nxfilter and multiple sites

  • nxfilter and multiple sites

    Hi,

    Another question... we have one headquarters and 5 sites... all sites are connected via VPN and all use the same Active Directory (Univention / Samba)... as I understand it, all clients need to use the NxFilter IP as their DNS server... but what if the headquarters is down? In that case all sites also have "no internet"... as I read it, NxRelay only works with NxCloud, is that right?

    Should I install a "slave" at every site and point all DHCP DNS settings to this slave?

    I'm not sure what would be the best scenario.
    Thx!

    Erik

  • #2
    For NxRelay, NxCloud is its policy server, not an upstream DNS server. You set an upstream server for each NxRelay, which is a local DNS server in most cases. Even if you lose NxCloud, NxRelay will keep working.

    However, do you have your AD DNS in your headquarters? Do you have DCs in those 5 sites, or do you have your DC only in your headquarters? If you have one DC in your headquarters only, don't you lose your AD and Internet?



    • #3
      Hi, thx for your response... yes, in the headquarters is the master AD and DNS server... and at every site a slave server... So for the client DNS settings the first DNS IP address is the site DNS server and the second DNS IP the DNS master in the headquarters... So if the headquarters goes down, the site can still work... And during the time when I update DNS at a site, the master will do the job... that's the current situation...

      And now we want to integrate nxfilter



      • #4
        If your VPN is fast enough, you can put slave nodes into each site. You can use public DNS servers as upstream DNS servers. NxFilter will bypass AD domains to your MS DNS server. Read this for MS DNS server and NxFilter: https://nxfilter.org/tutorial/c-acti...gration.php#ms

        But I think NxCloud + NxRelay is simpler. You can run NxRelay on your DC in each site by setting up an additional IP address.



        • #5
          I think a slave at every site would be really nice... but more than 4 slaves are not possible right now, or?

          NxCloud can't sync with Active Directory, or?



          • #6
            We have another option allowing up to 16 slave nodes. But it's a commercial license and more expensive than the Unlimited License for Jahaslist. This one is for cloud business users. So, it's for NxCloud.

            Do your users all have unique IPs when they use NxFilter? Are they VPN IPs, and do you use NxFilter via its VPN IP? If you have to use NxFilter's AD integration, they should have their own unique IPs.

            With NxCloud + NxRelay, you can still view their AD username even if there's a router between NxCloud and NxRelay. And you can apply policies based on private IP range and AD username. If there's a user who needs to be under a different policy, you can use NxProxy or create a user on the NxCloud side having the same username as his AD username.



            • #7
              There's something I was confused about. If you use NxRelay with NxFilter, you can have AD integration in a complete way. It's different from NxCloud. One condition is that your branch offices have to use different subnets.

              Branch #1 : 192.168.0.1 ~ 192.168.0.255
              Branch #2 : 192.168.1.1 ~ 192.168.1.255
              Branch #3 : 192.168.2.1 ~ 192.168.2.255

              You import AD users and groups into your master node, which runs in your headquarters, and NxRelay runs in each branch office. You can install NxRelay on the DC in the branch office, or you can use CxLogon. I guess it will work. You can also use 802.1x for smartphones with NxRelay. This one would be better than putting a slave node into each office.



              • #8
                Of course every branch / site has its own subnet...

                So, to test, I created an NxRelay in site A... set the DNS server in site A to this relay... it seems creating sessions via CxLogon is working... but filtering not really:

                Code:
                INFO [03-20 20:23:59] - NPr, Sending PING.
                INFO [03-20 20:23:59] - NxTalkie.lookup, Reset connErrCnt.
                INFO [03-20 20:23:59] - NPr, Ping success! IP = 192.168.62.33
                INFO [03-20 20:23:59] - NPr, Ping success! IP = 192.168.62.34
                INFO [03-20 20:24:01] - LoginListener._dealCxlogon, We created a login session for erik 192.168.212.196, win.
                ERROR [03-20 20:24:05] - Request.handleException, Socket timeout from a policy server! - pornhub.com
                INFO [03-20 20:24:05] - Request.handleException, But we still go on with an upstream server.
                ERROR [03-20 20:24:07] - Request.handleException, Socket timeout from a policy server! - pornhub.com
                INFO [03-20 20:24:07] - Request.handleException, But we still go on with an upstream server.
                ERROR [03-20 20:24:14] - Request.handleException, Socket timeout from a policy server! - google.de
                INFO [03-20 20:24:14] - Request.handleException, But we still go on with an upstream server.
                ERROR [03-20 20:24:15] - Request.handleException, Socket timeout from a policy server! - google.de
                INFO [03-20 20:24:15] - Request.handleException, But we still go on with an upstream server.
                ERROR [03-20 20:24:16] - Request.handleException, Socket timeout from a policy server! - google.de
                INFO [03-20 20:24:16] - Request.handleException, But we still go on with an upstream server.
                ERROR [03-20 20:24:18] - Request.handleException, Socket timeout from a policy server! - google.de
                INFO [03-20 20:24:18] - Request.handleException, But we still go on with an upstream server.
                ERROR [03-20 20:24:22] - Request.handleException, Socket timeout from a policy server! - google.de
                INFO [03-20 20:24:22] - Request.handleException, But we still go on with an upstream server.
                Port 80 is of course open on 192.168.62.33 and 192.168.62.34.

                Which token should I use?
                Last edited by richie1985; 03-20-2022, 09:42 PM.


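The log above shows the behaviour a practitioner should notice: each `Socket timeout from a policy server!` is followed by `But we still go on with an upstream server.`, meaning the relay answered the client from the upstream resolver without a policy decision, so the query was effectively unfiltered (fail-open). The script below is an added example, not code from the thread or from the NxFilter project; it parses NxRelay-style log lines (the sample is constructed from the lines in the post) and pairs each timeout with the fall-through that follows it, so you can count how many queries, for which domains, went out unfiltered and which CxLogon sessions were active at the time.

```python
import re
from collections import Counter

# Constructed sample modelled on the NxRelay log format shown in the post
# above (not a real capture; domains and IPs are taken from the thread).
SAMPLE_LOG = """\
INFO [03-20 20:23:59] - NPr, Ping success! IP = 192.168.62.33
INFO [03-20 20:24:01] - LoginListener._dealCxlogon, We created a login session for erik 192.168.212.196, win.
ERROR [03-20 20:24:05] - Request.handleException, Socket timeout from a policy server! - pornhub.com
INFO [03-20 20:24:05] - Request.handleException, But we still go on with an upstream server.
ERROR [03-20 20:24:07] - Request.handleException, Socket timeout from a policy server! - pornhub.com
INFO [03-20 20:24:07] - Request.handleException, But we still go on with an upstream server.
ERROR [03-20 20:24:14] - Request.handleException, Socket timeout from a policy server! - google.de
INFO [03-20 20:24:14] - Request.handleException, But we still go on with an upstream server.
"""

# LEVEL [MM-DD HH:MM:SS] - Source, message
LINE_RE = re.compile(r"^(?P<level>[A-Z]+) \[(?P<ts>[^\]]+)\] - (?P<src>[^,]+), (?P<msg>.*)$")
TIMEOUT_RE = re.compile(r"Socket timeout from a policy server! - (?P<domain>\S+)")
LOGIN_RE = re.compile(r"We created a login session for (?P<user>\S+) (?P<ip>[\d.]+)")
FALLTHROUGH_MSG = "But we still go on with an upstream server."


def parse_line(line):
    """Split one NxRelay log line into its fields; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_fail_open(log_text):
    """Pair each policy-server timeout with the fall-through that follows it.

    Every such pair is a query answered from the upstream resolver with no
    policy decision, i.e. a fail-open. Returns per-domain timeout and
    fail-open counts, the total, and the CxLogon sessions seen in the log,
    so you can tell which users were unfiltered while the policy server
    was unreachable.
    """
    timeouts = Counter()
    fail_open = Counter()
    sessions = []
    pending = None  # domain of the most recent timeout not yet matched
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        m_timeout = TIMEOUT_RE.search(msg)
        m_login = LOGIN_RE.search(msg)
        if m_timeout:
            pending = m_timeout.group("domain")
            timeouts[pending] += 1
        elif msg == FALLTHROUGH_MSG and pending is not None:
            fail_open[pending] += 1
            pending = None
        elif m_login:
            sessions.append((m_login.group("user"), m_login.group("ip")))
    return {
        "timeouts": dict(timeouts),
        "fail_open": dict(fail_open),
        "total_fail_open": sum(fail_open.values()),
        "sessions": sessions,
    }


if __name__ == "__main__":
    report = audit_fail_open(SAMPLE_LOG)
    for domain, n in sorted(report["fail_open"].items()):
        print(f"{domain}: {n} queries resolved upstream without a policy decision")
    print(f"total fail-open queries: {report['total_fail_open']}")
    print(f"sessions active: {report['sessions']}")
```

Run it against a real `/nxrelay/log` file instead of `SAMPLE_LOG` to size the exposure window during an outage; a non-zero `total_fail_open` on a relay that is supposed to enforce policy is worth alerting on, not just debugging.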

                • #9
                  You have to open UDP/53, TCP/80, TCP/443. If you use HTTPS queries only, you may not need UDP/53, but you also don't need to block it. We may need that port later. Try to open those ports.



                  • #10
                    Sure, everything is open, nothing is blocked... Ping and telnet are working... But same result.



                    • #11
                      Do these,

                      telnet your-server-ip 80
                      telnet your-server-ip 443
                      dig @your-server-ip block.nxfilter.org



                      • #12
                        Seems everything is fine:

                        Code:
                        root@nxrelay:~# telnet 192.168.62.33 80
                        Trying 192.168.62.33...
                        Connected to 192.168.62.33.
                        Escape character is '^]'.
                        ^X^CConnection closed by foreign host.
                        root@nxrelay:~# telnet 192.168.62.33 443
                        Trying 192.168.62.33...
                        Connected to 192.168.62.33.
                        Escape character is '^]'.
                        ^X^CConnection closed by foreign host.
                        root@nxrelay:~# dig @192.168.62.33 block.nxfilter.org
                        
                        ; <<>> DiG 9.16.1-Ubuntu <<>> @192.168.62.33 block.nxfilter.org
                        ; (1 server found)
                        ;; global options: +cmd
                        ;; Got answer:
                        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61294
                        ;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                        ;; WARNING: recursion requested but not available
                        
                        ;; OPT PSEUDOSECTION:
                        ; EDNS: version: 0, flags:; udp: 4096
                        ; COOKIE: 4f6f020fddd0c24a (echoed)
                        ;; QUESTION SECTION:
                        ;block.nxfilter.org. IN A
                        
                        ;; ANSWER SECTION:
                        block.nxfilter.org. 0 IN A 192.168.62.33
                        
                        ;; Query time: 72 msec
                        ;; SERVER: 192.168.62.33#53(192.168.62.33)
                        ;; WHEN: Mon Mar 21 06:52:48 UTC 2022
                        ;; MSG SIZE rcvd: 75


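The three checks from #11 (TCP/80, TCP/443, and an A query for `block.nxfilter.org` that must come back as the policy server's own address, as the dig output above shows) can be scripted so they run from the relay host on a schedule rather than by hand. The following is an added example, not code from the thread or from NxFilter: it builds and parses a raw DNS A query with the standard library, so it needs no `dig` binary, and separates the packet logic from the network calls so the parser can be exercised offline with a constructed response. `POLICY_SERVER` is the address from the thread; the probe name and the expectation that the answer equals the server IP come from the dig output in #12.

```python
import os
import socket
import struct

POLICY_SERVER = "192.168.62.33"      # from the thread; change to your NxFilter/NxCloud IP
PROBE_NAME = "block.nxfilter.org"    # per #12, NxFilter answers this with its own address
REQUIRED_TCP_PORTS = (80, 443)       # per #9; UDP/53 is checked by the query itself


def _encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_query(name, txid):
    """Standard A/IN query with RD=1 and the given transaction id."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, name, ip, ttl=0):
    """Constructed reply for offline testing: QR=1 RD=1, one A record whose
    owner name is a compression pointer to the question (offset 12)."""
    header = struct.pack("!HHHHHH", txid, 0x8100, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def _read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        if length == 0:
            off += 1
            break
        labels.append(data[off + 1:off + 1 + length].decode())
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(data, txid):
    """Return (rcode, [A record IPs]); raise if the reply is not for our query."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        _, off = _read_name(data, off)
        off += 4                                        # qtype + qclass
    ips = []
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0x0F, ips


def tcp_open(host, port, timeout=3.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_policy_server(host=POLICY_SERVER, timeout=3.0):
    """Same checks as the telnet/dig sequence in #11, as one dict of booleans."""
    result = {f"tcp{p}": tcp_open(host, p, timeout) for p in REQUIRED_TCP_PORTS}
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(PROBE_NAME, txid), (host, 53))
            data, _ = s.recvfrom(512)
            rcode, ips = parse_a_records(data, txid)
            result["udp53"] = True
            result["block_page_ok"] = rcode == 0 and host in ips
        except (OSError, ValueError):
            result["udp53"] = result["block_page_ok"] = False
    return result


if __name__ == "__main__":
    for check, ok in probe_policy_server().items():
        print(f"{check:14s} {'ok' if ok else 'FAIL'}")
```

`block_page_ok` is the check that matters: TCP ports can be open while the server still answers the probe with something other than its own address (a forwarded upstream answer, for instance), which would mean queries are reaching a resolver but not the filtering engine.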

                        • #13
                          I guess you use the DNS protocol. Try 'use_https_query = 1' then.

                          And enable debugging on the NxRelay side. In the /nxrelay/conf/log4j.properties file, change INFO to DEBUG.



                          • #14
                            Request.handleException mostly means that your NxRelay sends DNS queries to your NxFilter but doesn't get any response. Do you see those queries from NxRelay on your server? If you see them, there's something wrong after NxFilter sends its responses.
                            Last edited by support200; 03-21-2022, 07:58 AM.



                            • #15
                              I see them on the server, but the server says many times:

                              Code:
                              INFO [03-21 09:13:50] - RHr, Signal relay not allowed for Globlist!
                              INFO [03-21 09:13:50] - RHr, Signal relay not allowed for Globlist!
                              INFO [03-21 09:13:49] - RHr, Signal relay not allowed for Globlist!
                              INFO [03-21 09:13:50] - RHr, Signal relay not allowed for Globlist!
                              INFO [03-21 09:13:50] - RHr, Signal relay not allowed for Globlist!
                              INFO [03-21 09:13:51] - RHr, Signal relay not allowed for Globlist!
                              INFO [03-21 09:13:51] - RHr, Signal relay not allowed for Globlist!
                              INFO [03-21 09:13:52] - RHr, Signal relay not allowed for Globlist!
                              I manually created a user called "nxrelay site a" to get a token, with policy Default, and assigned the IP address of the relay.
