Adconf
From Wiki of WFilter NG Firewall
(Difference between revisions)
(→对域账号配置上网策略) |
|||
| (15 intermediate revisions by one user not shown) | |||
| Line 1: | Line 1: | ||
| − | {{DISPLAYTITLE:AD | + | {{DISPLAYTITLE:AD Integration}} |
| − | == | + | == AD Integration == |
| − | + | "AD Integration" enables you to integrate WFilter NG Firewall with microsoft active directory, so you can: | |
| − | + | * Detect AD username of online devices. | |
| − | + | * Set internet access and bandwidth shaper policies based on AD users. | |
| − | + | * Record AD users internet activity. | |
| − | + | For example: | |
| − | + | * The real-time bandwidth will show AD username: | |
| − | [[File:Faq_en_adconf003.png]] | + | [[File:ros_adconf_001.png|650px]] |
| + | * Choose applied-to users(AD OU & users): | ||
| + | [[File:Faq_en_adconf003.png|600px]] | ||
| − | == | + | == Settings == |
| − | + | ||
| − | + | ||
| − | + | ||
| − | ==FAQ== | + | * Domain Controller: Domain Controller ip address(es)(comma-separated). |
| + | * Port: port of your DC, 389 in default. | ||
| + | * Domain Admin: domain admin user(The admin user shall belong to the "Domain Admins" group.) | ||
| + | * Domain Name: domain dns name. | ||
| + | * Domain Name(pre Win2000): domain netbios name. | ||
| + | * DC Location: where is your DC located? | ||
| + | * Script Key: communication key for the adclient logon/logoff script. | ||
| + | * Advanced Settings: | ||
| + | ** Interval of polling domain controller, 10 seconds in default. | ||
| + | ** User entry timeout, user will expire upon timeout. | ||
| + | ** Sync domain users, automatically retrieve users from domain controller. | ||
| + | ** "Below OU Only": only listed OU members will be retrieved, blank retrieves all. | ||
| + | |||
| + | [[File:Faq_en_adconf001.png|900px]] | ||
| + | |||
| + | * Notice: | ||
| + | ** WFilter NG Firewall uses different machanism to retrieve logon domain users when the DC is in external or internal network. | ||
| + | ** When "automatically sync domain users" is enabled, new or deleted domain users will be synced to WFilter. | ||
| + | ** WFilter detects a domain user when it login into the active directory. So you might need to wait sometime to see logon users. | ||
| + | ** The default user entry timeout is 30 hours. If no re-logon happens in 30 hours after last time logon, this username will be timeout. | ||
| + | ** Some programs in the client device will automaticaly logon into the domain with a different AD user. In this case, you can add this user into the "Exception List". | ||
| + | |||
| + | == Logon/Logoff Script == | ||
| + | AD does not record logon ip address for users. So WFilter get AD users for clients in three ways: | ||
| + | * Polling DC every 10 seconds when DC is in LAN network. | ||
| + | * Monitoring logon packets to get usernames when DC is in WAN network. | ||
| + | * Setup Logon/Logoff script in DC's group policy to get client usernames. | ||
| + | Logon/Logoff script is most accurate, while polling DC can not detect logoff action of clients. So you're recommended to enable both. | ||
| + | |||
| + | === Setup Logon/Logoff Script === | ||
| + | |||
| + | * [[Media:adclient.zip|Download adclient.exe]], uncompress and copy adclient.exe to Script/Logon and Script/Logoff directories in your domain controller. | ||
| + | |||
| + | [[File:adclient01_00.png|600px]] | ||
| + | |||
| + | [[File:adclient01_01.png|600px]] | ||
| + | |||
| + | * Add adclient.exe to domain's logon script: | ||
| + | |||
| + | [[File:adclient01.png|600px]] | ||
| + | |||
| + | [[File:adclient02.png|600px]] | ||
| + | |||
| + | Parameters: type(login/logout), WFilter server IP, script key. | ||
| + | |||
| + | * Add adclient.exe to domain's logoff script: | ||
| + | |||
| + | [[File:adclient03.png|600px]] | ||
| + | |||
| + | == FAQ == | ||
Latest revision as of 15:28, 1 November 2023
Contents |
[edit] 1 AD Integration
"AD Integration" enables you to integrate WFilter NG Firewall with microsoft active directory, so you can:
- Detect AD username of online devices.
- Set internet access and bandwidth shaper policies based on AD users.
- Record AD users internet activity.
For example:
- The real-time bandwidth will show AD username:
- Choose applied-to users(AD OU & users):
[edit] 2 Settings
- Domain Controller: Domain Controller ip address(es)(comma-separated).
- Port: port of your DC, 389 in default.
- Domain Admin: domain admin user(The admin user shall belong to the "Domain Admins" group.)
- Domain Name: domain dns name.
- Domain Name(pre Win2000): domain netbios name.
- DC Location: where is your DC located?
- Script Key: communication key for the adclient logon/logoff script.
- Advanced Settings:
- Interval of polling domain controller, 10 seconds in default.
- User entry timeout, user will expire upon timeout.
- Sync domain users, automatically retrieve users from domain controller.
- "Below OU Only": only listed OU members will be retrieved, blank retrieves all.
- Notice:
- WFilter NG Firewall uses different machanism to retrieve logon domain users when the DC is in external or internal network.
- When "automatically sync domain users" is enabled, new or deleted domain users will be synced to WFilter.
- WFilter detects a domain user when it login into the active directory. So you might need to wait sometime to see logon users.
- The default user entry timeout is 30 hours. If no re-logon happens in 30 hours after last time logon, this username will be timeout.
- Some programs in the client device will automaticaly logon into the domain with a different AD user. In this case, you can add this user into the "Exception List".
[edit] 3 Logon/Logoff Script
AD does not record logon ip address for users. So WFilter get AD users for clients in three ways:
- Polling DC every 10 seconds when DC is in LAN network.
- Monitoring logon packets to get usernames when DC is in WAN network.
- Setup Logon/Logoff script in DC's group policy to get client usernames.
Logon/Logoff script is most accurate, while polling DC can not detect logoff action of clients. So you're recommended to enable both.
[edit] 3.1 Setup Logon/Logoff Script
- Download adclient.exe, uncompress and copy adclient.exe to Script/Logon and Script/Logoff directories in your domain controller.
- Add adclient.exe to domain's logon script:
Parameters: type(login/logout), WFilter server IP, script key.
- Add adclient.exe to domain's logoff script:
