Audience: ClassLink Administrator 

The ClassLink LaunchPad server is required on-premises when it is expected that students and staff will authenticate to an in-house Active Directory environment. It is also required on-premises if it is expected that students and staff will have remote access to their files and folders that are stored on on-premises Windows file servers. Cloud hosting by ClassLink is not an option for this Gateway Server as it needs to interact with a local Active Directory domain.

Note: We require a new dedicated virtual machine or server for running the ClassLink web service. We will not install the web service on a server that is running other roles.

Note: Once the server and firewall rules are ready, ClassLink will complete the setup via a screen-sharing session with a member of the school district.

Overview

• Hardware Requirements
• Software Requirements
• Server Network(**)
• DMZ Firewall (optional)
• Authentication Workflow
• Auto-Provisioning

Hardware Requirements

(physical or VM) minimum requirements

1. CPU: At least 2vCPUs VM; 2.0 GHz o32-bit (x86) or 64-bit (x64)
2. RAM: At least 4 GB Minimum
3. HDD: At least 40 GB free space

Software Requirements

1. Operating System: Windows Server 20012/R2 or 2016; domain member server
2. Roles: Internet Information Services (IIS)
3. All latest Windows updates installed

Server Network(**)

1. Public IP Address: mapped to web server's internal IP over port 443 (https requires a valid SSL certificate- a .pfx file imported in IIS). Restrict source/inbound IPs from the following public IPs: 
   1. 34.198.15.18
   2. 34.198.138.178
   3. 34.233.147.106
   4. 50.17.27.93
   5. 54.157.222.71
   6. 96.57.176.210
      
2. External and Internal DNS Record: A DNS "A" record must be assigned to the web server on a public DNS provider (pointing to the external IP address used) and on the internal DNS (pointing to the internal IP address of web server)
3. Optional* HTML5 Gateway. Additional Public IP Address: mapped to web server's secondary internal IP over port 443 for HTML5 Gateway (iOS/Android devices)

*For terminal server application provisioning. All 2 services can function on the same server, however, authentication and HTML5 gateway need separate public IPs and separate NICs to function.

Note: Firewall rules must be created prior to setup. Note: ClassLink Server in DMZ is optional

Note: HTML5 Gateway is optional if you wish to deliver Windows apps remotely via terminal Servers (RDS).

DMZ Firewall (Optional)

Authentication Workflow

When users authenticate with Active Directory into LaunchPad, the process is the following:

1. The user navigates to the LaunchPad website over TLS/SSL.
2.  The user enters their credentials into LaunchPad and it is sent encrypted using TLS/SSL to LaunchPad API servers.
3. LaunchPad API services forward the credentials to the LaunchPad web service hosted at the school encrypted using TLS/SSL.
4. The LaunchPad web service will validate the user against Active Directory.
5.  The response is sent back to the LaunchPad API servers.
6. LaunchPad API server returns response to client.

Auto-Provisioning

Active Directory accounts are automatically provisioned on the first login in LaunchPad provided their groups are configured with access.

The process for auto-provisioning is the following:

1. A user that has not previously used LaunchPad logs in to their sites custom portal page with their existing Active Directory credentials.
2. LaunchPad validates the user against Active Directory using the LaunchPad Web Service.
3.  If the user exists, LaunchPad will verify the group membership with groups configured within LaunchPad.
4.  If the user’s groups are configured in LaunchPad, their account is automatically created and they are logged in to LaunchPad.

Updated: Dec 2018