Articles in this section

Active Directory Integration

   Product: LaunchPad   

Audience: ClassLink Administrator 

 

The LaunchPad Gateway 2.0 Server is required on-premises when it is expected that students and staff will authenticate to an in-house Active Directory environment. It is also required on-premises if it is expected that students and staff will have remote access to their files and folders that are stored on on-premises Windows file servers. Cloud hosting by ClassLink is not an option for this LaunchPad Gateway Server 2.0 as it needs to interact with a local Active Directory domain.

 

Note: We require a new dedicated virtual machine or server. We will not install the web service on a server that is running other roles. 

 

Note:  ClassLink will complete the setup via a screen-sharing session with a member of the school district. For district's with 50,000+ users, please click here.

 

 

Overview

 

 

Hardware Requirements

(physical or VM) minimum requirements

  1. CPU: At least 4vCPUs VM; 2.0 GHz o32-bit (x86) or 64-bit (x64)
  2. RAM: At least 6 GB Minimum
  3. HDD: At least 50 GB free space

 

 

Software Requirements

  1. Operating System: Windows Server 2016 or 2019; domain member server
  2. All latest Windows updates installed

 

***OPTIONAL For terminal server application provisioning. HTML5 gateway need would need to be installed on a separate Virtual Machine to function. The second server for the HTML5 Gateway would need to be opened up for traffic on port 443. Any further configuration of the server would be performed by ClassLink personnel during the setup call. 

 

Note: HTML5 Gateway is optional if you wish to deliver Windows apps remotely via terminal Servers (RDS).

 

 

DMZ Firewall (Optional)

Direction Source Destination TCP Ports
Outside to DMZ Any LaunchPad Gateway Server

443 TCP

 
DMZ to inside DMZ AD Server

TCP/UDP 389 : LDAP
TCP/UDP 53 : DNS
TCP 3268
UDP 138
TCP/UDP 445
TCP 636
TCP 3269
UDP 123
TCP & UDP 88
UDP 137

 
DMZ to inside DMZ Terminal Servers

3389 TCP

 
DMZ to File Server ClassLink Server File Server (for MyFiles) TCP 135 : MS-RPC
TCP 1025 & 1026 : AD Login
& Replication
TCP 445 : SMB, MS-DS
TCP 139 : SMB
UDP 137 & 138 : NetBIOS
UDP 88 : Kerboros v5

 

 

Authentication Workflow

When users authenticate with Active Directory into LaunchPad, the process is the following:

  1. The user navigates to the LaunchPad website over TLS/SSL.
  2. The user enters their credentials into LaunchPad and it is sent encrypted using TLS/SSL to LaunchPad API servers.
  3. LaunchPad API services forward the credentials to the LaunchPad web service hosted at the school encrypted using TLS/SSL.
  4. The LaunchPad web service will validate the user against Active Directory.
  5. The response is sent back to the LaunchPad API servers.
  6. LaunchPad API server returns response to client.

 

 

Auto-Provisioning

Active Directory accounts are automatically provisioned on the first login in LaunchPad provided their groups are configured with access.

The process for auto-provisioning is the following:

  1. A user that has not previously used LaunchPad logs in to their sites custom portal page with their existing Active Directory credentials.
  2. LaunchPad validates the user against Active Directory using the LaunchPad Web Service.
  3. If the user exists, LaunchPad will verify the group membership with groups configured within LaunchPad.
  4. If the user’s groups are configured in LaunchPad, their account is automatically created and they are logged in to LaunchPad.

 

Updated: Dec 2018

Related articles

Powered by Zendesk