Installation Requirements

From Opendium Documentation
Revision as of 17:22, 30 September 2022 by Steve (talk | contribs)
Jump to navigation Jump to search

In order for your Opendium system to integrate into your network, there some basic configuration of your existing systems needs to be carried out. The Opendium installation engineer will ensure that the necessary configuration is done at installation time, but it is documented here for your reference.

Internet connectivity

Opendium systems must be connected to an internet connection which provides a static IP address.

The Opendium system has an integrated firewall, and we do not recommend installing it behind a third party firewall since this adds unnecessary complexity. However, if it is installed behind another firewall, at least TCP ports 22 (SSH) and 80 (HTTP) must be forwarded to the Opendium system.

  • TCP port 22 is used by Opendium engineers to access your system in order to provide technical support.
  • TCP port 80 is used to automatically renew encryption certificates.

External DNS records

The following DNS records must be added to your external DNS zone:

opendium A <external IPv4 address>
opendium AAAA <external IPv6 address>

The addresses for these records are your Opendium system's external IP addresses. If your internet provider only supports the legacy IPv4 protocol, omit the AAAA record.

These records are required for:

  • Offsite backups of the system's configuration.
  • Monitoring of the system's health.
  • Access by Opendium engineers in order to provide technical support.
  • Automatic renewal of encryption certificates.

Depending on your wifi system, Opendium engineers may also recommend configuring the following DNS record:

wifi CNAME opendium

This may be required for automatic renewal of encryption certificates used by the RADIUS authentication server.

Internal DNS configuration

The following DNS records must be added to your internal DNS zone:

opendium A <internal IPv4 address>
opendium AAAA <internal IPv6 address>
proxy A <internal IPv4 address>
proxy AAAA <internal IPv6 address>
wpad A <internal IPv4 address>
wpad AAAA <internal IPv6 address>
certcheck A <internal IPv4 address>
certcheck AAAA <internal IPv6 address>

The addresses for these records are your Opendium system's primary internal IP addresses. If your network does not have IPv6, omit the AAAA records.

Although it is tempting to use CNAME records rather than A / AAAA records, this should not be done as unfortunately CNAMEs break some functionality, such as Kerberos single sign-on authentication.

If your internal DNS records are hosted by your Windows Domain Controllers, their global query block list must be disabled in order to allow the wpad record to be resolved. This must be done on all of the domain controllers, not just the primary one, using the following command:

dnscmd /config /enableglobalqueryblocklist 0

Your internal DNS servers should be configured to always forward DNS requests to the Opendium system. On Windows systems, this can be done by adding forwarders into the DNS server properties in DNS Manager. Ensure the "Use root hints if no forwarders are available" check box is '''not''' ticked. This must be done on all of your internal DNS servers.

Time synchronisation

Many services require clocks to be properly synchronised. In particular, Kerberos single sign-on authentication if very sensitive to clock drift and will not work if clocks have drifted by more than 5 minutes. The Opendium system provides an NTP service and your domain controllers should all be configured to synchronise against the Opendium's NTP service.

Trust relationship

If the Opendium system is being installed into a Windows network, it requires a trust relationship with the domain. The Opendium installation engineer will configure the trust relationship, which will require a temporary domain administrator account. Once the trust relationship has been established, the temporary administrator account can be removed.

User synchronisation

If the Opendium system is being installed into a Windows network, it must synchonise its internal user directory with Active Directory. This requires a user to be created within Active Directory for that purpose. This user should not be an administrator.

The synchronisation user's DN and password are configured on the Opendium system in the User Sync Configuration page, together with the IP address of the domain controller and the domain's base DN. By default all of the users under the base DN are synchronised, but more specific OUs can be added here to be synchronised instead.

Appropriate group mappings must also be configured in the User Sync Configuration page, to ensure that users are mapped into appropriate Opendium groups, based on their Active Directory security groups.

DHCP

The following DHCP option must be added to all DHCP scopes:

Name WPAD
Data type String
Array Unticked
Code 252
Description http://wpad.<internal domain>/wpad.dat

Replace <internal domain> with your internal domain.

This is because whilst the Opendium system can filter web traffic which is not sent via its web proxy server, there are certain capabilities that can only be provided by the proxy. It is therefore always best to use the proxy server where possible. It is possible to manually configure devices to use the proxy, but that can cause a number of problems, especially in situations where devices may be moved onto other networks, such as laptops which may be taken home. We therefore recommend using automatic configuration, which requires this DHCP option.

Group policy

Ensure that no proxy is configured through Group Policy and that clients are set to autodiscover proxy settings.

Download the certificate from the Web Proxy page and import it into the Trusted Root Certification Authorities store.

This is required to allow the Opendium system to decrypt and inspect HTTPS traffic. This certificate is unique to your Opendium system.

Proxy

We recommend using automatic proxy discovery. However, if it is necessary to manually configure the proxy, the settings used should be:

Proxy address proxy.<internal domain>
Port 3128
ArrayUse the same proxy server for all protocols Ticked

You must use the address shown above, rather than the proxy's IP address, otherwise Kerberos Single Sign-on authentication will not work.

In order for the Opendium system to be able to decrypt HTTPS traffic, devices on your network must have the appropriate certificate installed. Download the certificate from the Web Proxy page and import it into the Trusted Root Certification Authorities store. This certificate is unique to your Opendium system.

Wifi

If you have any wifi networks which use WPA2-Enterprise / 802.1x authentication, they must be added to the RADIUS Clients page and configured to send RADIUS accounting data to the Opendium system.

The Opendium system also provides a RADIUS authentication service, so it may be desirable to configure the wifi networks to use the Opendium system for authentication.