Audience: ClassLink Administrator
The LaunchPad Gateway Server is required on-premises when it is expected that students and staff will authenticate to an in-house Active Directory environment. It is also required on-premises if it is expected that students and staff will have remote access to their files and folders that are stored on on-premises Windows file servers. Cloud hosting by ClassLink is not an option for this LaunchPad Gateway Server as it needs to interact with a local Active Directory domain.
- Hardware Requirements
- Software Requirements
- Server Network
- DMZ Firewall (optional)
- Authentication Workflow
Hardware Requirements (physical or VM): minimum requirements
- CPU: at least 4 vCPUs at 2.0 GHz, 64-bit (x64); the supported Windows Server versions below are 64-bit only
- RAM: at least 4 GB
- HDD: at least 50 GB free space
Software Requirements
- Operating System: Windows Server 2012/R2, 2016, or 2019, joined to the domain as a member server
- Roles: Internet Information Services (IIS)
- All current Windows updates installed
Server Network
- Public IP Address: NAT-mapped to the LaunchPad Gateway Server's internal IP on TCP port 443. HTTPS requires a valid SSL certificate (a .pfx file imported into IIS). Limit inbound traffic on this port to the following ClassLink public source IPs:
- External and Internal DNS Record: a DNS "A" record for the web server must exist both on a public DNS provider (pointing to the external IP address used) and on the internal DNS (pointing to the web server's internal IP address).
- Optional*** HTML5 Gateway. Additional Public IP Address: mapped to the web server's secondary internal IP on port 444 for the HTML5 Gateway. If the HTML5 Gateway runs on the same server as LaunchPad it cannot share port 443; we recommend port 444.
***For terminal server application provisioning. Both services (authentication and HTML5 Gateway) can run on the same server, but each needs its own public IP and its own NIC. NAT rule 1 carries authentication traffic (port 443); NAT rule 2 carries HTML5 Gateway traffic (port 444). Alternatively, the HTML5 Gateway can run on a dedicated VM; it still needs its own public IP and NAT rule, but in that case port 443 can be used.
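The requirements above are easy to get subtly wrong (a certificate that does not match the public name, an internal DNS record still pointing at the public IP, an IIS install that left port 443 open to the world). The script below is an added example, not ClassLink tooling: it checks the hardware, software, IIS, DNS and certificate points listed above on a candidate server and adds a host firewall rule that limits inbound 443 to the ClassLink source IPs. The host name, internal IP, public resolver and allow-list are placeholders; fill the allow-list from the source IP list above.

```powershell
# Added example (not ClassLink's own tooling): pre-flight checks for a LaunchPad Gateway
# Server candidate, plus a host firewall rule that limits inbound HTTPS to the ClassLink
# source IPs from the requirements list. Run from an elevated PowerShell on the server.
# ASSUMPTIONS: the host name, internal IP, resolver and allow-list below are placeholders.

$PublicHostName = 'launchpad.example-district.org'     # public/internal DNS A record name (placeholder)
$InternalIp     = '10.0.5.20'                          # gateway's internal IP (placeholder)
$AllowedSources = @('198.51.100.10', '198.51.100.11')  # replace with the ClassLink public IPs from the list above
$PublicResolver = '8.8.8.8'                            # any external resolver, used to check the public record

$results = [ordered]@{}

# --- Hardware / software minimums from the requirements above ---
$os  = Get-CimInstance Win32_OperatingSystem
$cs  = Get-CimInstance Win32_ComputerSystem
$cpu = (Get-CimInstance Win32_Processor | Measure-Object NumberOfLogicalProcessors -Sum).Sum
$sys = Get-PSDrive -Name ($env:SystemDrive.TrimEnd(':'))

$results['OS is Windows Server 2012/R2, 2016 or 2019'] = $os.Caption -match 'Server 2012|Server 2016|Server 2019'
$results['Domain member server (DomainRole 3, not a DC)'] = $cs.PartOfDomain -and $cs.DomainRole -eq 3
$results['At least 4 logical CPUs']                    = $cpu -ge 4
# a 4 GB VM reports slightly less than 4GB of usable memory, so allow a small margin
$results['At least 4 GB RAM']                          = $cs.TotalPhysicalMemory -ge 3.8GB
$results['At least 50 GB free on system drive']        = $sys.Free -ge 50GB
$results['IIS (Web-Server) role installed']            = (Get-WindowsFeature -Name Web-Server).Installed

# --- IIS: an HTTPS binding on 443 backed by the imported .pfx certificate ---
Import-Module WebAdministration
$sslBinding = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 } | Select-Object -First 1
$results['IIS HTTPS binding on 443'] = [bool]$sslBinding
if ($sslBinding) {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $sslBinding.Thumbprint }
    $dns  = if ($cert) { $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false) }
    $results['443 certificate present and unexpired']  = [bool]$cert -and $cert.NotAfter -gt (Get-Date)
    # -like handles both exact names and wildcard certificates (*.example-district.org)
    $results['443 certificate issued for public name'] = [bool]$dns -and ($PublicHostName -like $dns)
    $results['443 certificate chains to a trusted CA'] = [bool]$cert -and $cert.Verify()
}

# --- DNS: the same name must resolve to the internal IP inside and to the public IP outside ---
$inside  = Resolve-DnsName -Name $PublicHostName -Type A -ErrorAction SilentlyContinue
$outside = Resolve-DnsName -Name $PublicHostName -Type A -Server $PublicResolver -ErrorAction SilentlyContinue
$results['Internal DNS A record points at internal IP'] = @($inside.IPAddress) -contains $InternalIp
$results['Public DNS A record exists']                  = [bool]$outside
$results['Public record is not the internal IP']        = [bool]$outside -and (@($outside.IPAddress) -notcontains $InternalIp)

# --- Host firewall: only the ClassLink source IPs may reach 443 (defense in depth behind the perimeter NAT) ---
$ruleName = 'LaunchPad Gateway HTTPS (ClassLink sources only)'
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 443 `
                    -RemoteAddress $AllowedSources -Action Allow -Profile Any | Out-Null
# The rule IIS installs allows 443 from anywhere; disable it so the scoped rule is the only allow.
# Confirm the rule name on your build with: Get-NetFirewallRule -DisplayGroup '*Web*'
Get-NetFirewallRule -DisplayName 'World Wide Web Services (HTTPS Traffic-In)' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule
$scoped = Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter
$results['Inbound 443 scoped to ClassLink source IPs'] = @($scoped.RemoteAddress) -notcontains 'Any'

$results.GetEnumerator() | ForEach-Object {
    '[{0}] {1}' -f ($(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key)
}
```

The host firewall rule does not replace the source restriction on the perimeter firewall's NAT rule; it is a second check that survives a mistaken edit on the perimeter. If the HTML5 Gateway shares the server, add an equivalent scoped rule for port 444.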
DMZ Firewall (Optional)
If the LaunchPad Gateway Server is placed in a DMZ, the firewall needs the following rules:

| Direction | Source | Destination | Ports |
|---|---|---|---|
| Outside to DMZ | Any | LaunchPad Gateway Server | TCP 443 (and TCP 444 if the HTML5 Gateway shares this server) |
| DMZ to inside | DMZ | AD Server | TCP/UDP 389 : LDAP |
| DMZ to inside | DMZ | Terminal Servers | |
| DMZ to File Server | ClassLink Server | File Server (for MyFiles) | TCP 135 : MS-RPC; TCP 1025 & 1026 : AD Login; TCP 445 : SMB, MS-DS; TCP 139 : SMB; UDP 137 & 138 : NetBIOS; UDP 88 : Kerberos v5 |

Two practical notes. The "Any" source on the outside-to-DMZ rule should still be narrowed to the ClassLink public IPs listed under Server Network, since nothing else needs to reach the gateway on 443. And because the gateway is a domain member, the Kerberos (UDP 88) and AD Login entries are answered by your domain controllers, so if your DMZ rules are written per destination host, allow them toward the AD Server as well.
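Once the rules are in place, the quickest way to find the one that was mistyped is to probe each port from the gateway itself. The script below is an added example, not ClassLink tooling: it probes the TCP ports in the table with Test-NetConnection and, because UDP 88/137/138 and UDP 389 cannot be probed that way, exercises the AD and SMB paths end to end (secure channel, LDAP RootDSE bind, share listing). Host names and the share name are placeholders for your environment.

```powershell
# Added example (not ClassLink's own tooling): run on the LaunchPad Gateway Server in the DMZ to
# confirm the inside-facing rules from the table actually pass traffic.
# ASSUMPTIONS: host names and the share name are placeholders for your environment.

$DomainController = 'dc01.corp.example-district.org'     # AD Server row (placeholder)
$FileServer       = 'files01.corp.example-district.org'  # File Server (for MyFiles) row (placeholder)
$Share            = 'Staff$'                             # a share the gateway's account may list (placeholder)
$TerminalServers  = @('ts01.corp.example-district.org')  # Terminal Servers row (placeholder; the table lists no ports)

# TCP ports as given in the table. The AD Login entries are served by domain controllers, so they
# are probed against the AD Server. 1025/1026 are legacy fixed RPC ports; on Server 2008 and later
# the RPC dynamic range is 49152-65535, so a BLOCK result there is not necessarily a firewall problem.
$tcpChecks = @(
    @{ Target = $DomainController; Port = 389;  Service = 'LDAP' },
    @{ Target = $DomainController; Port = 1025; Service = 'AD Login (legacy RPC)' },
    @{ Target = $DomainController; Port = 1026; Service = 'AD Login (legacy RPC)' },
    @{ Target = $FileServer;       Port = 135;  Service = 'MS-RPC' },
    @{ Target = $FileServer;       Port = 445;  Service = 'SMB, MS-DS' },
    @{ Target = $FileServer;       Port = 139;  Service = 'SMB (NetBIOS session)' }
)

foreach ($c in $tcpChecks) {
    $r = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
    '[{0}] TCP {1,-5} {2,-22} -> {3}' -f ($(if ($r.TcpTestSucceeded) { 'OPEN ' } else { 'BLOCK' }), $c.Port, $c.Service, $c.Target)
}

# Functional checks that cover the UDP-only entries (Kerberos 88, NetBIOS 137/138, LDAP over UDP)
$functional = [ordered]@{}

# Secure channel to the DC: fails if Kerberos/RPC to the domain controller is blocked
$functional["Secure channel to $DomainController"] =
    Test-ComputerSecureChannel -Server $DomainController -ErrorAction SilentlyContinue

# LDAP bind over 389 (anonymous RootDSE read; no credentials needed)
try {
    $rootDse = [ADSI]"LDAP://$DomainController/RootDSE"
    $functional['LDAP RootDSE bind'] = [bool]$rootDse.defaultNamingContext
} catch {
    $functional['LDAP RootDSE bind'] = $false
}

# SMB to the MyFiles server: listing a share proves 445 (or 139) plus authentication work end to end
$functional["SMB \\$FileServer\$Share reachable"] = Test-Path -Path "\\$FileServer\$Share" -ErrorAction SilentlyContinue

# Terminal Servers: the table lists no ports, so only basic reachability is checked
foreach ($ts in $TerminalServers) {
    $functional["Terminal server $ts reachable (ICMP)"] = Test-Connection -ComputerName $ts -Count 1 -Quiet
}

$functional.GetEnumerator() | ForEach-Object {
    '[{0}] {1}' -f ($(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key)
}
```

Run it once before handing the server to ClassLink and again after any perimeter change; a failing secure channel with LDAP still passing usually means Kerberos (UDP 88) or RPC toward the domain controllers was left out of the rule set.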
Authentication Workflow
When users authenticate to LaunchPad with Active Directory, the process is the following:
- The user navigates to the LaunchPad website over TLS/SSL.
- The user enters their credentials into LaunchPad; they are sent, encrypted with TLS/SSL, to the LaunchPad API servers.
- LaunchPad API services forward the credentials to the LaunchPad web service hosted at the school encrypted using TLS/SSL.
- The LaunchPad web service will validate the user against Active Directory.
- The response is sent back to the LaunchPad API servers.
- LaunchPad API server returns response to client.
Active Directory accounts are automatically provisioned on the first login in LaunchPad provided their groups are configured with access.
The process for auto-provisioning is the following:
- A user who has not previously used LaunchPad logs in to their site's custom portal page with their existing Active Directory credentials.
- LaunchPad validates the user against Active Directory using the LaunchPad Web Service.
- If the user exists, LaunchPad will verify the group membership with groups configured within LaunchPad.
- If the user’s groups are configured in LaunchPad, their account is automatically created and they are logged in to LaunchPad.
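The decision the web service makes at steps 2 to 4 (validate the credential with a real bind, then gate on configured group membership) is shown below as an added example written against System.DirectoryServices.AccountManagement. It is not ClassLink's code and only returns a decision; LaunchPad's own web service does the provisioning. The domain, user and group names in the usage lines are placeholders.

```powershell
# Added example (not ClassLink's code): the validate-then-check-groups decision described in the
# workflow above, written against System.DirectoryServices.AccountManagement.
# ASSUMPTIONS: domain name, user and group names in the usage lines are placeholders.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-LaunchPadAccess {
    param(
        [Parameter(Mandatory)] [string]   $Domain,        # AD DNS domain, e.g. corp.example-district.org (placeholder)
        [Parameter(Mandatory)] [string]   $UserName,      # sAMAccountName as typed on the portal
        [Parameter(Mandatory)] [string]   $Password,      # plaintext inside the TLS session; never log it
        [Parameter(Mandatory)] [string[]] $AllowedGroups  # groups "configured with access" in LaunchPad
    )
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList `
        ([System.DirectoryServices.AccountManagement.ContextType]::Domain), $Domain
    try {
        # Step 1: a real bind with the supplied credential (Negotiate = Kerberos, NTLM fallback).
        # Disabled, locked-out and expired accounts fail here just like a wrong password does.
        $negotiate = [System.DirectoryServices.AccountManagement.ContextOptions]::Negotiate
        $valid = $ctx.ValidateCredentials($UserName, $Password, $negotiate)
        if (-not $valid) {
            return [pscustomobject]@{ User = $UserName; Valid = $false; Allowed = $false; MatchedGroups = @() }
        }

        # Step 2: effective (nested) group membership of the validated user
        $user     = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $UserName)
        $memberOf = @($user.GetAuthorizationGroups() | ForEach-Object { $_.SamAccountName } | Where-Object { $_ })

        # Step 3: the account is only allowed in (and would only be provisioned) if at least one of
        # its groups is one LaunchPad has configured
        $matched = @($AllowedGroups | Where-Object { $memberOf -contains $_ })
        [pscustomobject]@{ User = $UserName; Valid = $true; Allowed = ($matched.Count -gt 0); MatchedGroups = $matched }
    }
    finally {
        $ctx.Dispose()
    }
}

# Usage with placeholder values; prompt so the password never lands in shell history:
# $pw    = Read-Host -Prompt 'Password' -AsSecureString
# $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw))
# Test-LaunchPadAccess -Domain 'corp.example-district.org' -UserName 'jdoe' -Password $plain `
#                      -AllowedGroups 'LaunchPad-Students', 'LaunchPad-Staff'
```

Two things worth keeping from this shape: the group check is done with GetAuthorizationGroups, which expands nested membership, so a user placed in a sub-group of a configured group is still admitted; and a valid credential with no matching group returns Valid = $true but Allowed = $false, which is the case the last two workflow steps distinguish and the one to log when a user reports they "can log in but nothing happens".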
Updated: Dec 2018