
Allowing Internet Access via AD Agent

This example shows how to configure the AD Agent so that domain users can be identified and allowed to access the Internet.

The following describes the network environment. An enterprise deploys a Hillstone security device as the egress gateway connecting the internal network to the Internet. All staff of the R&D department and the marketing department are members of the AD domain (scep.pki.com). Once the AD Agent is configured, a login record is generated each time a staff member logs in through the AD server (that is, logs in to a domain-joined PC with a domain user name and password). The AD Security Agent sends the authenticated user information (user name and IP address) to the system. With user-based security policies, only the R&D manager can access the Internet, other staff of the R&D department cannot access the Internet, and staff of the marketing department can access Web services over HTTP or HTTPS.

Preparation

Before configuring the AD Agent function, prepare the following first:

  • The AD server has been set up according to the user's network environment.
  • To allow WMI to probe the PC hosting the AD server and the terminal PCs, each PC must have the RPC service and remote management enabled. To enable the RPC service, open Control Panel > Administrative Tools > Services and start Remote Procedure Call and Remote Procedure Call Locator; to enable remote management, open the command prompt (cmd) as administrator and run the command netsh firewall set service RemoteAdmin.
  • To allow WMI to probe the PC hosting the AD server and the terminal PCs, each PC must allow WMI through Windows Firewall. Select Control Panel > System and Security > Windows Firewall > Allow an app through Windows Firewall, and in the Allowed apps and features list select the Domain check box for Windows Management Instrumentation (WMI).
  • The security device is configured with a policy that protects the AD server, which may restrict the ports used by the WMI service (port 135 and a dynamic port). Therefore, configure another policy (with the source IP set to the IP address of ethernet0/3) that allows all traffic from that interface to pass through.

  • A rule has been configured on the security device that requires all enterprise staff to pass Web authentication before accessing the Internet. For the detailed configuration, see Allowing the Internet Access via User Authentication.
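The following check script is an added example, not part of the Hillstone cookbook or the AD Agent: run it in an elevated PowerShell on a terminal PC (or on the AD server) to confirm the preparation items above before enabling the agent. It assumes the domain controller address 10.180.201.8 and domain scep.pki.com used in this example, and that the firewall rule groups carry their default Windows display names.

```powershell
# Added check script, not from the cookbook: verifies the Preparation items.
# Assumed values: DC 10.180.201.8 / scep.pki.com from this example; the rule
# group names 'Windows Management Instrumentation (WMI)' and
# 'Remote Administration' are the Windows defaults.
$dc     = '10.180.201.8'
$domain = 'scep.pki.com'
$ok     = $true

# 1. RPC services that WMI/DCOM probing relies on (Services console items above)
foreach ($name in 'RpcSs', 'RpcLocator') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        Write-Warning "Service $name is not running"; $ok = $false
    }
}

# 2. Firewall: WMI and Remote Administration must be allowed inbound on the
#    Domain profile (what the Allow an app dialog and the netsh command enable)
foreach ($group in 'Windows Management Instrumentation (WMI)', 'Remote Administration') {
    $rules   = Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue
    $enabled = $rules | Where-Object { $_.Enabled -eq 'True' -and ($_.Profile -match 'Domain|Any') }
    if (-not $enabled) {
        Write-Warning "No enabled inbound rule in group '$group' for the Domain profile"; $ok = $false
    }
}

# 3. DNS: the preferred DNS server must be the domain controller (Step 2)
$dns = (Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }).ServerAddresses
if ($dns -notcontains $dc) {
    Write-Warning "Configured DNS servers ($($dns -join ', ')) do not include the DC $dc"; $ok = $false
}

# 4. Reachability: LDAP (389) for the domain join, RPC endpoint mapper (135) for WMI.
#    A failure here usually means the gateway policy from Preparation is missing.
foreach ($port in 389, 135) {
    $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
    if (-not $t.TcpTestSucceeded) { Write-Warning "TCP $port to $dc is blocked"; $ok = $false }
}

# 5. Domain membership (only meaningful after the PC has been joined in Step 2)
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain -or $cs.Domain -ne $domain) {
    Write-Warning "This PC is not joined to $domain (current: $($cs.Domain))"; $ok = $false
}

if ($ok) { 'All preparation checks passed' } else { 'Fix the warnings above before starting the AD Agent' }
```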

Configuration Steps

Step 1: Create a new domain user on the AD server and add the user to the Domain Admins group.

On the PC hosting the AD server, select Start > Administrative Tools > Active Directory Users and Computers to open the Active Directory Users and Computers page.


Right-click Users and select New Object > User. Configure the following and click Next.

  • First name: test

  • User logon name: test@scep.pki.com

On the New Object - User page, configure the password as follows and click Next.

  • Password: Hillstone123456

  • Confirm password: Hillstone123456

  • Password never expires: Select the check box

 

Click Finish to finish creating the domain user test.

In the user list, right-click test and select Add to group. Enter the group name and click OK.

  • Enter the object names to select: Domain Admins

Step 2: Add the PCs of the R&D staff to the AD domain (the PC of the R&D manager is used as an example).

Select Control Panel > Network and Internet > Network and Sharing Center and open the properties of the network connection. Double-click Internet Protocol Version 4 (TCP/IPv4) to open the Internet Protocol Version 4 (TCP/IPv4) Properties page, and change the Preferred DNS server to the IP address of the AD domain controller.

  • Preferred DNS server: 10.180.201.8

  • Alternate DNS server: 8.8.8.8


Search for cmd in the Start menu and double-click to open the command prompt (cmd) window, and confirm that the PC can reach the AD domain controller (scep.pki.com).

Select Control Panel > System and Security > System > Computer name, domain, and workgroup settings > Change settings, and add the PC to the AD domain (scep.pki.com). Click OK.

  • Domain: scep.pki.com

In the Windows Security dialog box, enter Domain name\User name and Password. The user name must be a member of the Domain Admins group.

  • Domain name\User name: scep\test

  • Password: Hillstone123456


After the PC has been added to the AD domain (scep.pki.com), restart the computer for the change to take effect.

Step 3: Install and configure the AD Security Agent on the AD server.

  1. Click http://swupdate.hillstonenet.com:1337/sslvpn/download?os=windows-adagent to download the AD Security Agent installation program, and copy it to the AD server.
  2. Double-click ADAgentSetup.exe and follow the installation wizard to install it.
  3. Double-click the AD Agent Configuration Tool shortcut; the AD Agent Configuration Tool dialog box opens.
  4. Click the General tab and configure the following:
    • Agent Port: 6666
    • AD User Name: scep\test
    • Password: Hillstone123456
    • Server Monitor: Select the Enable Security Log Monitor check box, and set the Monitor Frequency to 5 seconds
    • Client Probing: Select the Enable WMI probing check box, and set the Probing Frequency to 20 minutes

Click Commit to commit the above configurations and start the AD Agent service.
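The script below is an added example, not part of the AD Security Agent or this cookbook: run it on the AD server to confirm that the account configured in the agent (scep\test) can do what Server Monitor and Client Probing need, namely read logon events from the Security log and query a terminal PC over WMI/DCOM. It assumes that Server Monitor maps Security log event 4624 (successful logon) to the user name and IP reported to the device, and that 10.180.201.100 is a placeholder address for a domain-joined terminal PC.

```powershell
# Added verification script, not the agent's own code. Assumptions: the agent
# account is scep\test as configured above; the terminal PC address is a
# placeholder; event 4624 is the Windows "successful logon" event.
$cred       = Get-Credential -UserName 'scep\test' -Message 'AD Agent account'
$terminalPc = '10.180.201.100'   # placeholder: a domain-joined terminal PC

# Server Monitor: the agent reads the DC's Security log. Show the last five
# successful logons with the fields that become "user name + IP" on the device.
$logons = Get-WinEvent -ComputerName $env:COMPUTERNAME -Credential $cred `
    -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5 -ErrorAction Stop
$logons | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    # LogonType 3 = network logon (e.g. a domain-joined PC authenticating to the DC)
    [pscustomobject]@{
        Time      = $_.TimeCreated
        User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Ip        = $d.IpAddress
        LogonType = $d.LogonType
    }
} | Format-Table -AutoSize

# Client Probing: the agent asks each PC over WMI/DCOM (TCP 135 plus a dynamic
# port) who is logged on, so a DCOM CIM session with the same credentials must work.
$opt = New-CimSessionOption -Protocol Dcom
try {
    $session = New-CimSession -ComputerName $terminalPc -Credential $cred -SessionOption $opt -ErrorAction Stop
    $cs = Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem
    "WMI probe of $terminalPc OK: logged-on user = $($cs.UserName), domain = $($cs.Domain)"
} catch {
    Write-Warning "WMI probe of $terminalPc failed: $($_.Exception.Message)"
    Write-Warning 'Check the RPC services, the WMI firewall rule and the gateway policy listed under Preparation'
} finally {
    if ($session) { Remove-CimSession $session }
}
```

If the Security log query succeeds but the probe fails, the agent will still learn users from logon events every 5 seconds but cannot refresh a PC's current user every 20 minutes, so a user who logs off may stay mapped to that IP until the next logon.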

Step 4: Configure the AD server parameters in StoneOS.

Select Object > AAA Server, and select Active Directory Server from the New drop-down list.

  • Server Name: ad-polling
  • Server Address: 10.180.201.8
  • Base-dn: dc=scep,dc=pki,dc=com
  • Login-dn: cn=test,cn=users,dc=scep,dc=pki,dc=com
  • sAMAccountName: test
  • Authentication Mode: MD5
  • Password: Hillstone123456
  • Security Agent: Select the check box, and configure the Agent Port as 6666

Click OK to finish AD server configuration.


Step 5: Configure policies  

Configuring a policy to allow the manager of R&D department to access the Internet

Select Policy > Security Policy, and click New.

  • Name: manager
  • Source
    • Zone: trust
    • Address: any
    • User: Select the user name "test" of R&D manager
  • Destination
    • Zone: untrust
    • Address: any
  • Other Information
    • Action: Permit

Configuring a policy to allow the staff of the marketing department to access the Web service based on HTTP or HTTPS

Select Policy > Security Policy, and click New.

  • Name: market
  • Source
    • Zone: trust
    • Address: any
    • User: Select the user group "market" of the marketing department
  • Destination
    • Zone: untrust
    • Address: any
  • Other Information
    • Service: HTTP, HTTPS
    • Action: Permit

Adjusting the priority of policies

  1. Select Policy > Security Policy to enter the Security Policy page.
  2. Select the check boxes of the "manager" and "market" policies, and click Move.
  3. Enter the ID (2) of the second WebAuth policy in the ToID text box, and click After ID.

Step 6: Verify the result

After all the above configurations are complete, only the R&D manager can access the Internet, other staff of the R&D department cannot access the Internet, and the staff of the marketing department can access Web services over HTTP or HTTPS.