Active Directory integration
NxFilter supports Active Directory integration. We tried to make it simple and easy, but some people still find it hard to follow. So we want to explain, at a conceptual level, what Active Directory integration means for NxFilter, when to use it, and how to implement it.
What is Active Directory integration?
One of the reasons people want to integrate NxFilter with Active Directory is that they want to apply filtering policies based on Active Directory users and groups. They also don't want their users to go through any extra login step beyond logging in to their own PCs. So for NxFilter, 'Active Directory integration' means using the same user accounts from your Active Directory to differentiate users on NxFilter, and having single sign-on with Active Directory.
User importation
Now we know what Active Directory integration is and why we need it. But how do you do it? On NxFilter, the first thing you need to do is import the users and groups from Active Directory, so that NxFilter is aware of them. You can do that on 'User > Active Directory'. After you import your users and groups, your users will be able to use their Active Directory credentials on NxFilter's login page. At that point you have already achieved Active Directory integration to a certain level.
Single sign-on with Active Directory
Your users can use their Active Directory credentials on NxFilter's login page. However, they don't want to go through NxFilter's login page. So the next thing you need to do is implement single sign-on. For that you need one of our agent programs working with NxFilter. We have several agents: NxLogon, VxLogon, NxMapper, and CxLogon. You can use just one of them or mix and match them to complement each other.
For more information, read single sign-on or agent related parts of this tutorial.
MS DNS server and NxFilter
When you deploy NxFilter in an Active Directory environment, you might worry about breaking the integrity of Active Directory, since NxFilter is a DNS server and the role of a DNS server in Active Directory is very important. But we don't disable or replace the existing MS DNS server. Our approach is to work in cooperation with the existing DNS server. So you have to maintain your existing MS DNS server even though you use NxFilter as the DNS server for your network.
1. Where to install it
Some people try to install NxFilter on their domain controller. But you already have a DNS server there: your MS DNS server. It is better to install NxFilter on another system to avoid a port collision.
If you have to install it on your domain controller, watch our YouTube video tutorial for that, 'Install NxFilter on Windows server without having DNS port collision'.
2. Dynamic host update
An MS DNS server in Active Directory does a lot of things. It lets the hosts in Active Directory find the location of resources using SRV records. And it maintains a DNS zone for every host. It performs dynamic host IP updates when you change the IP address of a system. To keep all these things working, NxFilter automatically bypasses the internal DNS queries for the Active Directory domain to an MS DNS server.
3. Which upstream server for NxFilter
You might wonder which DNS server you should use as an upstream server for NxFilter, because you already have your MS DNS server. You can use any DNS server as an upstream DNS server for NxFilter, including the MS DNS server. NxFilter still forwards your Active Directory internal DNS queries to your MS DNS server. So you can use whichever DNS server you think is best.
4. Manual setup for MS DNS server
After you import Active Directory users and groups, NxFilter tries to work with your MS DNS server automatically based on your Active Directory importation setup, but sometimes you want different settings for your MS DNS server, or you may want redundancy for your MS DNS server. You can do those things on the edit page of your Active Directory importation setup. For redundancy, add multiple DNS servers separated by commas.
You might need to allow 'Nonsecure Dynamic Update' on your MS DNS zone properties for NxFilter to update the IP addresses of the hosts in your MS DNS zone.
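A way to confirm the forwarding described under 'Dynamic host update', as an added example that is not part of the NxFilter documentation: the PowerShell script below asks both NxFilter and the MS DNS server for the standard Active Directory locator SRV records and reports any that are missing or different when resolved through NxFilter. The domain name and the two server addresses are placeholder assumptions.

```powershell
# Added example. All three values are placeholders (assumptions); replace with your own.
$AdDomain = 'corp.example.com'   # Active Directory DNS domain name
$NxFilter = '192.0.2.10'         # NxFilter server that clients use as DNS
$MsDns    = '192.0.2.20'         # existing MS DNS server

# SRV records that domain members query to locate domain controllers.
$Records = @(
    "_ldap._tcp.dc._msdcs.$AdDomain",
    "_kerberos._tcp.dc._msdcs.$AdDomain",
    "_ldap._tcp.$AdDomain",
    "_kerberos._tcp.$AdDomain",
    "_gc._tcp.$AdDomain"         # exists only in the forest root domain
)

function Get-SrvTargets {
    param([string]$Name, [string]$Server)
    try {
        # -DnsOnly keeps LLMNR/NetBIOS out of the comparison.
        Resolve-DnsName -Name $Name -Type SRV -Server $Server -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |      # drop additional A/SOA records
            ForEach-Object { '{0}:{1}' -f $_.NameTarget.ToLower(), $_.Port } |
            Sort-Object -Unique
    } catch {
        @()   # NXDOMAIN, timeout or refusal: treat as "no answer"
    }
}

$Results = foreach ($r in $Records) {
    $viaMs = @(Get-SrvTargets -Name $r -Server $MsDns)
    $viaNx = @(Get-SrvTargets -Name $r -Server $NxFilter)
    if     ($viaMs.Count -eq 0)            { $status = 'NoRecordOnMsDns' }
    elseif ($viaNx.Count -eq 0)            { $status = 'MissingViaNxFilter' }
    elseif (Compare-Object $viaMs $viaNx)  { $status = 'Mismatch' }
    else                                   { $status = 'OK' }
    [pscustomobject]@{
        Record   = $r
        Status   = $status
        MsDns    = $viaMs -join ', '
        NxFilter = $viaNx -join ', '
    }
}

$Results | Format-Table -AutoSize -Wrap
# Non-zero exit code when NxFilter does not return what the MS DNS server returns.
if (@($Results.Status) -contains 'MissingViaNxFilter' -or
    @($Results.Status) -contains 'Mismatch') { exit 1 }
```

Run it from a domain-joined workstation after importing users and groups; a 'MissingViaNxFilter' or 'Mismatch' row means the MS DNS server settings on the Active Directory importation edit page need attention.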