In WinRoute, it is possible to directly use user accounts from one or more Active Directory domain(s). This feature is called either transparent support for Active Directory or Active Directory domain(s) mapping. The main benefit of this feature is that the entire administration of all user accounts and groups is maintained in Active Directory only (using standard system tools). In WinRoute, a template can be defined for each domain that will be used to set specific WinRoute parameters for user accounts (access rights, data transfer quotas, content rules — see chapter 15.1 Viewing and definitions of user accounts). If needed, these parameters can also be set individually for any accounts.
Note: A Windows NT domain cannot be mapped in this way. For a Windows NT domain, it is recommended to import the user accounts into the local user database instead (refer to 15.3 Local user database: external authentication and import of accounts).
The following conditions must be met to enable smooth functionality of user authentication through Active Directory domains:
For mapping of one domain:
The WinRoute host must be a member of the corresponding Active Directory domain.
The Active Directory domain controller (server) must be set as the primary DNS server.
For mapping of multiple domains:
The WinRoute host must be a member of one of the mapped domains.
It is necessary that this domain trusts any other domains mapped in WinRoute (for details, see the documentation regarding the operating system on the corresponding domain server).
For DNS configuration, the same rule applies as for mapping of a single domain: the primary DNS server of the WinRoute host must be a domain controller of the domain to which the WinRoute host belongs.
To set Active Directory domain mapping, go to:
in the Administration Console, section Users and groups → Users, the Active Directory tab;
in the Web Administration interface, section Users and Groups → Domains and authentication, the Active Directory tab.
If no domain mapping has been defined yet or only one domain is defined, the Active Directory tab already includes predefined parameters customized for the domain mapping.
In the top part of the Active Directory tab, it is possible to enable/disable mapping of user accounts from the Active Directory domain to WinRoute.
The Active Directory domain name entry requires the full DNS name of the mapped domain (e.g. company.com; the short name company would not be sufficient). For easier reference, it is also recommended to provide a short description of the domain (especially if more domains are mapped).
In the Domain Access section, specify the login user name and password of an account with read rights to the Active Directory database (any user account within the domain can be used, unless it is blocked; no administrative privileges are needed for reading).
Use the corresponding button to set parameters for communication with domain servers. WinRoute can either search for a domain server and connect automatically to the first one available, or connect to one specified server. Automatic connection to the first available server increases reliability of the connection and eliminates problems when a domain controller fails. The other option (specifying a controller) is recommended only for domains with a single server (it speeds the process up).
Encrypted connection: to increase the security of communication with the domain server, an encrypted connection can be used so that the traffic (including the credentials of the account used for domain access) cannot be eavesdropped. In such a case, encrypted connections must also be enabled on the domain server. For details, refer to the documentation of the corresponding operating system.
For the Active Directory domain, NTLM is also available as an authentication method. This option is required if you intend to use automatic authentication in web browsers (see chapter 25.3 Automatic user authentication using NTLM).
For NTLM authentication, the name of the NT domain corresponding to the domain specified in the Active Directory domain entry is required.
For mapping of multiple Active Directory domains, click the corresponding button to switch the Active Directory tab to the mode in which mapped domains are listed.
One domain is always set as primary. All user accounts where the domain is not specified (e.g. jsmith) are searched in this domain. Users of other domains must log in with a username that includes the domain (e.g. drdolittle@usoffice.company.com).
Use the corresponding button to define a new domain. This dialog includes the same parameters as the Active Directory tab used for administration of a single domain (see above).
Note: By default, the domain defined first is set as primary. You can use the corresponding button to set the selected domain as primary. Membership of the WinRoute host in the primary domain is not necessarily required (see Domain mapping requirements). Settings of the primary domain only define which users will be allowed to log in to WinRoute (i.e. to the web interface, to the SSL-VPN interface, to WinRoute administration, etc.) using a username without the domain.
During Active Directory domain mapping, collision with the local user database may occur if a user account with an identical name exists both in the domain and in the local database. If multiple domains are mapped, a collision may occur only between the local database and the primary domain (accounts from other domains must include domain names which make the name unique).
If a collision occurs, a warning is displayed at the bottom of the User Accounts tab. Click on the link in the warning to convert selected user accounts (to replace local accounts by corresponding Active Directory accounts).
The following operations will be performed automatically within each conversion:
substitution of any appearance of the local account in the WinRoute configuration (in traffic rules, URL rules, FTP rules, etc.) by a corresponding account from the Active Directory domain,
removal of the account from the local user database.
Accounts not selected for the conversion are kept in the local database (the collision is still reported). Colliding accounts can still be used; they are treated as two independent accounts. However, under these circumstances the Active Directory account must always be specified including the domain (even though it belongs to the primary domain), because a username without the domain then refers to the account in the local database. Wherever possible, it is recommended to remove all collisions by the conversion.
Note: In case of user groups, collisions do not occur as local groups are always independent from the Active Directory (even if the name of the local group is identical with the name of the group in the particular domain).
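The login-name rules described above (a bare username is searched in the local database and then in the primary domain only, a name with a domain part always refers to that mapped domain, and conversion rewrites configuration references before removing the local account) can be modelled in a few lines. The following Python is an added example written for this page and is not WinRoute code; the domain names, user names, the rule names and the UserDirectory structure are constructed for illustration and are assumptions, not WinRoute's internal data model.

```python
# Added example (not WinRoute code): models the login-name resolution and
# collision-conversion rules described in the text. All names are constructed.
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class UserDirectory:
    """Minimal model of WinRoute's user sources: local database plus mapped AD domains."""
    primary_domain: str                  # domain searched for names without '@'
    domain_users: dict[str, set[str]]    # mapped domain -> user names in that domain
    local_users: set[str]                # local user database
    # Hypothetical configuration references to accounts (rule name -> principal string)
    rules: dict[str, str] = field(default_factory=dict)


Principal = Tuple[str, Optional[str], str]   # (source, domain or None, username)


def resolve_login(directory: UserDirectory, login: str) -> Optional[Principal]:
    """Map a login name to ('local'|'ad', domain, user), or None if no such account.

    A name with a domain part is always an AD account of that mapped domain.
    A bare name is a local account if one exists (a collision is resolved in
    favour of the local database); otherwise it is searched in the primary
    domain only, never in the other mapped domains.
    """
    if "@" in login:
        user, domain = login.rsplit("@", 1)
        domain = domain.lower()
        if user in directory.domain_users.get(domain, set()):
            return ("ad", domain, user)
        return None
    if login in directory.local_users:
        return ("local", None, login)
    if login in directory.domain_users.get(directory.primary_domain, set()):
        return ("ad", directory.primary_domain, login)
    return None


def find_collisions(directory: UserDirectory) -> list[str]:
    """Names present both locally and in the primary domain; other domains cannot collide."""
    primary = directory.domain_users.get(directory.primary_domain, set())
    return sorted(directory.local_users & primary)


def convert_to_domain_account(directory: UserDirectory, user: str) -> bool:
    """Perform the conversion described in the text: rewrite every configuration
    reference to the local account into the primary-domain account, then remove
    the local account. Returns False if the name is not a colliding account."""
    if user not in find_collisions(directory):
        return False
    ad_name = f"{user}@{directory.primary_domain}"
    for rule, principal in directory.rules.items():
        if principal == user:
            directory.rules[rule] = ad_name
    directory.local_users.discard(user)
    return True


def build_sample_directory() -> UserDirectory:
    """Constructed sample: two mapped domains and a local database with one collision."""
    return UserDirectory(
        primary_domain="company.com",
        domain_users={
            "company.com": {"jsmith", "jdoe"},
            "usoffice.company.com": {"drdolittle"},
        },
        local_users={"jsmith", "admin"},
        rules={"allow-ftp": "jsmith", "deny-social": "jdoe@company.com"},
    )


if __name__ == "__main__":
    d = build_sample_directory()
    print("collisions:", find_collisions(d))
    for name in ("jdoe", "jsmith", "jsmith@company.com",
                 "drdolittle", "drdolittle@usoffice.company.com"):
        print(f"{name!r:38} -> {resolve_login(d, name)}")
    convert_to_domain_account(d, "jsmith")
    print("after conversion:", find_collisions(d), d.rules)
```

Running the sample shows the point of the collision warning: until jsmith is converted, a bare "jsmith" login lands on the local account and the domain user can only be reached as jsmith@company.com, while "drdolittle" without a domain is never found because the US office domain is not primary.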