Articles in this section

Active Directory Integration

   Product: LaunchPad   

Audience: ClassLink Administrator 

 

The LaunchPad Gateway Server is required on-premises when it is expected that students and staff will authenticate to an in-house Active Directory environment. It is also required on-premises if it is expected that students and staff will have remote access to their files and folders that are stored on on-premises Windows file servers. Cloud hosting by ClassLink is not an option for this LaunchPad Gateway Server as it needs to interact with a local Active Directory domain.

 

Note: We require a new dedicated virtual machine or server. We will not install the web service on a server that is running other roles. 

 

Note: Once the server and firewall rules are ready, ClassLink will complete the setup via a screen-sharing session with a member of the school district. For district's with 50,000+ users, please click here.

 

 

Overview

 

 

Hardware Requirements

(physical or VM) minimum requirements

  1. CPU: At least 4vCPUs VM; 2.0 GHz o32-bit (x86) or 64-bit (x64)
  2. RAM: At least 4 GB Minimum
  3. HDD: At least 50 GB free space

 

 

Software Requirements

  1. Operating System: Windows Server 2012/R2, 2016, or 2019; domain member server
  2. Roles: Internet Information Services (IIS)
  3. All latest Windows updates installed

 

 

Server Network(*)

  1. Public IP Address: mapped to the LaunchPad Gateway Server's internal IP over port 443 (https requires a valid SSL certificate- a .pfx file imported in IIS). Allow source/inbound IPs from the following public IPs: 
    1. 34.198.15.18
    2. 34.198.138.178
    3. 34.233.147.106
    4. 50.17.27.93
    5. 54.157.222.71
    6. 96.57.176.210
  2. External and Internal DNS Record: A DNS "A" record must be assigned to the web server on a public DNS provider (pointing to the external IP address used) and on the internal DNS (pointing to the internal IP address of web server)
  3. Optional*** HTML5 Gateway. Additional Public IP Address: mapped to the web server's secondary internal IP over port 444 for HTML5 Gateway. If you would like to use the same server as LaunchPad, you cannot use the same port 443 - we recommend port 444.   

***For terminal server application provisioning. All 2 services (for authentication and HTML5 gateway) can function on the same server, however, authentication and HTML5 gateway need separate public IPs and separate NICs to function. Traffic for NAT rule 1 is for authentication, for NAT rule 2, for the HTML5 Gateway on port 444. Additionally, you can setup a dedicated VM for the HTML5 Gateway service, this still needs an additional IP and NAT rule - port 443 can be used in this case.

 

Note: Firewall rules must be created prior to setup. Note: LaunchPad Gateway Server in DMZ is optional

 

diagram1.png

 

Note: HTML5 Gateway is optional if you wish to deliver Windows apps remotely via terminal Servers (RDS).

 

 

DMZ Firewall (Optional)

Direction Source Destination TCP Ports
Outside to DMZ Any LaunchPad Gateway Server

443 TCP

 
DMZ to inside DMZ AD Server

TCP/UDP 389 : LDAP
TCP/UDP 53 : DNS
TCP 3268
UDP 138
TCP/UDP 445
TCP 636
TCP 3269
UDP 123
TCP & UDP 88
UDP 137

 
DMZ to inside DMZ Terminal Servers

3389 TCP

 
DMZ to File Server ClassLink Server File Server (for MyFiles) TCP 135 : MS-RPC
TCP 1025 & 1026 : AD Login
& Replication
TCP 445 : SMB, MS-DS
TCP 139 : SMB
UDP 137 & 138 : NetBIOS
UDP 88 : Kerboros v5

 

 

Authentication Workflow

When users authenticate with Active Directory into LaunchPad, the process is the following:

  1. The user navigates to the LaunchPad website over TLS/SSL.
  2. The user enters their credentials into LaunchPad and it is sent encrypted using TLS/SSL to LaunchPad API servers.
  3. LaunchPad API services forward the credentials to the LaunchPad web service hosted at the school encrypted using TLS/SSL.
  4. The LaunchPad web service will validate the user against Active Directory.
  5. The response is sent back to the LaunchPad API servers.
  6. LaunchPad API server returns response to client.

 

 

Auto-Provisioning

Active Directory accounts are automatically provisioned on the first login in LaunchPad provided their groups are configured with access.

The process for auto-provisioning is the following:

  1. A user that has not previously used LaunchPad logs in to their sites custom portal page with their existing Active Directory credentials.
  2. LaunchPad validates the user against Active Directory using the LaunchPad Web Service.
  3. If the user exists, LaunchPad will verify the group membership with groups configured within LaunchPad.
  4. If the user’s groups are configured in LaunchPad, their account is automatically created and they are logged in to LaunchPad.

 

 

 

Updated: Dec 2018

Related articles

Powered by Zendesk