Product: LaunchPad
Audience: ClassLink Administrator
The ClassLink Gateway 2.0 Server is required on-premises for Microsoft Active Directory integration. ClassLink leverages existing active directory security groups. Groups imported into ClassLink will grant members the ability to login with their active directory credentials. If desired, network drive mapping to Windows shares and home folders are available as well. Cloud hosting by ClassLink is not an option as it needs to interact with a local Active Directory domain.
Note: We require a new dedicated virtual machine or server. We will not install the web service on a server that is running other roles. ClassLink will provide temporary login credentials for LaunchPad to complete the server setup.
Overview
- Hardware Requirements
- Software Requirements
- Firewall Requirements
- Service Account
- Authentication Workflow
- Auto-Provisioning
Hardware Requirements
(physical or VM) minimum requirements
- CPU: At least 4vCPU Cores VM; 2.0 GHz o32-bit (x86) or 64-bit (x64)
- RAM: At least 6 GB Minimum
- HDD: At least 50 GB free space
Software Requirements
- Operating System: Windows Server 2016 or 2019; domain member server
- All latest Windows updates installed
Note: ***OPTIONAL For terminal server application provisioning. HTML5 gateway need would need to be installed on a separate Virtual Machine. The second server for the HTML5 Gateway would need to be opened up for traffic on port 443. Any further configuration of the server would be performed by ClassLink personnel during the setup call.
Firewall Requirements
If you are filtering outbound traffic from your servers please ensure the following rules are in place.
| Direction | Source | Destination | TCP Ports |
| Inside to Outside | ClassLink Gateway Server | amqps://tms-mq-prod.classlink.io | 5671 or 443 |
| Inside to Outside | ClassLink Gateway Server | https://tenant-management-service.classlink.io | 443 |
| Inside to Outside | ClassLink Gateway Server | https://dists.classlink.com | 443 |
| Inside to Outside | ClassLink Gateway Server | https://tms-files.classlink.io | 443 |
Service Account
ClassLink Gateway 2.0 Server requires an AD account to read your AD. Please create a dedicated AD service account. At a minimum, the account needs to be a domain user. However, if you want to use AD password reset in LaunchPad, the account used should have the password reset permissions to desired OUs in your AD.
Authentication Workflow
All connections are outbound from the ClassLink Gateway server. When users authenticate with Active Directory into LaunchPad, the process is the following:
- The ClassLink Gateway server makes a persistent outbound TLS/SSL connection to the RabbitMQ Server. Once the connection is established, it is used for communication in both directions.
- The user navigates to the LaunchPad website over TLS/SSL. The webiste is hosted by ClassLink.
- The user enters their credentials into LaunchPad and it is sent encrypted using TLS/SSL to LaunchPad API servers.
- The ClassLink servers in the cloud send an encrypted message through the RabbitMQ Server, to your ClassLink Gateway server.
- The LaunchPad Gateway server validates the credentials against Active Directory in real time.
- The response is sent back to the LaunchPad API servers over the same persistent connection to RabbitMQ.
- LaunchPad API server returns response to client.
Auto-Provisioning
Active Directory accounts are automatically provisioned on the first login into ClassLink provided their groups are configured with access.
The process for auto-provisioning is the following:
- A user that has not previously used LaunchPad logs in to their sites custom portal page with their existing Active Directory credentials.
- LaunchPad validates the user against Active Directory using the LaunchPad Web Service.
- If the user exists, LaunchPad will verify the group membership with groups configured within LaunchPad.
- If the user’s groups are configured in LaunchPad, their account is automatically created and they are logged in to LaunchPad.
Updated: Dec 2018