Add Windows Local Domain Controller

To allow remote workstations and servers to join, through ACSC, the same Active Directory domain that you use on your LAN, you must add a Domain Controller (DC) from the LAN to the ACSC network. Follow the steps below:

Set Up Host in Management UI

Follow the steps from the Add Test Connection documentation until you get to the Tunnel page of the Add Endpoint Wizard. On this page, do the following:

  1. Adjust the IP address ranges listed in the Except for field on the left side of the page to include the DC’s LAN networks (e.g. “192.168.123.0/24, 192.168.234.0/24”).
  2. Adjust the IP addresses listed in the WireGuard Address fields on the right side of the page if you have selected a specific set of addresses for the DC, or if you have already assigned the suggested addresses to some other computer.
  3. Click the Next button. This will take you to the Extras page of the Add Endpoint Wizard.
  4. Select blank for the Firewall Zone dropdown.
  5. Select the No changes to DNS settings when tunnel is up option.
  6. Click the Next button. This will take you to the Review page of the Add Endpoint Wizard.
  7. Click the Apply button. This will add the DC to the ACSC network.
  8. Click the Set Up Agent icon on the Point panel on the right side of the page. This will take you to the Set Up page for the DC.
  9. Click the acsc.conf and acsc-setup.conf links. This will download the unique acsc.conf and acsc-setup.conf files for the DC.

Install Agent on Host

To install the ACSC agent on the DC, perform the following steps on the DC as an Administrator user:

  1. Create a new C:\Program Files\Anti-Cloud\Secure Connect\agent\cnf\ directory on the DC.
  2. Copy the DC’s unique acsc.conf and acsc-setup.conf files you downloaded above into this directory on the DC.
  3. Copy the agent’s MSI (Microsoft Installer) package to the DC, and execute it.

Configure Interface on Host

Once the agent has been installed and starts up, the DC will have full outbound access to the organization’s ACSC network, and in most cases will start serving the domain through the ACSC network. Check this by running the following PowerShell command:

PS> Get-NetConnectionProfile -InterfaceAlias acsc0


Name                     : mydomain.corp
InterfaceAlias           : acsc0
InterfaceIndex           : 12
NetworkCategory          : DomainAuthenticated
DomainAuthenticationKind : Ldap
IPv4Connectivity         : Internet
IPv6Connectivity         : NoTraffic

If the NetworkCategory is not listed as DomainAuthenticated, try disabling the acsc0 network interface and then re-enabling it:

> netsh interface set interface acsc0 disabled
> netsh interface set interface acsc0 enabled

If this still does not trigger the DomainAuthenticated network category (aka network profile, aka firewall profile), try the following:

  1. Search the Windows registry for the acsc0 interface name under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles path:

     > reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /s /v ProfileName /f acsc0
    
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{3BA24925-42E0-4035-94DD-B563DBA69EB5}
         ProfileName    REG_SZ    acsc0
    
     End of search: 1 match(es) found.
    
  2. Edit the Category field of the matching registry entry to change its value to 2 (DomainAuthenticated):

     > reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{3BA24925-42E0-4035-94DD-B563DBA69EB5}" /v Category /t REG_DWORD /d 2 /f
    
  3. Reboot the DC.

When the DC starts up, its ACSC network interface should now be using the DomainAuthenticated firewall profile, and other computers on the ACSC network should be able to join the domain through it.
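The check and registry fix above can be scripted so the profile key is located by its ProfileName value rather than copied by hand. The following PowerShell script is an added example and is not part of the ACSC documentation or agent; it assumes the interface alias acsc0, the standard NetworkList registry layout shown above, and a -Fix switch of my own that gates the write.

```powershell
# Added example (not from the ACSC documentation): report the live connection
# profile of the ACSC interface and, when asked, set the stored NetworkList
# profile's Category to 2 (DomainAuthenticated). Run as Administrator.
param(
    [string]$InterfaceAlias = 'acsc0',   # assumption: agent interface alias
    [switch]$Fix                         # hypothetical switch: write the change
)

$ProfilesPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
# Meaning of the Category DWORD stored under each profile key
$CategoryNames = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'DomainAuthenticated' }

# 1. Live state, as shown by Get-NetConnectionProfile in the text above
$ncp = Get-NetConnectionProfile -InterfaceAlias $InterfaceAlias -ErrorAction SilentlyContinue
if (-not $ncp) {
    Write-Warning "Interface '$InterfaceAlias' has no connection profile; is the agent running?"
    return
}
Write-Host "Live profile: $($ncp.Name) / $($ncp.NetworkCategory) / $($ncp.DomainAuthenticationKind)"

# 2. Find the stored profile key whose ProfileName equals the interface alias
$keys = @(Get-ChildItem $ProfilesPath | Where-Object {
    (Get-ItemProperty $_.PSPath -Name ProfileName -ErrorAction SilentlyContinue).ProfileName -eq $InterfaceAlias
})
if ($keys.Count -ne 1) {
    Write-Warning "Expected one NetworkList profile named '$InterfaceAlias', found $($keys.Count); inspect manually"
    return
}
$key = $keys[0]
$cat = (Get-ItemProperty $key.PSPath -Name Category -ErrorAction SilentlyContinue).Category
$catName = if ($null -ne $cat) { $CategoryNames[[int]$cat] } else { 'missing' }
Write-Host "Stored profile $($key.PSChildName): Category=$cat ($catName)"

# 3. Only change the value when explicitly asked; a reboot is still required
if ($cat -eq 2) { Write-Host 'Stored profile is already DomainAuthenticated; nothing to do'; return }
if (-not $Fix)  { Write-Host 'Re-run with -Fix to set Category=2, then reboot the DC'; return }

Set-ItemProperty -Path $key.PSPath -Name Category -Value 2 -Type DWord
Write-Host "Category set to 2 (DomainAuthenticated) on $($key.PSChildName); reboot the DC to apply"
```

Because the Category value selects which Windows Firewall profile the interface receives, confirm the result after the reboot with Get-NetConnectionProfile rather than trusting the registry write alone.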

DNS Settings

If the DC also runs a DNS server, configure its DNS settings as described below. If the DC does not run a DNS server, add the LAN’s DNS server to the ACSC network using the same steps as for the DC, and then configure that DNS server’s settings as described below:

Add DNS Entries Needed by Remote Servers

If you are going to connect remote servers (or workstations) to the domain through the ACSC network, and those servers will use private DNS hostnames to access other network services at their remote sites, you will need to make sure the DC is able to answer queries for those hostnames with the correct IP addresses for the remote sites. For example, if a remote server that you will connect is configured to access a database at a remote site via the database.cloud.corp hostname, and the database’s IP address at the remote site is 10.12.34.56, you’d need to add a cloud.corp zone on the DC’s DNS server, with a record like the following:

database 3600 IN A 10.12.34.56