Product: LaunchPad
Audience: ClassLink Administrator
The ClassLink Gateway 2.0 Server is required on-premises for Microsoft Active Directory integration. ClassLink leverages your existing Active Directory security groups: groups imported into ClassLink grant their members the ability to log in with their Active Directory credentials. If desired, network drive mapping to Windows shares and home folders is available as well. Cloud hosting by ClassLink is not an option, because the gateway needs to interact with a local Active Directory domain.
Note: We require at least two instances of the gateway service for performance and redundancy purposes. Each instance should run on a virtual machine or server dedicated to ClassLink; the service cannot be installed on a server that is running other roles. ClassLink will provide temporary login credentials for LaunchPad to complete the server setup. See the setup guide for details. Only the primary server requires MySQL; additional servers do not. If the MySQL server is offline but other gateway instances are online, logins remain available, but network drive mappings through My Files will not be.
Overview
- Hardware Requirements
- Software Requirements
- Firewall Requirements
- Service Account
- Authentication Workflow
- Auto-Provisioning
Hardware Requirements
Minimum requirements (at least 2 servers, virtual or physical):
- CPU: At least 4 vCPU cores; 2.0 GHz, 32-bit (x86) or 64-bit (x64)
- RAM: At least 8 GB
- HDD: At least 60 GB free space
Software Requirements
- Operating System: Windows Server 2016 or 2019; domain member server
- All latest Windows updates installed
Note (optional): For terminal server application provisioning, the HTML5 gateway must be installed on a separate virtual machine. This second server for the HTML5 Gateway must be opened up for traffic on port 443. Any further configuration of that server is performed by ClassLink personnel during the setup call.
Firewall Requirements
If you are filtering outbound traffic from your servers, please ensure the following rules are in place.

| Direction | Source | Destination | TCP Ports |
|---|---|---|---|
| Inside to Outside | ClassLink Gateway Server | amqps://tms-mq-prod.classlink.io | 5671 or 443 |
| Inside to Outside | ClassLink Gateway Server | https://tenant-management-service.classlink.io | 443 |
| Inside to Outside | ClassLink Gateway Server | https://dists.classlink.com | 443 |
| Inside to Outside | ClassLink Gateway Server | https://tms-files.classlink.io | 443 |
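The following PowerShell check is an added example, not a ClassLink-supplied script: run it on the Gateway server before the setup call to confirm each destination in the table above resolves and accepts a TCP connection on the required port. It assumes the built-in Test-NetConnection cmdlet (Windows Server 2016/2019) and that no proxy answers the TCP handshake on the remote host's behalf.

```powershell
# Endpoints and ports are taken from the firewall table above.
$endpoints = @(
    @{ Host = 'tms-mq-prod.classlink.io';               Ports = @(5671, 443) },  # AMQPS to RabbitMQ
    @{ Host = 'tenant-management-service.classlink.io'; Ports = @(443) },
    @{ Host = 'dists.classlink.com';                    Ports = @(443) },
    @{ Host = 'tms-files.classlink.io';                 Ports = @(443) }
)

$results = foreach ($e in $endpoints) {
    foreach ($p in $e.Ports) {
        # Test-NetConnection does DNS resolution plus a TCP handshake only; it does
        # not validate the TLS certificate or speak AMQP/HTTPS, so a pass here means
        # the firewall path is open, not that the service itself is healthy.
        $t = Test-NetConnection -ComputerName $e.Host -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            Destination = $e.Host
            Port        = $p
            Resolved    = [bool]$t.RemoteAddress
            TcpOpen     = $t.TcpTestSucceeded
        }
    }
}

$results | Format-Table -AutoSize

# The message broker needs only ONE of 5671 or 443 open (per the table);
# every other destination must be reachable on 443.
$brokerHost = 'tms-mq-prod.classlink.io'
$broker = $results | Where-Object Destination -eq $brokerHost
$others = $results | Where-Object Destination -ne $brokerHost
$brokerOk = $broker.TcpOpen -contains $true
$othersOk = -not ($others | Where-Object { -not $_.TcpOpen })

if ($brokerOk -and $othersOk) {
    'All required outbound paths are reachable.'
} else {
    Write-Warning 'At least one required outbound rule is missing; compare the output with the firewall table.'
}
```

A failed check on only port 5671 with 443 succeeding for the broker host is acceptable; a failure on both, or on any of the HTTPS hosts, means an outbound rule still has to be added.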
Service Account
ClassLink Gateway 2.0 Server requires an AD account to read your AD. Please create a dedicated AD service account. At a minimum, the account needs to be a domain user. However, if you want to use AD password reset in LaunchPad, the account used should have the password reset permissions to desired OUs in your AD.
Authentication Workflow
All connections are outbound from the ClassLink Gateway server. When users authenticate with Active Directory into LaunchPad, the process is the following:
- The ClassLink Gateway server makes a persistent outbound TLS/SSL connection to the RabbitMQ Server. Once the connection is established, it is used for communication in both directions.
- The user navigates to the LaunchPad website over TLS/SSL. The website is hosted by ClassLink.
- The user enters their credentials into LaunchPad, and they are sent encrypted using TLS/SSL to the LaunchPad API servers.
- The ClassLink servers in the cloud send an encrypted message through the RabbitMQ Server to your ClassLink Gateway server.
- The LaunchPad Gateway server validates the credentials against Active Directory in real time.
- The response is sent back to the LaunchPad API servers over the same persistent connection to RabbitMQ.
- The LaunchPad API server returns a response to the client.
Auto-Provisioning
Active Directory accounts are automatically provisioned on the first login into ClassLink, provided their groups are configured with access.
The process for auto-provisioning is the following:
- A user that has not previously used LaunchPad logs in to their site's custom portal page with their existing Active Directory credentials.
- LaunchPad validates the user against Active Directory using the LaunchPad Web Service.
- If the user exists, LaunchPad verifies the user's group membership against the groups configured within LaunchPad.
- If the user's groups are configured in LaunchPad, their account is automatically created and they are logged in to LaunchPad.
Updated: Dec 2018