
4. Manual setup for MS DNS server
After you import Active Directory users and groups, NxFilter will try to connect to your MS DNS server automatically, assuming it is on your domain controller. However, you may have your MS DNS server on another Windows server, or you may want redundancy for your MS DNS server. You can deal with both on the edit page of your Active Directory importation setup. For redundancy, add multiple DNS servers separated by commas.
You might need to allow Nonsecure Dynamic Update in your MS DNS zone properties for NxFilter to update the IP addresses of the hosts in your MS DNS zone dynamically. A zone with nonsecure updates enabled accepts dynamic updates without authenticating the sender.
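The bypass described under 'Bypass AD domains', including the reverse lookup domain that a manual setup has to cover, can be modelled as a routing decision per query name. This is an added example, not NxFilter's own code; the domain, subnets and server addresses are constructed sample values.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from any real deployment).
AD_DOMAINS = ["corp.example.com"]                 # 'Local Domain' entries
AD_SUBNETS = ["192.168.10.0/24", "10.20.0.0/16"]  # internal IPv4 ranges
MS_DNS = ["192.168.10.5", "192.168.10.6"]         # 'Local DNS', with redundancy
UPSTREAM = ["9.9.9.9"]


def reverse_zone(subnet):
    """Return the in-addr.arpa zone for an IPv4 subnet on an octet boundary."""
    net = ipaddress.ip_network(subnet)
    if net.version != 4 or net.prefixlen == 0 or net.prefixlen % 8:
        raise ValueError(f"{subnet}: need an IPv4 /8, /16 or /24")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def in_zone(qname, zone):
    """Match whole DNS labels, case-insensitively, ignoring the root dot."""
    q = qname.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    # Requiring the leading dot keeps 'notcorp.example.com' out of the
    # 'corp.example.com' bypass, so it still goes through filtering.
    return q == z or q.endswith("." + z)


def route(qname, domains=AD_DOMAINS, subnets=AD_SUBNETS):
    """Return ('local', MS_DNS) for AD-internal names, else ('upstream', UPSTREAM)."""
    zones = list(domains) + [reverse_zone(s) for s in subnets]
    if any(in_zone(qname, z) for z in zones):
        return "local", MS_DNS
    return "upstream", UPSTREAM


if __name__ == "__main__":
    for name in ("_ldap._tcp.dc._msdcs.corp.example.com.",  # SRV lookup
                 "PC01.Corp.Example.Com",                   # host record
                 "5.10.168.192.in-addr.arpa",               # reverse lookup
                 "notcorp.example.com",                     # not in the AD zone
                 "www.example.org"):
        print(f"{name:45} -> {route(name)[0]}")
```

With the reverse zones left out of the bypass list, the PTR query in the sample would be sent upstream, which is why a manual setup has to list the reverse lookup domain too.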
Filtering multiple branch offices
You may have your Active Directory spread over multiple branch offices and want to filter all of them with one NxFilter server. You can do that by running NxRelay in each branch office. To find out more, read the 'NxRelay for whole network' part.