Adconf

From Wiki of WFilter NG Firewall

Latest revision as of 15:28, 1 November 2023

1 AD Integration

"AD Integration" lets you integrate WFilter NG Firewall with Microsoft Active Directory, so you can:

  • Detect the AD username of online devices.
  • Set internet access and bandwidth shaper policies based on AD users.
  • Record AD users' internet activity.

For example:

  • The real-time bandwidth will show AD username:

Ros adconf 001.png

  • Choose applied-to users (AD OUs and users):

Faq en adconf003.png

2 Settings

  • Domain Controller: domain controller IP address(es), comma-separated.
  • Port: LDAP port of your DC, 389 by default.
  • Domain Admin: domain admin user (the account must belong to the "Domain Admins" group).
  • Domain Name: the domain's DNS name.
  • Domain Name (pre-Windows 2000): the domain's NetBIOS name.
  • DC Location: whether your DC is in the internal (LAN) or external (WAN) network; this selects how logon users are retrieved (see Notice below).
  • Script Key: shared communication key for the adclient logon/logoff script.
  • Advanced Settings:
    • Interval of polling the domain controller, 10 seconds by default.
    • User entry timeout: a user entry expires when the timeout elapses.
    • Sync domain users: automatically retrieve users from the domain controller.
    • "Below OU Only": only members of the listed OUs are retrieved; blank retrieves all.

Faq en adconf001.png

  • Notice:
    • WFilter NG Firewall uses different mechanisms to retrieve logged-on domain users depending on whether the DC is in the internal or the external network.
    • When "automatically sync domain users" is enabled, new or deleted domain users are synced to WFilter.
    • WFilter detects a domain user when it logs on to Active Directory, so you might need to wait some time before logged-on users appear.
    • The default user entry timeout is 30 hours. If no re-logon happens within 30 hours of the last logon, the username entry times out.
    • Some programs on the client device automatically log on to the domain with a different AD user. In this case, add that user to the "Exception List" so it does not replace the interactive user.

3 Logon/Logoff Script

AD does not record the logon IP address of users, so WFilter maps clients to AD users in three ways:

  • Polling the DC every 10 seconds when the DC is on the LAN.
  • Monitoring logon packets to extract usernames when the DC is on the WAN.
  • Setting up a logon/logoff script in the DC's group policy to report client usernames.

The logon/logoff script is the most accurate, while polling the DC cannot detect client logoff, so you are recommended to enable both.

3.1 Setup Logon/Logoff Script

  • Download adclient.exe, uncompress it, and copy adclient.exe to the Script/Logon and Script/Logoff directories on your domain controller.

Adclient01 00.png

Adclient01 01.png

  • Add adclient.exe to domain's logon script:

Adclient01.png

Adclient02.png

Parameters (in this order): type (login/logout), WFilter server IP, script key.

  • Add adclient.exe to domain's logoff script:

Adclient03.png
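The following is an added illustration, not WFilter's own code, of the user-tracking behaviour described in the Settings notice and in this section: an IP-to-AD-user table fed by script logon/logout events that carry the script key, by DC-polling observations (which can add or refresh a user but never report logoff), with the 30-hour user entry timeout and the "Exception List" for accounts that programs use to log on in the background. The message format "type|user|ip|key", the class and function names, and the sample addresses and key are assumptions constructed for the example; the real adclient wire protocol is not documented on this page.

```python
"""Model of WFilter-style AD user tracking (added example, not WFilter's code).

Assumed message format from the logon/logoff script: "type|user|ip|key".
The script key is the shared secret configured under Settings > Script Key.
"""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

USER_ENTRY_TIMEOUT = timedelta(hours=30)  # page default


@dataclass
class Entry:
    user: str
    last_logon: datetime


class UserTable:
    """IP -> AD user mapping with the semantics described on the page."""

    def __init__(self, script_key, exception_list=(), timeout=USER_ENTRY_TIMEOUT):
        self._key = script_key
        self._exceptions = {u.lower() for u in exception_list}
        self._timeout = timeout
        self._by_ip = {}

    def handle_script_event(self, msg, now):
        """Process one logon/logoff script message; returns True if accepted."""
        parts = msg.split("|")
        if len(parts) != 4:
            return False
        kind, user, ip, key = parts
        # Constant-time comparison so a wrong key cannot be probed by timing.
        if not hmac.compare_digest(key, self._key):
            return False
        if kind == "login":
            return self._logon(ip, user, now)
        if kind == "logout":
            # Only the script reports logoff; polling cannot see it.
            self._by_ip.pop(ip, None)
            return True
        return False

    def handle_poll(self, ip, user, now):
        """A DC-polling observation: adds or refreshes, never removes."""
        return self._logon(ip, user, now)

    def _logon(self, ip, user, now):
        if user.lower() in self._exceptions:
            # Background service account from the Exception List: keep the
            # interactive user already mapped to this IP.
            return False
        self._by_ip[ip] = Entry(user, now)
        return True

    def user_for(self, ip, now):
        """Current AD user for an IP, expiring entries older than the timeout."""
        entry = self._by_ip.get(ip)
        if entry is None:
            return None
        if now - entry.last_logon > self._timeout:
            del self._by_ip[ip]
            return None
        return entry.user


def demo():
    """Walk through the scenarios the page describes; returns observed users."""
    table = UserTable("s3cret-script-key", exception_list=["svc_backup"])  # constructed
    t0 = datetime(2023, 11, 1, 9, 0)
    seen = []
    table.handle_script_event("login|alice|10.0.0.5|s3cret-script-key", t0)
    seen.append(table.user_for("10.0.0.5", t0))  # alice
    table.handle_script_event("login|mallory|10.0.0.5|bad-key", t0)
    seen.append(table.user_for("10.0.0.5", t0))  # still alice: wrong key rejected
    t1 = t0 + timedelta(minutes=1)
    table.handle_poll("10.0.0.5", "svc_backup", t1)
    seen.append(table.user_for("10.0.0.5", t1))  # still alice: exception list
    table.handle_poll("10.0.0.6", "bob", t0)
    seen.append(table.user_for("10.0.0.6", t0 + timedelta(hours=31)))  # None: timed out
    t2 = t0 + timedelta(hours=1)
    table.handle_script_event("logout|alice|10.0.0.5|s3cret-script-key", t2)
    seen.append(table.user_for("10.0.0.5", t2))  # None: logoff reported by script
    return seen


if __name__ == "__main__":
    print(demo())
```

The walk-through shows why the page recommends enabling both mechanisms: the polling observation for bob is only ever removed by the timeout, whereas alice's entry is cleared the moment the logoff script reports it. The script key check is what stops an unauthenticated client on the network from rewriting the mapping for its own IP, so the key should be treated as a secret and rotated if the logon script is ever exposed.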

4 FAQ
