Introduction



For this setup Administrator privileges are required on your Domain Controller!


Welcome and Thank you for showing interest in our AirID VIRTUAL product.


in this article we guide you, the admin, through the setup process for your AirID VIRTUAL instance,

meaning in the following steps we will be going through every single step of your AirID VIRTUAL setup.

We will start with checking for the necessary certificates to be present and make sure that your firewall and user

permissions are set up. Also we will provide you with some tips and hints on each step to make this as easy as possible for you.


During this guide we are going to reference the AirID VIRTUAL Domain Controller Server Diagnostics Tool, make sure you download it before starting with the setup.


Download the AirID VIRTUAL Domain Controller Server Diagnostics Tool here

The Domain Controller Server Diagnostics Tool doesn't require an Installation but helps with deploying the certificates on your domain controller, but more on that later on.




Create Required Certificates for Secure Organizational Setup

To securely connect AirID VIRTUAL to your Domain Controller we first need a list of certificates for specific purposes, them beeing:

  • your domain controller certificate - will be needed for the smarcard logon capabilities of Windows 10
  • your LDAPS certificate - which is needed for a secure and encrypted connection to your domain controller
  • our Issueing certificate - which you will need to trust the certificates provided by AirID VIRTUAL

In case you already have an Domain Controller certificate or an LDAPS certificate in place you can skip those but we would advise you to go through the whole article.




a) Create Domain Controller Certificate


Creating the Domain Controller certificate is the first step towards your AirID Virtual installation,

it is needed to enable your Windows Domain Controller to support the smartcard logon capabilities of Windows 10.



First you should check if your Domain Controller already has a Domain Controller certificate Installed.

You can do this by simply running our AirID VIRTUAL Domain Controller Server Diagnostics Tool on your Domain Controller.

If the Domain Controller shows a red "X" on the Domain Controller certificate tab there is no such certificate


Now onto creating your domain controller certificate


In case you skipped the step, the AirID VIRTUAL Domain Controller Server Diagnostics Tool can be found here.



So if you don't already have a domain controller certificate you can simply create one during the setup by clicking this "Create Domain Controller Certificate" button presented to you on your setup page.





As a next step fill out the presented form on screen as follows

FQDN

Fully Qualified Domain Name of your server - in case you don't know this simply type the command

  • echo %COMPUTERNAME%.%USERDNSDOMAIN%

in your cmd or powershell terminal

PasswordSet a password for this certificate, this is needed for the import on your domain controller later on

After clicking the create button the certificate will be downloaded via browser to your PC and imported on your Domain Controller using the Domain Controller Server Diagnostics Tool in the next section. 



b) Create LDAPS certificate using "Server Diagnostics Tool"

Now lets head on to the LDAPS certificate.

Enableing LDAPS not only secures the connection to your LDAP over SSL it is also recommended by Microsoft and is required in future updates of your Windows Operating System. 


Like with the Domain Controller certificate before, you can also check if a LDAPS certificate is present on your Domain Controllers system by checking the Domain Controller Server Diagnostics Tool on your Domain Controller.


If it shows up with a little green checkbox you can click "Export Certificate" and skip to the Export LDAPS Certificate part.


If the red X appears continue by clicking the Generate "New Certificate" Button




To create your self-signed LDAPS certificate, simply click the button "Generate New certificate" and fill out the form presented to you on screen and explained in the next section.

.



C - 2 characters ISO country code

This field is required and requires a 2 character country code, for example "DE", "US", "GB" or "CZ"

ST - state

This field is optional and references the state or province you're located for example "Hessen" or "North Rhine Westphalia".

We suggest leaving this field blank.

L - location

this field is optional Location would mean the exact location e.g. "Berlin" or "London" and is also not required, therefore we also suggest leaving this field blank

O - Company Name

This field is required and requires the organization e.g. company name.

OU - Organizational Unit

This field is optional and references the organizational unit such as "IT", "PM" as certificate owner.

CN - common name

This field is required and references the exact dns name of the domain controller you're installing the ldaps certificate on.

DNS2 - subject alternative name

This field is optional and can hold a secondary dns name, for example it can be an external dns entry for your LDAPS connection.


IP - IPv4 Adress of the Server

This field is required and we need the external IP address of where the AirID VIRTUAL service will connect to your external LDAPS connection leading to your Domain Controller.


