Audience: ClassLink Administrator
Prepare a service account for the LaunchPad network connector with minimum read access permissions. To use LaunchPad for AD Password Reset, set delegation of control for your service account.
Provide a new VM and install Windows Server 2012, 2016, or 2019 Standard / Standard R2 (4GB RAM, 4vCPUs, 50GB HD).
- Dedicated Server
Using a dedicated server eliminates the conflicts that can arise on an existing server that is already running other district services.
- For DNS, SSL Cert, Server Name, and Service Account, please use the name "clinksso".
- Make sure to mount your ISO so we are able to obtain the source files.
IIS will look for the sxs folder in the Windows ISO/Installer.
Public DNS Host A Record
The DNS name used for your LaunchPad server is for our web service. Users will NOT go to this URL or see it. Our system accesses it to communicate with your server. For that reason, you'll need both a public and an internal DNS Host A record.
Public Record - clinksso.yourdomain.com points to the Public IP address of your ClassLink server.
Internal Record - same host A name points to the Internal IP address of your ClassLink server.
Firewall - create a NAT rule that forwards traffic arriving at the Public IP address of your ClassLink server on Port 443 to the Internal IP address of that server.
Firewall Rule: Public IP on Port 443 to Internal IP of New VM
On your firewall, create a NAT rule for inbound traffic to your LaunchPad Gateway VM server
LaunchPad IPs --> ###.###.#.###(your public IP) --> 443 --> ###.###.##.###(internal IP of VM)
*Use this public IP for the Host A record.
LaunchPad IPs -> servername.yourdomain.com -> 443 -> CLinkSSO
Install SSL Certificate (.pfx) in IIS
Note: Self-signed certificate will NOT work.
You need a standard SSL certificate purchased from a cert issuer like GoDaddy or DigiCert. It does not have to be dedicated. If you already have a wildcard cert, you can use it for your LaunchPad server. If you do not have a wildcard cert, you'll need to purchase one for your server (example: servername.yourdomain.com). The cert must be converted to a .pfx file, because the .pfx file is what gets imported in IIS.
- For DNS, SSL Cert, Server Name, and Service Account, please use the name clinksso.
- The certificate needs to be in .PFX format or else IIS does not recognize it.
GoDaddy provides documentation on how to convert your cert into PFX format.
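A pre-import check for the certificate requirements above, as an added example that is not ClassLink's own tooling: it loads the .pfx and reports whether it carries a private key, is self-signed, is inside its validity period, and matches the server's host name either exactly or through a wildcard. The function name `Test-LaunchPadPfx`, the file name `clinksso.pfx`, and the host name in the last line are assumptions for illustration.

```powershell
# Added example (not ClassLink code). Test-LaunchPadPfx is a hypothetical helper name.
function Test-LaunchPadPfx {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,           # .pfx you plan to import into IIS
        [Parameter(Mandatory = $true)] [string] $HostName,       # e.g. clinksso.yourdomain.com
        [Parameter(Mandatory = $true)] [securestring] $Password  # PFX export password
    )
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (Resolve-Path $Path).Path, $Password
    $problems = @()

    # IIS can only bind a certificate whose private key is present in the PFX.
    if (-not $cert.HasPrivateKey) { $problems += 'PFX contains no private key' }

    # A self-signed certificate has identical subject and issuer.
    if ($cert.Subject -eq $cert.Issuer) { $problems += 'certificate is self-signed' }

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    # Host name must match a DNS name exactly or via a single-label wildcard.
    # DnsNameList is the property PowerShell attaches to certificate objects.
    $names  = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $parent = $HostName.Substring($HostName.IndexOf('.') + 1)
    $match  = $names | Where-Object { $_ -eq $HostName -or $_ -eq "*.$parent" }
    if (-not $match) { $problems += "no DNS name matches $HostName (found: $($names -join ', '))" }

    # Builds the chain against this server's trust store; the default policy
    # also checks revocation online, so run this with outbound access available.
    if (-not $cert.Verify()) { $problems += 'chain does not validate to a trusted CA' }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Ok         = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Prompt for the password rather than placing it on the command line or in a script.
$pw = Read-Host -AsSecureString 'PFX password'
Test-LaunchPadPfx -Path .\clinksso.pfx -HostName 'clinksso.yourdomain.com' -Password $pw
```

Run it on the new VM itself so that the chain is evaluated against the same trust store IIS will use.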
The IIS page launchpadserver.yourdomain.com should be accessible internally and externally from your network.
Prepare a service account for the LaunchPad network connector. It needs minimum read access permissions, plus password reset permissions if you want to provide AD Password Reset for end users.
We need a dedicated AD account that will be added in our software by you or someone on your team. This account will be used to read your AD. At a minimum, the account needs to be a domain user. However, if you want to use AD password reset in LaunchPad, the account should have password reset permissions on the desired OUs in your AD.
During the deployment, we will install the LaunchPad Network Connector and the last step would be to add the service account. We do not need to know your user and password for the service account that you create, but we will ask you to enter it in for us.
Updated: Dec 2018