This topic describes different deployment scenarios for Aspera Faspex Server with Active Directory (AD) user authentication.

Scenario 1: Standalone Faspex Server Authentication via AD

You must first configure the standalone Faspex Server to bind to the Active Directory. To do so, please refer to the instructions in the topic Directory Service. The figure below depicts this scenario's information workflow.

Please review the following important notes for the standalone scenario:

  • It is not necessary for the Faspex Server to join the Windows domain.
  • The bind may use a read-only AD account.
  • Some organizations deploy read-only (proxy) instances of their AD in the DMZ for a higher level of security.
  • Some organizations deploy dedicated security servers, such as Microsoft ISA, to secure the bind from the DMZ to the secure zone.

NOTE ON TLS: As of Faspex Server version 2.0.5+, querying AD services via TLS (i.e., a secure connection) is supported. As a result, it is feasible to establish the AD bind over an unsecured network.

Scenario 2: Multiple Faspex Servers and direct vs. indirect AD Authentication queries

As of Faspex Server version 2.0.5+, a Faspex slave server has the ability to authenticate users via the Faspex master server or by direct AD queries. If the Faspex slave server is configured with the AD server location and credentials, then it will use AD to authenticate users; otherwise, if there is no AD server information configured on the Faspex slave server, then it will authenticate users via the Faspex master server. For instructions on setting up multiple servers and AD server location and credentials, please review the topics Multi-Server and Directory Service, respectively. The table below provides descriptions and information workflows for example multi-Faspex Server deployment scenarios.

IMPORTANT NOTE: In a multi-server deployment, all user management functions are performed via the Faspex master server, and account information is propagated to the Faspex slave servers. Each user account is configured to be able to log in (authenticate) to either the Faspex master or slave systems. This setting is called the "home server" configuration, and can be set per user or via a home server rule. Please refer to Creating a New Faspex User for more information.

Description Diagram
In this multi-server Faspex deployment, user authentication is relayed through slave and master servers to the AD. The Faspex slave server authenticates users via the Faspex master server.
In this multi-server Faspex WAN deployment, user authentication is relayed through slave and master servers to the AD. The setup is similar to the one above, where the Faspex slave server (deployed as a regional Faspex Server to serve regional users) authenticates users via the Faspex master server (at headquarters).
In this multi-server Faspex WAN deployment, multiple Faspex regional (slave) servers authenticate users via a central, master system.
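
The direct vs. indirect rule from Scenario 2 and the TLS and read-only bind notes from Scenario 1 can be checked against a deployment inventory before rollout. The following is an added example, not Aspera code: the Server and ADBind models, their field names, and the host names are hypothetical, and treating a non-read-only bind account as a finding is an assumption of this sketch.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ADBind:                 # hypothetical model of a server's AD settings
    host: str
    tls: bool                 # AD queried over TLS (Faspex 2.0.5+)
    read_only: bool           # bind account has read-only rights in AD
    untrusted_link: bool      # bind traverses a network you do not control

@dataclass
class Server:                 # hypothetical inventory record
    name: str
    role: str                 # "master" or "slave"
    ad: Optional[ADBind] = None

def auth_path(server, master):
    """Hops a login takes: direct if AD is configured, else via the master."""
    if server.ad is not None:
        return [server.name, server.ad.host]
    if server.role == "slave" and master.ad is not None:
        return [server.name, master.name, master.ad.host]
    raise ValueError(f"{server.name}: no route to an AD server")

def audit(servers):
    """Return (server, issue) pairs for risky AD binds in the deployment."""
    master = next(s for s in servers if s.role == "master")
    findings = []
    for s in servers:
        auth_path(s, master)  # raises if a login could never reach AD
        if s.ad is None:
            continue          # relayed logins inherit the master's bind
        if s.ad.untrusted_link and not s.ad.tls:
            findings.append((s.name, "AD bind without TLS over untrusted network"))
        if not s.ad.read_only:
            findings.append((s.name, "AD bind account is not read-only"))
    return findings

# Constructed sample deployment: one master, one relayed slave, one direct slave.
MASTER = Server("hq-master", "master", ADBind("ad.corp.example", True, True, False))
FLEET = [
    MASTER,
    Server("emea-slave", "slave"),
    Server("apac-slave", "slave", ADBind("ad.corp.example", False, False, True)),
]

if __name__ == "__main__":
    for srv in FLEET:
        print(" -> ".join(auth_path(srv, MASTER)))
    for name, issue in audit(FLEET):
        print(f"[!] {name}: {issue}")
```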