Active Directory integration over cloud with v4.2.5 of NxFilter and NxCloud.


Jahastech

Apr 20, 2018, 7:30:23 PM
to NxFilter
Active Directory integration over cloud is now possible. We use NxRelay for this. For NxFilter, it's a full scale Active Directory implementation. For NxCloud, it's still a partial implementation. However, even with NxCloud, your operators will be able to see the Active Directory username on their GUI log-view and they can apply a specific policy based on the Active Directory username.

To find out more read the tutorial part on the following link,
  http://www.nxfilter.org/tutorial.html#ad-integration-nxrelay

Jose Antonio Saavedra Añez

Apr 22, 2018, 8:35:49 PM
to NxFilter
I do not know where I should place the IP of my server nxcloud. ??

In logging signal, I see the communication between nxrelay and the operator console ...

My question is the following:

Configure the operator token in nxrelay.
Now as I must do for other users. from the local network ...

The tutorial is not clear ..

Help me please.

Jose Antonio Saavedra Añez

Apr 22, 2018, 8:43:16 PM
to NxFilter
On DHCP Server what's setup DNS Primary and Secondary...???

Jahastech

Apr 22, 2018, 8:46:18 PM
to NxFilter
Your NxCloud is a policy server for NxRelay. So set your NxRelay's server_ip to be your NxCloud IP.

And NxRelay is a relaying DNS server for your local network. For your users, NxRelay is the DNS server for them.

Jose Antonio Saavedra Añez

Apr 22, 2018, 8:51:06 PM
to NxFilter
Error !!


Jahastech

Apr 22, 2018, 8:52:18 PM
to NxFilter
Use NxRelay as your only DNS server. It's a relaying DNS server.

Jahastech

Apr 22, 2018, 8:56:32 PM
to NxFilter
I guess you installed it on a domain controller. Did you add one more IP and set it to listen on only one IP? Otherwise you get a port collision problem.

This is for NxFilter but it's also effective for NxRelay.
  https://www.youtube.com/watch?v=v2iIuhcTpsU

And use the latest version of NxCloud and NxRelay.

Jahastech

Apr 22, 2018, 8:57:49 PM
to NxFilter
If it is a port collision read this first.
  http://www.nxfilter.org/doc/faq.html#bind-ip

And check your log file first.

Jose Antonio Saavedra Añez

Apr 22, 2018, 9:02:06 PM
to NxFilter
So, my dhcp config : IP, netmask, gateway DNS1: nxrelay.(X.X.X.55)

IP MS AD: 1st: X.X.X.50
                  2nd: X.X.X.55  (Created for NXRELAY).
DNS1: X.X.X.55

CONFIG nxrelay:
server: nxcloud ip.
login token: token operator.
localdns: X.X.X.50
domain: xxxx.local
listen ip: X.X.X.55

This configuration correct?


Jahastech

Apr 22, 2018, 9:06:16 PM
to NxFilter
It seems OK. Test it and if you have a problem enable debugging on both NxRelay and NxCloud and show me your log files.

Jose Antonio Saavedra Añez

Apr 22, 2018, 9:10:38 PM
to NxFilter

Ok, now last error! install nxrelay as services...

Jahastech

Apr 22, 2018, 9:12:33 PM
to NxFilter
So what did it say in your log file? /nxrelay/log/nxrelay.log.

Jose Antonio Saavedra Añez

Apr 22, 2018, 9:16:22 PM
to NxFilter
I send the log nxrelay
nxrelay.log

Jahastech

Apr 22, 2018, 9:19:35 PM
to NxFilter
ERROR [04-22 20:18:17] - USr, java.net.BindException: Address already in use: Cannot bind
 INFO [04-22 20:18:17] - USr, Couldn't bind UDP/53. You might want to check your permission!

Try to run it on CMD and see if you still have that port collision. And read the tutorial or watch the tutorial video and probably set your MS DNS to listen on just one IP.

Jahastech

Apr 22, 2018, 9:22:14 PM
to NxFilter
Judging by these logs,
 
 INFO [04-22 21:19:13] - EventMon.readEvent, evtId = 4624, uname = ANONYMOUS LOGON, ip = 180.180.1.13, evt = S-1-0-0,-,-,0x0,S-1-5-7,ANONYMOUS LOGON,NT AUTHORITY,0x14b9f7,3,NtLmSsp ,NTLM,SRVBIOMETRIC,{00000000-0000-0000-0000-000000000000},-,NTLM V1,128,0x0,-,180.180.1.13,2708.
 INFO [04-22 21:19:13] - EventMon.readEvent, 180.180.1.13 - ANONYMOUS LOGON, added into IP session dictionary.
 INFO [04-22 21:19:28] - DnsStats.flush, udpCnt = 5, aclDropCnt = 0, queryCnt = 5, customCnt = 0, authRediCnt = 0, authDropCnt = 0
 INFO [04-22 21:19:28] - NPr, Sending PING.

It may work fine. What do you see on your NxCloud log-view then?
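
An added example, not part of the original thread and not NxRelay's own code: a parser for the `EventMon.readEvent` lines quoted above that lists the username each IP was mapped to and flags mappings worth a second look when policy is applied by AD username, here the ANONYMOUS LOGON entry and its NTLM V1 logon. The field positions inside `evt` are assumed to follow the standard Windows 4624 event data order, and the flag rules and the `jsmith` line are this example's own.

```python
import re

# First two lines are copied from the thread; the third is constructed for
# contrast (hypothetical user "jsmith", domain "EXAMPLE", Kerberos logon).
SAMPLE_LOG = """\
INFO [04-22 21:19:13] - EventMon.readEvent, evtId = 4624, uname = ANONYMOUS LOGON, ip = 180.180.1.13, evt = S-1-0-0,-,-,0x0,S-1-5-7,ANONYMOUS LOGON,NT AUTHORITY,0x14b9f7,3,NtLmSsp ,NTLM,SRVBIOMETRIC,{00000000-0000-0000-0000-000000000000},-,NTLM V1,128,0x0,-,180.180.1.13,2708.
INFO [04-22 21:19:13] - EventMon.readEvent, 180.180.1.13 - ANONYMOUS LOGON, added into IP session dictionary.
INFO [04-22 21:20:02] - EventMon.readEvent, evtId = 4624, uname = jsmith, ip = 10.0.0.21, evt = S-1-0-0,-,-,0x0,S-1-5-21-1111111111-2222222222-3333333333-1104,jsmith,EXAMPLE,0x15c2a1,3,Kerberos,Kerberos,-,{11111111-2222-3333-4444-555555555555},-,-,0,0x0,-,10.0.0.21,49822.
"""

LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] - EventMon\.readEvent, evtId = (?P<evt_id>\d+), "
    r"uname = (?P<uname>.*?), ip = (?P<ip>[^,\s]+), evt = (?P<evt>.*)$"
)

# Assumed positions of 4624 event data inside "evt" (standard Windows order).
SID, WORKSTATION, LM_PACKAGE = 4, 11, 14
NON_USER_SIDS = {"S-1-5-7": "anonymous logon", "S-1-5-18": "local system"}

def parse_events(log_text):
    """Return one dict per EventMon.readEvent logon line, with review flags."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # "added into IP session dictionary" and other lines
        fields = [f.strip() for f in m["evt"].rstrip(".").split(",")]
        if len(fields) < 20:
            continue  # not the layout this example assumes
        flags = []
        if fields[SID] in NON_USER_SIDS:
            flags.append(NON_USER_SIDS[fields[SID]])
        if m["uname"].endswith("$"):
            flags.append("machine account")
        if fields[LM_PACKAGE].upper() == "NTLM V1":
            flags.append("NTLMv1")
        events.append({"time": m["ts"], "ip": m["ip"], "uname": m["uname"],
                       "workstation": fields[WORKSTATION], "flags": flags})
    return events

def sessions_to_review(log_text):
    """IP -> (username, flags) for mappings that are not a plain user logon."""
    return {e["ip"]: (e["uname"], e["flags"])
            for e in parse_events(log_text) if e["flags"]}

if __name__ == "__main__":
    for ip, (uname, flags) in sessions_to_review(SAMPLE_LOG).items():
        print(f"{ip}: mapped to {uname!r} ({', '.join(flags)})")
```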

Jose Antonio Saavedra Añez

Apr 22, 2018, 9:28:03 PM
to NxFilter
It's fine ..!!

Today only logs, user administrator connect for me... on AD.
Tomorrow login the users... how view request their.??
lognxcloudrequest.png

Jose Antonio Saavedra Añez

Apr 22, 2018, 9:30:12 PM
to NxFilter
This error it's because, set up firewall forwarding port udp 53. NXCLOUD----> NXRELAY Now config and connect fine.

Jahastech

Apr 22, 2018, 9:32:03 PM
to NxFilter
What do you mean by 'Tomorrow login the users... how view request their'? I don't understand what you are saying.

Jahastech

Apr 22, 2018, 9:33:52 PM
to NxFilter
Before you ask, read our tutorial thoroughly. Active Directory implementation with NxCloud is still partial. It's not full scale. If you want a full scale solution, go with NxFilter combined with NxRelay. You can import users and groups with them.

Jose Antonio Saavedra Añez

Apr 22, 2018, 9:36:42 PM
to NxFilter
Ok, now I'm configuring nxcloud and nxrelay. But in the company there is no user connected or who has logged in. That's why the request I see in the log, are only those that I have made with the administrator session from the MS AD.

Tomorrow at the start of the working day all users will come to work and will log in. In that scenario how will the logs request ???

Could I differentiate each user ?? as indicated in the manual
operator @ user .. ??

Jahastech

Apr 22, 2018, 9:38:56 PM
to NxFilter
You will see your username in this form,

  tokenname _adusername

And if you create a user having the same name from your Active Directory on NxCloud GUI then you can assign a different policy on the user.

Jose Antonio Saavedra Añez

Apr 22, 2018, 9:43:19 PM
to NxFilter
I must create the same AD user in GUI Nxcloud of the operator.

I understand that with the Nxcloud GUI, I control my global clients ...??

And in the GUI of nxcloud / operator I control the users for each client ..??

Jahastech

Apr 22, 2018, 9:46:07 PM
to NxFilter
When you login to NxCloud as an admin, you control operators. And when you login as an operator, you control user level policies.

Jose Antonio Saavedra Añez

Apr 22, 2018, 9:55:56 PM
to NxFilter
So, where do I create the users? GUI Operator or GUI Admin ???
I don't understand

Jose Antonio Saavedra Añez

Apr 22, 2018, 10:06:57 PM
to NxFilter
My idea is to sell the webfiltering service to my clients. and give them a console where they can manage their profiles or policies for each user.

But I control every client from nxcloud.

....................................?

Jahastech

Apr 22, 2018, 10:07:03 PM
to NxFilter
If you don't understand that maybe NxCloud is not for you. Why did you use it if you are not a service provider? On NxCloud AD integration is for operators. They install NxRelay for their local network. So they create users on their operator GUI.

If you don't think about this, and you are not a service provider you have no reason for using NxCloud. NxFilter is better for you.

Jahastech

Apr 22, 2018, 10:23:10 PM
to NxFilter
Create it on operator GUI. AD integration is for each operator. So you need to do it on operator GUI.

Jose Antonio Saavedra Añez

Apr 22, 2018, 10:37:49 PM
to NxFilter
Thank you for your help!

I'm a service provider ;).

Tomorrow I do verify users logon request...!

Good night. My friend.

Jahastech

May 14, 2018, 7:02:22 PM
to NxFilter
A bug was found with NxCloud v4.2.5 and it's patched. The bug is about the operator request count not being reset at midnight and you get a 'Too many requests' error on operator level as a result.