Introduction
For this setup Administrator privileges are required
Welcome and Thank you for showing interest in our AirID VIRTUAL product.
in this article we guide you, the admin, through the setup process for your AirID VIRTUAL instance,
meaning in the following steps we will be going through every single step of your AirID VIRTUAL setup.
We will start with checking for the necessary certificates to be present and make sure that your firewall and user
permissions are set up. Also we will provide you with some tips and hints on each step to make this as easy as possible for you.
So without further ado lets start.
During this guide we are going to reference the AirID VIRTUAL Domain Controller Server Diagnostics Tool, make sure you download it before starting with the setup.
This tool doesn't require an Installation but helps with deploying the certificates on your domain controller, but more on that later on.
Hint
Download the AirID VIRTUAL Domain Controller Server Diagnostics Tool here
Create Required Certificates for Secure Organizational Setup
To securely connect AirID VIRTUAL to your Domain Controller we first need a list of certificates for specific purposes, them beeing:
- your domain controller certificate - will be needed for the smarcard logon capabilities of Windows 10
- your LDAPS certificate - which is needed for a secure and encrypted connection to your domain controller
- our Issueing certificate - which you will need to trust the certificates provided by AirID VIRTUAL
In case you already have an Domain Controller certificate or an LDAPS certificate in place you can skip those but we would advise you to go through the whole article.
Creating the Domain Controller certificate is the first step towards your AirID Virtual installation,
it is needed to enable your Windows Domain Controller to support the smartcard logon capabilities of Windows 10.
First you should check if your Domain Controller already has a Domain Controller certificate Installed.
You can do this by simply running our AirID VIRTUAL Domain Controller Server Diagnostics Tool on your Domain Controller.
If the Domain Controller shows a red "X" on the Domain Controller certificate tab there is no such certificate
Now onto creating your domain controller certificate
In case you skipped the step, the AirID VIRTUAL Domain Controller Server Diagnostics Tool can be found here.
So if you don't already have a domain controller certificate you can simply create one during the setup by clicking this "Create Domain Controller Certificate" button presented to you on your setup page.
As a next step fill out the presented form on screen as follows
FQDN | Fully Qualified Domain Name of your server - in case you don't know this simply type the command
in your cmd or powershell terminal |
---|---|
Password | Set a password for this certificate, this is needed for the import on your domain controller later on |
After clicking the create button the certificate will be downloaded via browser to your PC and imported on your Domain Controller using the Domain Controller Server Diagnostics Tool in the next section.
b) Create LDAPS certificate using "Server Diagnostics Tool"
Now lets head on to the LDAPS certificate.
Enableing LDAPS not only secures the connection to your LDAP over SSL it is also recommended by Microsoft and is required in future updates of your Windows Operating System.
Like with the Domain Controller certificate before, you can also check if a LDAPS certificate is present on your Domain Controllers system by checking the Domain Controller Server Diagnostics Tool on your Domain Controller.
If it shows up with a little green checkbox you can click "Export Certificate" and skip to the Export LDAPS Certificate part.
If the red X appears continue by clicking the Generate "New Certificate" Button
To create your self-signed LDAPS certificate, simply click the button "Generate New certificate" and fill out the form presented to you on screen and explained in the next section.
.
C - 2 characters ISO country code | This field is required and requires a 2 character country code, for example "DE", "US", "GB" or "CZ" |
---|---|
ST - state | This field is optional and references the state or province you're located for example "Hessen" or "North Rhine Westphalia". We suggest leaving this field blank. |
L - location | this field is optional Location would mean the exact location e.g. "Berlin" or "London" and is also not required, therefore we also suggest leaving this field blank |
O - Company Name | This field is required and requires the organization e.g. company name. |
OU - Organizational Unit | This field is optional |
CN - common name | This field is required and references the exact dns name of the domain controller you're installing the ldaps certificate on. |
DNS2 - subject alternative name | This field is optional and can hold a secondary dns name, for example it can be an external dns entry for your LDAPS connection. |
IP - IPv4 Adress of the Server | This field is required and we need the external IP address of where the AirID VIRTUAL service will connect to your external LDAPS connection leading to your Domain Controller. For more information forward to the section <add marker> "Prepare the Firewall". |
After clicking "OK" on the form you already enabled ldaps on your domain controller.
don't worry normal LDAP ports will still continue to work until manually disabled on your Domain Controller.
you now need to export the public part of the certificate by clicking "export certificate" which will download it on your Domain Controller first.
You should then proceed and copy it onto your PC as we need them in the next step "2 Configuring Active Directory"
In this step you download the AirID VIRTUAL issuing certificate.
This is required for the trust relationship between your Active Directory and the AirID VIRTUAL authentication service and will also be imported on your Domain Controller using the Domain Controller Server Diagnostics Tool.
Import Certificates on your Domain Controller using the Server Diagnostics Tool
Now that we have all certificates
- your domain controller certificate
- your LDAPS certificate
- our Issueing certificate
you need to upload your certificates onto your Domain Controller using the Domain Controller Server Diagnostics Tool.
For the Domain Controller certificate click the "import" button on the "Domain Controller certificate" section and select the Domain Controller Certificate we previously created.
A prompt for the password will appear, where you enter the password you set for this certificate earlier.
After the import was successful your Tool should look like this
As for the Issuing certificate, simply repeat the import process and select the Issuing certificates you previously downloaded. In this step no password is required.
Prepare a Read-Only user in Active Directory
For this simply create a dedicated AD service-user for the AirID VIRTUAL Service in your domain forest.
The username can be freely choosen and can be changed in the AirID VIRTUAL Admin Settings anytime
once the initial setup is done.
Prepare AD Groups for Users and Admins
Along with the read-only user we just created, we need 2 AD groups to differentiate between Admins and Users inside the AirID VIRTUAL Portal.
The Groupnames for these are "AVS-Admin" and "AVS-User" and are case sensitive.
Attention: These names are case sensitive
- AVS-Admin
- AVS-User
Prepare The Firewall
So to be able to safetly and securely connect AirID VIRTUAL to your Domain Controller, we need to prepare a so called Network Adress Translation or a Port Forward (depending on the ports you're going to use).
In the described scenario below we are using a Port Forward.
This happens in 3 relatively easy steps.
- we need to know where the traffic will come from e.g. our IP's
- we need to know where the traffic will go to e.g. your IP's
- we need to know which port to connect to e.g. your external LDAPS port
13.69.68.64 52.157.195.82 52.236.181.25 104.40.185.11 40.118.13.254 40.68.240.155 52.142.214.122 52.166.232.66 40.115.43.232 23.97.169.51
As for the IP adresses of AirID Virtual, e.g. where the communication will come from
here is a simple list of IP adresses
Source Adress: "Our IP List"
Source Port: "Any"
Destination Adress "Your Public IP"
Destination Port "Your Definied Public LDAPS Port"
Redirect Adress "your internal Domain Controller Adress"
Redirect Port "you internal LDAPS Port usually 636"
Source Adress | this references the adress or adresses the firewall expects the traffic to originate from |
---|---|
Source Port | basicly the same as with the source adress this is the source port the firewall expects the traffic to originate from |
Destination Adress | this adress is defined by you and/or your IT as you configure the interface where we will connect to in step 2 "Configuring Active Directory" |
Destination Port | this port is also defined by you and/or your IT and can be freely choosen, we also strongly suggest not going for LDAPS std. port ranges here, meaning a port number >5000 |
Redirect Adress | The adress the firewall redirects the matching traffic to e.g. your domain controller |
Redirect Port | The port the firewall redirect the traffic to e.g. your internal LDAPS port (usually 636) |