Allowing Internet Access via AD Agent
This example shows how to configure the AD Agent so that domain users can access the Internet.
The following describes the network environment. An enterprise deploys a Hillstone security device as the egress gateway that connects the internal network with the Internet. All staff in the R&D department and the marketing department belong to the AD domain (scep.pki.com). Once the AD Agent is configured, a login record is generated whenever a staff member logs in through the AD server (that is, logs in to a PC that has joined the AD domain using a domain user name and password). The AD Security Agent sends the authenticated user information (user name and IP address) to the security device. With a user-based security policy, only the R&D manager can access the Internet, other staff in the R&D department cannot access the Internet, and staff in the marketing department can access web services over HTTP or HTTPS.
Before configuring the AD Agent function, complete the following preparations:
- The AD server has been set up according to the user's network environment.
- To allow WMI to probe the PC hosting the AD server and the terminal PCs, each PC must have the RPC service running and remote administration enabled. To enable the RPC service, open Control Panel > Administrative Tools > Services and start Remote Procedure Call and Remote Procedure Call Locator; to enable remote administration, run the command prompt (cmd) as administrator and enter the command netsh firewall set service RemoteAdmin
- To allow WMI to probe the PC hosting the AD server and the terminal PCs, each PC must also allow WMI through Windows Firewall. Select Control Panel > System and Security > Windows Firewall > Allow an app through Windows Firewall, and in the Allowed apps and features list select the Domain check box for Windows Management Instrumentation (WMI).
The security device is normally configured with a policy that protects the AD server, which may restrict the ports used by the WMI service (port 135 plus a dynamically assigned port). Therefore, configure an additional policy (with the source IP set to the IP address of ethernet0/3) that allows all traffic on that interface to pass.
- A rule has been configured on the security device requiring all enterprise staff to pass web authentication before they access the Internet. For the detailed configuration method, see Allowing the Internet Access via User Authentication.
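The WMI prerequisites listed above can be checked from an elevated PowerShell session on the AD server or on a terminal PC. This is an added example, not part of the Hillstone documentation; the function name Test-AdAgentWmiPrereqs and the optional ProbeTarget parameter (which performs the same kind of DCOM/WMI query the agent relies on) are assumptions.

```powershell
# Added example: verify the RPC, Remote Administration and WMI firewall prerequisites.
# Assumes Windows 8 / Server 2012 or later (NetSecurity module) and an elevated session.
function Test-AdAgentWmiPrereqs {
    [CmdletBinding()]
    param(
        # Optional host to probe over WMI/DCOM, e.g. a terminal PC (assumed parameter).
        [string]$ProbeTarget
    )
    $ok = $true

    # 1. RPC services: Remote Procedure Call (RpcSs) and RPC Locator (RpcLocator) must be running.
    foreach ($svc in Get-Service -Name 'RpcSs', 'RpcLocator') {
        if ($svc.Status -ne 'Running') {
            Write-Warning "Service $($svc.Name) is $($svc.Status); start it in Services."
            $ok = $false
        }
    }

    # 2. Firewall rule groups: 'Remote Administration' (what 'netsh firewall set service RemoteAdmin'
    #    turns on) and 'Windows Management Instrumentation (WMI)' need an enabled inbound rule
    #    that applies to the Domain profile.
    foreach ($group in 'Remote Administration', 'Windows Management Instrumentation (WMI)') {
        $enabled = Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue |
            Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and
                           ($_.Profile -eq 'Any' -or "$($_.Profile)" -match 'Domain') }
        if (-not $enabled) {
            Write-Warning "No enabled inbound Domain-profile rule in group '$group'."
            $ok = $false
        }
    }

    # 3. Optional end-to-end probe over DCOM (TCP 135 plus a dynamic port), the same path the
    #    security device's policy must allow; Get-CimInstance defaults to WS-Man, so force DCOM.
    if ($ProbeTarget) {
        try {
            $opt = New-CimSessionOption -Protocol Dcom
            $session = New-CimSession -ComputerName $ProbeTarget -SessionOption $opt -ErrorAction Stop
            $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
            Write-Verbose "WMI probe of $ProbeTarget succeeded: $($os.Caption)"
            Remove-CimSession $session
        } catch {
            Write-Warning "WMI probe of $ProbeTarget failed: $($_.Exception.Message)"
            $ok = $false
        }
    }
    return $ok
}

# Usage: check the local host and probe one terminal PC (constructed host name).
Test-AdAgentWmiPrereqs -ProbeTarget 'TERMINAL-PC-01' -Verbose
```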
Step 3: Install and configure the AD Security Agent on the AD server.
Click Commit to commit the above configurations and start the AD Agent service.
Step 6: Verify the result
After all the above configuration is finished, only the R&D manager can access the Internet, other staff in the R&D department cannot access the Internet, and staff in the marketing department can access web services over HTTP or HTTPS.