Using AD Polling for SSO
This example shows how domain users, once they have logged in to the AD domain, can access the Internet directly without Web authentication by configuring AD Polling.
The network environment is as follows. An enterprise deploys a Hillstone security device as the egress gateway connecting the internal network to the Internet. Only the staff of the R&D department are members of the AD domain (scep.pki.com); the staff of the marketing department are not. Web authentication is enabled on the security device, so every employee may access the Internet only after passing authentication. Once AD Polling is configured, a login log is generated on the AD server whenever an R&D employee logs in through it (that is, logs in to a domain-joined PC with a domain user name and password). Through AD Polling the device reads these logs and obtains the authenticated user information from the AD server, so R&D staff can access the Internet directly without Web authentication.
Before configuring the AD Polling function, prepare the following first:
- The AD server has been set up according to the user network environment.
- To allow WMI to probe the PC hosting the AD server and the terminal PCs, each PC must have the RPC service and remote management enabled. To enable the RPC service, open Control Panel > Administrative Tools > Services and start Remote Procedure Call and Remote Procedure Call Locator; to enable remote management, run the command prompt (cmd) as administrator and enter the command netsh firewall set service RemoteAdmin
- To allow WMI to probe the PC hosting the AD server and the terminal PCs, each PC must permit WMI through the Windows firewall. Select Control Panel > System and Security > Windows Firewall > Allow an app through Windows Firewall, and in the Allowed apps and features list select the Domain check box for Windows Management Instrumentation (WMI).
- The security device is normally configured with a policy protecting the AD server, which may block the ports used by the WMI service (port 135 plus a dynamically assigned port). Therefore an additional policy (with the source IP set to the IP address of ethernet0/3) must be configured to allow all traffic on that interface to pass through.
- A rule has been configured on the security device requiring all employees to pass Web authentication before accessing the Internet. For the detailed configuration method, see Allowing the Internet Access via User Authentication.
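The prerequisites above can be verified from a domain-joined administrative workstation before AD Polling is enabled on the device. The following PowerShell script is an added example, not part of the Hillstone documentation: it checks that the RPC services are running, that the WMI firewall rules are enabled for the Domain profile, that TCP port 135 on the AD server is reachable, and then issues the same kind of WMI query the device relies on, reading recent Windows logon events (Security log event ID 4624) over DCOM. The host name dc01.scep.pki.com and the position of fields inside the 4624 insertion strings are assumptions; adjust them to your environment.

```powershell
# Added example, not from the StoneOS documentation.
# Requires Windows PowerShell 5.1 (Get-WmiObject uses DCOM, the transport WMI polling relies on).
param(
    [string]$AdServer = "dc01.scep.pki.com",   # assumed AD server name, replace with yours
    [int]$MaxEvents   = 20
)

function Test-RpcServices {
    # Remote Procedure Call and RPC Locator, as required in the prerequisites
    foreach ($name in 'RpcSs', 'RpcLocator') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { Write-Warning "Service $name not found"; continue }
        "{0,-12} {1}" -f $name, $svc.Status
    }
}

function Test-WmiFirewallRules {
    # The "Allow an app through Windows Firewall" check box maps to this rule group;
    # the Domain profile must be included for polling from the security device to work.
    $rules = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' `
                 -ErrorAction SilentlyContinue | Where-Object { $_.Direction -eq 'Inbound' }
    if (-not $rules) { Write-Warning "WMI firewall rule group not found"; return }
    foreach ($r in $rules) {
        $domainOk = ($r.Profile -band 'Domain') -or ($r.Profile -eq 'Any')
        "{0,-45} Enabled={1,-5} Profile={2,-12} DomainProfileOK={3}" -f `
            $r.DisplayName, $r.Enabled, $r.Profile, $domainOk
    }
}

function Test-RpcEndpoint {
    param([string]$Server)
    # Port 135 is the RPC endpoint mapper; the actual WMI session then moves to a
    # dynamically assigned high port, which is why the device policy must allow all traffic.
    $tnc = Test-NetConnection -ComputerName $Server -Port 135 -WarningAction SilentlyContinue
    "TCP 135 to {0}: {1}" -f $Server, $(if ($tnc.TcpTestSucceeded) { 'reachable' } else { 'BLOCKED' })
}

function Get-RecentDomainLogons {
    param([string]$Server, [int]$Count)
    # Read successful logon events from the AD server's Security log over WMI/DCOM.
    # This is the information AD Polling correlates into user-to-IP mappings.
    $events = Get-WmiObject -ComputerName $Server -Class Win32_NTLogEvent `
                  -Filter "Logfile='Security' AND EventCode=4624" |
              Select-Object -First $Count
    foreach ($e in $events) {
        # Assumed field positions for event 4624 (verify on your Windows build):
        # [5] target user name, [6] target domain, [8] logon type, [18] source IP
        $s = $e.InsertionStrings
        [pscustomobject]@{
            Time      = [Management.ManagementDateTimeConverter]::ToDateTime($e.TimeGenerated)
            User      = "{0}\{1}" -f $s[6], $s[5]
            LogonType = $s[8]
            SourceIP  = $s[18]
        }
    }
}

"== RPC services ==";        Test-RpcServices
"== WMI firewall rules ==";  Test-WmiFirewallRules
"== RPC endpoint ==";        Test-RpcEndpoint -Server $AdServer
"== Recent logons ==";       Get-RecentDomainLogons -Server $AdServer -Count $MaxEvents | Format-Table -AutoSize
```

Run the script under an account with administrative rights on the AD server; the WMI query over Win32_NTLogEvent can take a while on a large Security log, so keep $MaxEvents small. If the logon list is empty while the earlier checks pass, the device will likewise see no logins, and the cause is on the AD side (auditing of logon events) rather than in the polling configuration.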
Step 4: Configuring AD Polling in StoneOS
Select Object > SSO Client > AD Polling, then click Create to open the AD Polling Configuration page.
Click OK to finish AD Polling configuration.