This page will assist you with fulfilling the requirements for integrating your network with ClassLink on Windows Server (versions 2008 through 2016) for Microsoft Active Directory. Integrating your network will allow you to utilize your existing user credentials and even access your home folders and network shares from My Files.
We require a new dedicated virtual machine or server for running the ClassLink web service. We will not install the web service on a server that is running other roles.
Once the server and firewall rules are ready, ClassLink will complete the setup via a screen-sharing session with a member of the school district.
Hardware Requirements
(physical or VM) minimum requirements
- CPU: At least 2vCPUs VM; 2.0 GHz o32-bit (x86) or 64-bit (x64)
- RAM: At least 4 GB Minimum
- HDD: At least 40 GB free space
Software Requirements
- Operating System: Windows Server 20012/R2 or 2016; domain member server
- Roles: Internet Information Services (IIS)
- All latest Windows updates installed
Server Network(**)
- Public IP Address: mapped to web server's internal IP over port 443 (https requires a valid SSL certificate- a .pfx file imported in IIS). Restrict source/inbound IPs from the following public IPs:
- 34.198.15.18
- 34.198.138.178
- 34.233.147.106
- 50.17.27.93
- 54.157.222.71
- 96.57.176.210
- External and Internal DNS Record: A DNS "A" record must be assigned to the web server on a public DNS provider (pointing to external IP address used) and on the internal DNS (pointing to internal IP address of web server)
- Optional* HTML5 Gateway. Additional Public IP Address: mapped to web server's secondary internal IP over port 443 for HTML5 Gateway (iOS/Android devices)
*For terminal server application provisioning. All 2 services can function on the same server, however, authentication and html5 gateway need separate public IPs and separate NICs to function.
**Firewall rules must be set to accept traffic from all sources
Firewall rules must be created prior to setup. Note: ClassLink server in DMZ is optional
HTML5 gateway is optional if you wish to deliver Windows apps remotely via Terminal Servers (RDS).
DMZ Firewall (optional)
| Direction | Source | Destination | TCP Ports |
| Outside to DMZ | Any | ClassLink Server |
443 TCP
|
| DMZ to inside | DMZ to File Server | AD Server |
TCP/UDP 389 : LDAP
|
| DMZ to inside | DMZ to File Server | Terminal Servers |
3389 TCP
|
| DMZ to File Server | ClassLink Server | File Server (for MyFiles) | TCP 135 : MS-RPC TCP 1025 & 1026 : AD Login & Replication TCP 445 : SMB, MS-DS TCP 139 : SMB UDP 137 & 138 : NetBIOS UDP 88 : Kerboros v5 |
Authentication Workflow
When users authenticate with Active Directory into OneClick, the process is the following:
- User navigates to the OneClick website over TLS/SSL.
- The user enters their credentials into OneClick and it is sent encrypted using TLS/SSL to OneClick API servers.
- OneClick API services forward the credentials to the OneClick web service hosted at the school encrypted using TLS/SSL.
- The OneClick web service will validate the user against Active Directory.
- Response is sent back to the OneClick API servers.
- OneClick API server returns response to client.
Auto-Provisioning
Active Directory accounts are automatically provisioned on first login in OneClick provided their groups are configured with access.
The process for auto-provisioning is the following:
- A user that has not previously used OneClick logs in to their sites custom portal page with their existing Active Directory credentials.
- OneClick validates the user against Active Directory using the OneClick Web Service.
- If the user exists, OneClick will verify the group membership with groups configured within OneClick.
- If the user’s groups are configured in OneClick, their account is automatically created and they are logged in to OneClick.