Add Windows Remote Server, on Domain

To add a remote Windows server that is not already part of your Active Directory domain, but that you want to join your domain via the ACSC network, you must first add a domain controller to the ACSC network. See the Add Windows Local Domain Controller documentation to add a domain controller (DC).

Once a DC is serving your domain through the ACSC network, follow these steps to add a remote Windows server:

Set Up Host in Management UI

Follow the steps from the Add Test Connection documentation until you get to the Tunnel page of the Add Endpoint Wizard. On this page, do the following:

  1. Adjust the IP address ranges listed in the Except for field on the left side of the page to include the networks or hosts at the remote server’s site that the server needs to access. For example, for a server running an application that needs to connect to a database at the same remote site, make sure the IP address of the database is included in the networks listed in the Except for field.

    If you will also need to access the server over RDP (or another remote-access system) to install the agent and join the server to your domain, include the IP address of your administrative workstation as seen from the server (for example, if the public IP address of the Internet access point used by your admin workstation is 198.51.100.123, add 198.51.100.123/32 to the Except for field).

  2. Adjust the IP addresses listed in the WireGuard Address fields on the right side of the page if you have selected a specific set of addresses for the server, or if you have already assigned the suggested addresses to some other computer.

  3. Click the Next button. This will take you to the Extras page of the Add Endpoint Wizard.

  4. Select Domain for the Firewall Zone dropdown.

  5. Select the Use custom DNS settings when tunnel is up option, and make sure the DNS Server list includes the ACSC IP addresses of all your ACSC DCs before any other DNS resolvers.

  6. Click the Next button. This will take you to the Review page of the Add Endpoint Wizard.

  7. Click the Apply button. This will add the server to the ACSC network.

  8. Click the Set Up Agent icon on the Point panel on the right side of the page. This will take you to the Set Up page for the server.

  9. Click the acsc.conf and acsc-setup.conf links. This will download the unique acsc.conf and acsc-setup.conf files for the server.

Install Agent on Host

To install the ACSC agent on the server, perform the following steps on the server as an Administrator user:

  1. Create a new C:\Program Files\Anti-Cloud\Secure Connect\agent\cnf\ directory on the server.

  2. Copy the server’s unique acsc.conf and acsc-setup.conf files you downloaded above into this directory on the server.

  3. Copy the agent’s MSI (Microsoft Installer) package to the server, and execute it.

  4. If the PowerShell execution policy on the server is Restricted, change its policy to RemoteSigned (or AllSigned):

     PS> Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

Join Server to Domain

Once the acsc0 interface is up and running, you can join the server to your domain as you normally would on the LAN, for example with the Add-Computer PowerShell command:

PS> Add-Computer -DomainName mydomain.corp

Allow Network Services on Host

Once the agent has been installed and starts up, the server will have full outbound access to the organization’s ACSC network. Additionally, other devices on the organization’s ACSC network will have inbound access to the server (using the server’s ACSC IP address) according to the Windows firewall rules configured on the server for the Domain (also known as DomainAuthenticated) firewall profile.

To enable inbound access to other network services on the server exclusively through the ACSC network, configure Windows Defender Firewall rules on the server that allow access through the acsc0 network interface on the server.

For example, you could run the following PowerShell command on the server to allow access from the ACSC network to a web server running on TCP port 80 of the server:

PS> New-NetFirewallRule `
    -Name custom1 `
    -DisplayName "Web Server HTTP-In ACSC" `
    -Group "Custom" `
    -Enabled True `
    -Direction Inbound `
    -Action Allow `
    -Protocol TCP `
    -LocalPort 80 `
    -InterfaceAlias acsc0
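
Because any inbound Allow rule in the Domain profile that is not bound to acsc0 also exposes the service on the server's other interfaces, it is worth checking which rules are tunnel-only. The following PowerShell audit is an added example, not part of the ACSC documentation; it assumes the acsc0 interface alias used above and lists every enabled inbound Allow rule for the Domain (or Any) profile that is not restricted solely to acsc0:

```powershell
# Added example (not from the ACSC documentation): report enabled inbound Allow
# rules that apply to the Domain profile but are not bound only to the ACSC
# tunnel interface, i.e. services that are also reachable outside the tunnel.
# Assumes the tunnel interface alias is acsc0, as used elsewhere on this page.
$TunnelAlias = 'acsc0'

# Rules with Profile "Any" also apply while the Domain profile is active.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { "$($_.Profile)" -match 'Domain|Any' }

$report = foreach ($rule in $rules) {
    # Interface and port filters are separate objects associated with each rule.
    $ifaceFilter = $rule | Get-NetFirewallInterfaceFilter
    $portFilter  = $rule | Get-NetFirewallPortFilter
    $aliases     = @($ifaceFilter.InterfaceAlias)   # "Any" when unrestricted

    [PSCustomObject]@{
        Name           = $rule.Name
        DisplayName    = $rule.DisplayName
        Profile        = "$($rule.Profile)"
        Protocol       = $portFilter.Protocol
        LocalPort      = (@($portFilter.LocalPort) -join ',')
        InterfaceAlias = ($aliases -join ',')
        TunnelOnly     = ($aliases.Count -eq 1 -and $aliases[0] -eq $TunnelAlias)
    }
}

# Everything listed here is reachable on interfaces other than acsc0 while the
# Domain profile is active; built-in rules (e.g. Core Networking) are expected.
$report | Where-Object { -not $_.TunnelOnly } |
    Sort-Object Protocol, LocalPort |
    Format-Table Name, DisplayName, Profile, Protocol, LocalPort, InterfaceAlias -AutoSize
```

Run it from an elevated PowerShell session on the server after adding your custom rules; a rule such as the custom1 rule above should be absent from the output, since it is bound only to acsc0.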

Add DNS Entries Needed by Host

If some applications on the server are configured to access network services at the remote site using DNS hostnames, you will need to make sure your DCs are able to respond to queries for those hostnames with the correct IP addresses at the remote site. For example, if the server is configured to access a database at the remote site via the database.cloud.corp hostname, and the database’s IP address at the remote site is 10.12.34.56, you might add a cloud.corp zone on your DC’s DNS servers, with a record like the following:

database 3600 IN A 10.12.34.56