NxFilter solution with Active Directory integration

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #1

    Hello,

    I am testing the NxFilter solution with Active Directory integration.

    My NxFilter server runs on a dedicated machine. I was able to configure the synchronization of my users and groups without any problem, making sure to enter the local domain and the MS DNS in the "Active Directory" configuration under "User", and the Microsoft DNS also as Upstream on the NxFilter.

    I configured authentication without redirection to a login page. I enabled the authentication feature via radius for non-domain devices or tablets. I use a GPO with VxLogin for the workstations in the AD.

    I have set the IP of the NxFilter server as the only DNS via DHCP. Everything seems to work well with radius authentication (I can see the devices in "logging" "DNS REQUEST"). For domain computers (wired, outside of radius), I have an issue. Since authentication is done via GPO, DNS resolution is broken until the GPO executes, causing a lot of problems and slowness at login.

    Additionally, with the nslookup command (after the GPO), I get this message:

    nslookup domaine.local
    serveur: Unknow
    Address: 172.16.255.20 (Nxfilter )
    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds
    Nom : domaine.local
    adresses ; 172.16.255.12 (MS DNS)
    172.16.255.11 (MS DNS)

    Do you have any advice to guide me, please? I have read the documentation which indicates that NxFilter manages the redirection of MS DNS if they are properly configured in NxFilter to make domain computers work.

    Did I miss something? Thank you in advance.

  • #2
    On the edit page for your AD settings, there's an MS DNS tab. There's also a brief explanation.

    NxFilter bypasses your Active Directory domain to your MS DNS server based on your AD importation settings. When you run your MS DNS server on a different server other than your DC, you need to bypass it manually.
    If you think this one is not for you, then you'd need to bypass your AD domain and reverse lookup domain on 'DNS > Setup > Local DNS'.



    • #3
      Hello,

      Thank you for your response)

      Our MS DNS servers are also domain controllers. They are "correctly" configured in the import settings.

      [Three screenshots of the NxFilter v4.7.1.4 Active Directory import settings attached, 2025-03-26]



      • #4
        You can monitor what's going on when you send queries for your AD domain. Enable debugging: https://tutorial.nxfilter.org/i-faq.php#enable-debug

        And then run it in the foreground and see its output, or 'tail -F /nxfilter/log/nxfilter.log'.

        You need to confirm it is bypassing the queries for your AD domain properly.

        I don't think you get 'DNS request time out' when it's blocked by NxFilter for authentication. It will get NxFilter IP or Block Redirection IP for weblogin. So, there might be something else.

        And you don't need to use your MS DNS servers as your upstream server if you properly bypass your AD domain to them. And when you use Local DNS, you'd better bypass your reverse lookup domain as well. Something like '168.192.in-addr.arpa'.



        • #5
          Hello)

          Thank you for your response, I was able to solve the login issue thanks to it, as I had limited the types of requests. This problem is now resolved. However, I still have the issue with the two 'timed out' requests. Do you have any suggestions, please?

          [Screenshot attached: 2025-03-27 16_39_27-Window.png]

          DEBUG [03-27 16:30:37] - RHr, RH #22, nxfilter.com.domaine.local, rqSize = 0, rDc = 1, rTtl = 0, rType = 1, cltIp = 172.16.13.10.
          DEBUG [03-27 16:30:37] - RHr, Local domain = nxfilter.com.domaine.local.
          DEBUG [03-27 16:30:37] - Sending nxfilter.com.domaine.local./A, id=14 to resolver 0 (SimpleResolver [/172.16.255.11:53]), attempt 1 of 3
          DEBUG [03-27 16:30:37] - Sending nxfilter.com.domaine.local./A, id=14 to udp/172.16.255.11:53
          INFO [03-27 16:30:37] - RequestQueue.add, Blocked request type! domain = nxfilter.com.domaine.local, type = 28, ip = 172.16.13.10.
          WARN [03-27 16:30:37] - ReducedLog > UdpServer.run, Couldn't add a request, cltIp = 172.16.13.10.
          DEBUG [03-27 16:30:39] - RHr, RH #21, nxfilter.com, rqSize = 0, rDc = 1, rTtl = 0, rType = 1, cltIp = 172.16.13.10.
          DEBUG [03-27 16:30:39] - RespCache.find, Add it into persistent cache, Response : domain = nxfilter.com, queryType = 1, ctime = 1743088387, mtime = 1743089439, isExpired = false, elapsedTime = 1052, hitCnt >
          DEBUG [03-27 16:30:39] - RespCache.find, Found a cache, Response : domain = nxfilter.com, queryType = 1, ctime = 1743088387, mtime = 1743089439, isExpired = false, elapsedTime = 1052, hitCnt = 2, negativeRc>
          DEBUG [03-27 16:30:39] - RespCache.run, Writing persistent cache, Response : domain = nxfilter.com, queryType = 1, ctime = 1743088387, mtime = 1743089439, isExpired = false, elapsedTime = 1052, hitCnt = 2, >
          INFO [03-27 16:30:39] - RequestQueue.add, Blocked request type! domain = nxfilter.com, type = 28, ip = 172.16.13.10.

          Thank you in advance

          GJ



          • #6
            That is just an nslookup problem. You need to add '.' at the end of the domain you are querying. Otherwise, it will add your local domain to the domain.

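As an added illustration (not code from this thread or from the NxFilter project), the Python below models the suffix search that turns `nxfilter.com` into `nxfilter.com.domaine.local`, shows that a trailing dot stops it, and parses the "Blocked request type" lines in the log format quoted above so that refused query types (28 = AAAA) are reported by name. The suffix-first-then-bare search order and the sample log lines are assumptions constructed for this example.

```python
import re
from typing import Dict, List

# DNS query type numbers seen in the thread's log (type = 1, type = 28).
QTYPE_NAMES = {1: "A", 12: "PTR", 28: "AAAA"}


def candidate_names(name: str, dns_suffix: str) -> List[str]:
    """Names an nslookup-style client will query for `name`, in order.

    A trailing dot marks the name as fully qualified, so it is queried as
    typed.  Otherwise the client's DNS suffix is appended first and the
    bare name is tried afterwards (simplified model, an assumption here).
    """
    if name.endswith("."):
        return [name]
    return [f"{name}.{dns_suffix}", name]


# Matches the INFO line NxFilter writes when the request-type filter refuses
# to queue a query (format taken from the log quoted in the thread).
BLOCKED_RE = re.compile(
    r"Blocked request type! domain = (?P<domain>\S+), "
    r"type = (?P<qtype>\d+), ip = (?P<ip>[\d.]+)\."
)


def blocked_queries(log_text: str) -> List[Dict[str, str]]:
    """Return one record per refused query: domain, query type name, client."""
    found = []
    for line in log_text.splitlines():
        m = BLOCKED_RE.search(line)
        if m:
            qtype = int(m.group("qtype"))
            found.append({"domain": m.group("domain"),
                          "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
                          "client": m.group("ip")})
    return found


# Constructed sample in the same format as the log lines quoted above.
SAMPLE_LOG = """\
INFO [03-27 16:30:37] - RequestQueue.add, Blocked request type! domain = nxfilter.com.domaine.local, type = 28, ip = 172.16.13.10.
DEBUG [03-27 16:30:39] - RHr, RH #21, nxfilter.com, rqSize = 0, rDc = 1, rTtl = 0, rType = 1, cltIp = 172.16.13.10.
INFO [03-27 16:30:39] - RequestQueue.add, Blocked request type! domain = nxfilter.com, type = 28, ip = 172.16.13.10.
"""

if __name__ == "__main__":
    print(candidate_names("nxfilter.com", "domaine.local"))
    print(candidate_names("nxfilter.com.", "domaine.local"))
    for q in blocked_queries(SAMPLE_LOG):
        print(q)
```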


            • #7
              Hello,

              All my issues seem to be resolved thanks to your advice, but I still have a problem with reverse DNS.

              I see this in my NxFilter logs (DEBUG) whenever I attempt a reverse lookup with nslookup (e.g. 172.16.255.20): "RHr, Drop PTR query for private IP, 20.255.16.172.in-addr.arpa."

              If I use the domain controller's DNS directly, I have no problem. The reverse DNS is correctly configured on the Microsoft DNS server.

              Do you have any suggestions, please?

              Thank you in advance

              GJ



              • #8
                Did you check 'Drop Reverse Lookup for Private IP' on 'DNS > Server Protection'?

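To make the reverse-lookup side of posts #4, #7 and #8 concrete, here is an added Python example (not from this thread or from NxFilter): it derives the PTR name queried for an address such as 172.16.255.20, lists the in-addr.arpa zones a Local DNS bypass entry would need for a private range (including a /12, which is not on an octet boundary and so expands to several zones), and checks whether a PTR query name falls in RFC 1918 space, which is the condition this model assumes the 'Drop Reverse Lookup for Private IP' setting applies.

```python
import ipaddress
from typing import List

# RFC 1918 ranges: the "private IP" set this model assumes the drop rule uses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ptr_name(ip: str) -> str:
    """PTR owner name a client queries for an IPv4 address,
    e.g. 172.16.255.20 -> 20.255.16.172.in-addr.arpa (as in the log above)."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def reverse_zones(cidr: str) -> List[str]:
    """in-addr.arpa zones covering an IPv4 network, in the octet-boundary form
    a bypass entry takes ('168.192.in-addr.arpa' for 192.168.0.0/16).
    A prefix not on an octet boundary (e.g. /12) expands to several zones."""
    net = ipaddress.ip_network(cidr, strict=True)
    width = max(8, 8 * ((net.prefixlen + 7) // 8))   # round up to whole octets
    zones = []
    for sub in net.subnets(new_prefix=width):
        octets = str(sub.network_address).split(".")[: width // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def is_private_ptr(qname: str) -> bool:
    """True when a PTR query name maps back to an RFC 1918 address, i.e. the
    case a 'drop reverse lookup for private IP' rule would discard."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return False
    try:
        ip = ipaddress.IPv4Address(".".join(reversed(labels[:-2])))
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


if __name__ == "__main__":
    print(ptr_name("172.16.255.20"))
    print(reverse_zones("172.16.0.0/12"))
    print(is_private_ptr("20.255.16.172.in-addr.arpa"))
```

With the drop rule enabled, every name `is_private_ptr` accepts is answered by nothing, which is exactly the symptom in post #7; bypassing the zones from `reverse_zones` to the DC only helps once that rule is off.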


                • #9
                  That's exactly it, I'm an idiot. Sorry for the inconvenience.

                  All issues are resolved.

                  Thank you for your promptness and help))
