The Astaro User Portal can be used to give your Astaro clients access to functions such as email quarantine, whitelists, and Remote Access VPN setups.
To control access to the User Portal, either local or backend authentication can be configured.
This article will deal with User Portal access using Active Directory or LDAP backend authentication servers.
Preparation:
* Determine from Windows Server the DN for the binding user and for the Base DN
* Add a DNS entry on your Windows Domain Server
On the Astaro:
* Define the Host IP of the server offering AD and/or LDAP services
* Configure User Authentication with Active Directory or LDAP
* Create a new users group for automatically-created users authenticated by AD or LDAP
* Configure the User Portal
----
Determine from Windows Server the DN for the binding user and for the Base DN
If you pick a user with administrative rights, you will be able to configure either or both LDAP and AD. You will need the full, exact Distinguished Name (DN) for the Astaro to be able to work with AD or LDAP services. To determine the notation needed, open a Command Prompt on the server running the AD services. In my case, I have a separate login for me when I want to be an administrator, bob2, so I ran the following command:
dsquery user -name b*
Among the responses was the one I was looking for:
Because I want to be able to use pre-existing AD groups to fine-tune the HTTP Proxy and to limit use of the Portal to select users, I’ll set the Base DN for my AD as:
Add a DNS entry on your Windows Domain Server
It is likely that you have a hostname for the IP of the External interface of the Astaro; for example, mail.ourdomain.com. There’s a way for that to point at the internal interface of the Astaro for users inside the firewall, normally including anyone who has VPN’d in via Astaro Remote Access.
This assumes that internal users are set up to check an internal DNS prior to looking for an external one on the internet. On your internal Domain Controller, make sure that in your internal DNS there is an entry in ‘Forward Lookup Zones’ in the ourdomain.com (substitute your domain name) folder that points mail (your sub domain) at the IP of the internal interface on your Astaro.
Define the Host IP of the server offering LDAP and/or AD services
It is likely that you already have created a Definition in Networks for this server. If not, go to ‘Definitions >> Networks’, and click on ‘New Network Definition’.
Name: AD Server (for example)
Type: Host
Address: 10.0.0.9 (for example)
Don’t forget to hit ‘Save’.
Configure User Authentication
From ‘Users >> Authentication’, select the ‘Advanced’ tab. Use the blue arrows to set the ‘Backend query order’ as desired and hit ‘Apply’.
Select the ‘Global Settings’ tab, check the box for ‘Create users automatically’ and hit ‘Apply’. Make sure the ‘End-User Portal’ box is checked in the ‘Automatic user creation’ section, and hit ‘Apply’.
A. Configure User Authentication with Active Directory
Select the ‘Active Directory’ tab and click on ‘Enable’.
For ‘Server’, click on the file folder and drag ‘AD Server’ into the box. It is likely that you will want to leave the ‘SSL’ box unchecked and the ‘Port’ unchanged at 389.
The ‘Bind User DN’ is the string we captured in the first step above (in our example):
*NOTE* Do NOT hit the ‘Test Server’ button yet! You must hit ‘Apply’ after you make any changes to the above and before you touch ‘Test Server’ or your changes will be lost.
First, fill in the ‘Base DN’ (in our example):
Hit ‘Apply’, then ‘Test Server’.
B. Configure User Authentication with LDAP
Select the ‘LDAP’ tab and click on ‘Enable’.
For ‘Server’, click on the file folder and drag ‘AD Server’ into the box. It is likely that you will want to leave the ‘SSL’ box unchecked and the ‘Port’ unchanged at 389. Leave the ‘User Attribute’ set on ‘CN’ (Common Name).
The ‘Bind User DN’ is the string we captured in the first step above (in our example):
The ‘Base DN’ is (in our example):
Hit ‘Apply’. You should get a message that the LDAP settings were saved successfully.
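Both tabs above depend on the Bind User DN and Base DN being exact. As an added example (not part of the original article or of Astaro's software), this Python check parses the values before they are pasted into WebAdmin, flags typographic quotes or dashes picked up by copy-paste, and reports any user or group DN that falls outside the Base DN. The function names and the example.com sample DNs are constructed, and it assumes the objects you need must sit under the Base DN.

```python
SMART = "\u2018\u2019\u201c\u201d\u2013\u2014"  # curly quotes, en/em dashes

def parse_dn(dn):
    """Split a DN into (ATTR, value) pairs. Strips the quotes dsquery prints
    and keeps a backslash-escaped comma (CN=Doe\\, Jane) in its component."""
    dn = dn.strip().strip('"')
    parts, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf, i = buf + dn[i:i + 2], i + 2   # keep the escape pair together
        elif dn[i] == ",":
            parts, buf, i = parts + [buf], "", i + 1
        else:
            buf, i = buf + dn[i], i + 1
    parts.append(buf)
    pairs = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed component {part!r}")
        pairs.append((attr.strip().upper(), value.strip().lower()))
    return pairs

def is_under(dn, base_dn):
    """True if dn equals base_dn or sits below it (case-insensitive)."""
    base = parse_dn(base_dn)
    return parse_dn(dn)[-len(base):] == base

def check_settings(bind_dn, base_dn, needed_dns):
    """Return a list of problems in the values about to be entered."""
    problems = []
    named = [("Bind User DN", bind_dn), ("Base DN", base_dn)]
    for label, dn in named + [("Needed DN", d) for d in needed_dns]:
        if any(c in SMART for c in dn):
            problems.append(f"{label}: typographic quote or dash")
        try:
            parse_dn(dn)
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
    if not problems:
        problems = [f"outside Base DN: {d}" for d in needed_dns
                    if not is_under(d, base_dn)]
    return problems

# Constructed sample values; example.com is a placeholder domain.
BIND = '"CN=svc-astaro,CN=Users,DC=example,DC=com"'  # quoted as dsquery prints it
BASE = "DC=example,DC=com"
NEEDED = ["CN=Portal Users,OU=Groups,DC=example,DC=com",
          "CN=Doe\\, Jane,OU=Staff,DC=example,DC=org"]
```

Calling `check_settings(BIND, BASE, NEEDED)` on the sample values reports the second entry, whose domain components do not match the Base DN.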
Create a new users group for automatically-created users authenticated by AD or LDAP
At ‘Users >> Groups’, hit ‘New group’. Name the group “Backend users” (for example).
Select ‘Group type’ ‘Backend membership’. For the ‘Backend’, select ‘LDAP’ or ‘Active Directory’ as appropriate.
If you want to limit the mail users who can access the Astaro User Portal, check ‘Limit to backend group(s) membership’ and indicate which group(s) should have a personal whitelist and access to it.
Configure the User Portal.
From ‘Management >> User Portal’, on the ‘Global’ tab, click on the folder beside ‘Allowed networks’ then drag ‘Any’ into the box. You may want to restrict this more, but it’s likely you will have people both inside and outside your firewall who will want to access the User Portal.
Select whether you want to allow all users or only a select group or individuals, and hit ‘Apply’.
On the ‘Advanced’ tab, put mail.ourdomain.com (your subdomain.domain), leave 443 as the standard ‘HTTPS port’* and hit ‘Apply’.
Your AD/LDAP users can now use the portal at https://mail.ourdomain.com/.
*Beginning with V7, Astaro moved WebAdmin access from port 443 to 4444 because many sites DNAT HTTPS traffic to an internal server. Our standard approach has been to create an additional IP on the External interface when we wanted to do things like offering Outlook Web Access via HTTPS. If it’s impractical for you to do this, then you’ll need to change the port. For example, change it to 1443 and use https://mail.ourdomain.com:1443/.
Contributed Article by:
Robert Alfson - MediaSoft, Inc
Astaro Preferred Partner