Audience: ClassLink Administrator
The ClassLink LaunchPad server is required on-premises when it is expected that students and staff will authenticate to an in-house Active Directory environment. It is also required on-premises if it is expected that students and staff will have remote access to their files and folders that are stored on on-premises Windows file servers. Cloud hosting by ClassLink is not an option for this Gateway Server as it needs to interact with a local Active Directory domain.
- Hardware Requirements
- Software Requirements
- Server Network
- DMZ Firewall (optional)
- Authentication Workflow
Hardware Requirements (physical or VM): minimum requirements
- CPU: At least 2 vCPUs (VM); 2.0 GHz, 32-bit (x86) or 64-bit (x64)
- RAM: At least 4 GB
- HDD: At least 40 GB free space
- Operating System: Windows Server 2012/R2 or 2016; domain member server
- Roles: Internet Information Services (IIS)
- All latest Windows updates installed
- Public IP Address: mapped to the web server's internal IP over port 443 (HTTPS requires a valid SSL certificate: a .pfx file imported in IIS). Restrict inbound connections to the following source (public) IPs:
- External and Internal DNS Record: A DNS "A" record must be assigned to the web server on a public DNS provider (pointing to the external IP address used) and on the internal DNS (pointing to the internal IP address of the web server)
- Optional* HTML5 Gateway. Additional Public IP Address: mapped to the web server's secondary internal IP over port 443 for the HTML5 Gateway (iOS/Android devices)
*For terminal server application provisioning. Both services can run on the same server; however, authentication and the HTML5 Gateway need separate public IPs and separate NICs to function.
DMZ Firewall (Optional)
| Rule | Source | Destination | Ports / Protocols |
|---|---|---|---|
| Outside to DMZ | Any | ClassLink Server | |
| DMZ to inside | DMZ | AD Server | TCP/UDP 389 : LDAP |
| DMZ to inside | DMZ | Terminal Servers | |
| DMZ to File Server | ClassLink Server | File Server (for MyFiles) | TCP 135 : MS-RPC; TCP 1025 & 1026 : AD Login; TCP 445 : SMB, MS-DS; TCP 139 : SMB; UDP 137 & 138 : NetBIOS; UDP 88 : Kerberos v5 |
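The requirements above (IIS role, internal DNS A record, a valid certificate bound to port 443, and the DMZ firewall rules) can be verified from the LaunchPad server itself before the ClassLink side is configured. The following PowerShell script is an added readiness check, not ClassLink's own tooling; the hostnames in it are placeholders for your domain controller, file server and LaunchPad DNS name.

```powershell
# Added readiness check (not ClassLink's own code). Run on the LaunchPad member server.
# All hostnames are placeholders; replace them with your environment's values.
$LaunchPadHost = 'launchpad.example.org'     # placeholder: DNS name of the LaunchPad server
$AdServer      = 'dc01.corp.example.org'     # placeholder: a domain controller
$FileServer    = 'files01.corp.example.org'  # placeholder: file server used for MyFiles

# 1. IIS role present on the member server
$iis = Get-WindowsFeature -Name Web-Server
"IIS role installed: $($iis.Installed)"

# 2. Internal DNS A record resolves to one of this host's own IPv4 addresses
$localIPs = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
$resolved = (Resolve-DnsName -Name $LaunchPadHost -Type A -ErrorAction SilentlyContinue).IPAddress
$matchesLocal = [bool]($resolved | Where-Object { $localIPs -contains $_ })
"Internal A record: $($resolved -join ', ') ; matches a local IP: $matchesLocal"

# 3. A non-expired certificate is bound to HTTPS on port 443 in IIS
Import-Module WebAdministration
$binding = Get-WebBinding -Protocol https | Where-Object { $_.bindingInformation -like '*:443:*' }
if ($binding) {
    $thumb = $binding.certificateHash
    $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    "443 binding cert: $($cert.Subject) expires $($cert.NotAfter) (valid: $($cert.NotAfter -gt (Get-Date)))"
} else {
    'No HTTPS binding on port 443 found in IIS'
}

# 4. TCP reachability from this server to AD and the file server on the ports in the DMZ table.
#    Test-NetConnection only probes TCP; the UDP ports (389, 137/138, 88) must be confirmed
#    from the firewall rule set or its logs instead.
$tcpChecks = @(
    @{ Host = $AdServer;   Port = 389;  Name = 'LDAP' },
    @{ Host = $FileServer; Port = 135;  Name = 'MS-RPC' },
    @{ Host = $FileServer; Port = 1025; Name = 'AD Login' },
    @{ Host = $FileServer; Port = 1026; Name = 'AD Login' },
    @{ Host = $FileServer; Port = 445;  Name = 'SMB, MS-DS' },
    @{ Host = $FileServer; Port = 139;  Name = 'SMB' }
)
foreach ($c in $tcpChecks) {
    $r = Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue
    '{0,-28} TCP {1,-5} {2,-12} reachable: {3}' -f $c.Host, $c.Port, $c.Name, $r.TcpTestSucceeded
}
```

A failed TCP check from the DMZ host is the quickest way to spot a missing "DMZ to inside" rule; a certificate that resolves but shows `valid: False` is the usual cause of the public 443 mapping working while browsers still refuse the site.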
When users authenticate with Active Directory into LaunchPad, the process is the following:
- The user navigates to the LaunchPad website over TLS/SSL.
- The user enters their credentials into LaunchPad, and they are sent encrypted with TLS/SSL to the LaunchPad API servers.
- The LaunchPad API services forward the credentials, encrypted with TLS/SSL, to the LaunchPad web service hosted at the school.
- The LaunchPad web service validates the user against Active Directory.
- The response is sent back to the LaunchPad API servers.
- The LaunchPad API server returns the response to the client.
Active Directory accounts are automatically provisioned on the first login in LaunchPad provided their groups are configured with access.
The process for auto-provisioning is the following:
- A user who has not previously used LaunchPad logs in to their site's custom portal page with their existing Active Directory credentials.
- LaunchPad validates the user against Active Directory using the LaunchPad Web Service.
- If the user exists, LaunchPad verifies the user's group membership against the groups configured within LaunchPad.
- If the user’s groups are configured in LaunchPad, their account is automatically created and they are logged in to LaunchPad.
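Both workflows above come down to the same two gates on the on-premises side: the credentials must validate against Active Directory, and the user must belong to a group that LaunchPad has been configured to grant access. The PowerShell function below is an added illustration of that decision order using the .NET `System.DirectoryServices.AccountManagement` API; it is not the LaunchPad Web Service's code. The domain name and group names are placeholders, and the function only reports whether an account would be provisioned rather than creating one.

```powershell
# Added example (not ClassLink's LaunchPad Web Service). Reproduces the decision order the
# workflow describes: authenticate against AD, then gate provisioning on configured groups.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$Domain           = 'corp.example.org'                         # placeholder domain
$ConfiguredGroups = @('LaunchPad-Students', 'LaunchPad-Staff')  # placeholder: groups granted access in LaunchPad

function Test-LaunchPadProvisioning {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][securestring]$Password
    )
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)
    try {
        # Step 1: validate the credentials against Active Directory
        $plain = (New-Object System.Net.NetworkCredential('', $Password)).Password
        if (-not $ctx.ValidateCredentials($UserName, $plain)) {
            return [pscustomobject]@{ User = $UserName; Result = 'Denied'; Reason = 'Invalid credentials' }
        }

        # Step 2: resolve the user object (authentication succeeded, so it should exist)
        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
            $ctx, [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName, $UserName)
        if (-not $user) {
            return [pscustomobject]@{ User = $UserName; Result = 'Denied'; Reason = 'User not found' }
        }

        # Step 3: compare effective (nested) group membership with the configured groups.
        # GetAuthorizationGroups() expands nested groups; GetGroups() would list direct membership only.
        $memberOf = $user.GetAuthorizationGroups() | ForEach-Object { $_.SamAccountName }
        $matched  = $ConfiguredGroups | Where-Object { $memberOf -contains $_ }
        if (-not $matched) {
            return [pscustomobject]@{ User = $UserName; Result = 'Denied'; Reason = 'No configured group' }
        }

        # Step 4: the real service creates the LaunchPad account here; this example only reports
        return [pscustomobject]@{ User = $UserName; Result = 'Provision'; Reason = ($matched -join ', ') }
    } finally {
        $ctx.Dispose()
    }
}

# Usage (interactive prompt keeps the password out of the command line and shell history):
# Test-LaunchPadProvisioning -UserName 'jdoe' -Password (Read-Host -AsSecureString 'Password')
```

The order matters for troubleshooting: a user who authenticates but is reported as `No configured group` has a working AD path and a LaunchPad group configuration problem, while `Invalid credentials` for every user points at the DMZ-to-AD firewall rule or the domain membership of the server.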
Updated: Dec 2018