For more information forward to the section <add marker> "Prepare the Firewall".


After clicking "OK" on the form you already enabled ldaps on your domain controller.

don't worry normal LDAP ports will still continue to work until manually disabled on your Domain Controller.

you need to export the public part of the certificate by clicking "export certificate" which downloads it on your Domain Controller.

You then proceed and copy it onto your PC as we need them in the next step "2 Configuring Active Directory"




Download Issuing certificate


In this step you download the AirID VIRTUAL issuing certificate.

This is required for the trust relationship between your Active Directory and the AirID VIRTUAL authentication service and will also be imported on your Domain Controller using the Domain Controller Server Diagnostics Tool.



Import Certificates on your Domain Controller using the Server Diagnostics Tool


Now that we have all certificates

  • your domain controller certificate
  • your LDAPS certificate
  • our Issueing certificate

you need to upload your certificates onto your Domain Controller using the Domain Controller Server Diagnostics Tool.



For the Domain Controller certificate click the "import" button on the "Domain Controller certificate" section and select the Domain Controller Certificate we previously created.

A prompt for the password will appear, where you enter the password you set for this certificate earlier.



After the import was successful your Tool should look like this

As for the Issuing certificate, simply repeat the import process and select the Issuing certificates you previously downloaded. In this step no password is required.


Prepare a Read-Only user in Active Directory




Now that we prepared all certificates on your Domain Controller for the AirID VIRTUAL connection, we need a read-only user in your active directory as well to securely connect to your Domain Controller.


The user is required for the AirID VIRTUAL Service to check for permitted users, phone number and email details for the invite/rollout process later on.

For this simply create a dedicated AD service-user for the AirID VIRTUAL Service in your domain forest.

The username can be freely choosen and can be changed in the AirID VIRTUAL Admin Settings anytime

once the initial setup is done.


Prepare AD Groups for Users and Admins




Along with the read-only user we just created, we need 2 AD groups to differentiate between Admins and Users inside the AirID VIRTUAL Portal.

The Groupnames for these are "AVS-Admin" and "AVS-User" and are case sensitive.

  • AVS-Admin
  • AVS-User

The group names are case sensitive






Prepare The Firewall


To recap, we got the certificates, the users and the groups ready to start you on your AirID VIRTUAL expierience.

Now we go for the routing part of this guide, for this we need to be a little bit more conceptional as there may be some minor differences in each firewall configuration scenario.

Since we can't cover a complete Routing/Firwall guide in this tutorial we break it down as basic as we can. 

In case you get lost here, we advise you to get some help from an expierienced network administrator in your organization.


So to be able to safetly and securely connect AirID VIRTUAL to your Domain Controller, we need to prepare a so called Network Adress Translation or a Port Forward (depending on the ports you're going to use).

In the described scenario below we are using a Port Forward.



This happens in 3 relatively easy steps.


  1. we need to know where the traffic will come from e.g. our IP's
  2. we need to know where the traffic will go to e.g. your IP's
  3. we need to know which port to connect to e.g. your external LDAPS port



13.69.68.64
52.157.195.82
52.236.181.25
104.40.185.11
40.118.13.254
40.68.240.155
52.142.214.122
52.166.232.66
40.115.43.232
23.97.169.51

As for the IP adresses of AirID Virtual, e.g. where the communication will come from

here is a simple list of IP adresses

Source Adress: "Our IP List"

Source Port: "Any"

Destination Adress "Your Public IP"

Destination Port "Your Definied Public LDAPS Port"

Redirect Adress "your internal Domain Controller Adress"

Redirect Port "you internal LDAPS Port usually 636"


Source Adressthis references the adress or adresses the firewall expects the traffic to originate from
Source Portbasicly the same as with the source adress this is the source port the firewall expects the traffic to originate from
Destination Adressthis adress is defined by you and/or your IT as you configure the interface where we will connect to in step 2 "Configuring Active Directory"
Destination Portthis port is also defined by you and/or your IT and can be freely choosen, we also strongly suggest not going for LDAPS std. port ranges here, meaning a port number >5000
Redirect AdressThe adress the firewall redirects the matching traffic to e.g. your domain controller
Redirect PortThe port the firewall redirect the traffic to e.g. your internal LDAPS port (usually 636)




  • No labels