Force OSX to talk to Windows DC

achmelvic
New Contributor III

This is a bit of a strange one and might take some explaining but really hoping some one might have suggestions or ideas!

First off, our setup: within our college we run a Windows domain and have a lot of OS X clients bound to it. We also have an authenticated web proxy using Bloxx; the authentication on Bloxx is done using the Active Directory, so only users who have valid AD accounts can get out through the proxy. We also use port redirection, so ports 80 and 443 are blocked on the Cisco firewall and web traffic must all go out using port 3128; this information is in a hosted WPAD file specified using DNS.

Up until about 18 months ago this used to cause much annoyance on the OS X clients, as users would be constantly prompted for account details whenever a new service wanted to access the internet. To work around this issue Bloxx introduced an AD logger add-on. Basically this sits on all our domain controllers, and whenever a logon event is triggered and AD credentials are passed over from a client machine it links that username to the source IP address and then passes that information to the Bloxx proxy, the theory being that the Bloxx proxy can then use the IP address to know who is who rather than having to request user details itself. Overall this works OK and has been a big improvement in service for the students.

The problem with the setup is that sometimes that link between IP address and AD username gets lost, especially on OS X clients, at which point Bloxx loses context of who is using which IP address and so blocks web traffic. My assumption as to why we don't see this as much, or at all, on the Windows clients is that they are constantly talking to their DC and so the information is being kept current on Bloxx. A slight workaround we've found is to have the Microsoft Outlook client app running on OS X machines, as by doing a send/receive to the Exchange server it keeps on talking to the DC. However, even this solution doesn't always work.

As there are so many systems involved here I'm not 100% sure where the problem is occurring, but right now my question here is this (see, got to one eventually! :-)). Is there a means of having an OS X client 'check in', as such, with a DC on a regular basis? I'm thinking along the lines of a daemon which could run in the background basically just saying "Hey, John Smith is logged into me at the moment" so the AD logger process on the DC will be aware of this and pass it on to Bloxx. Or even just an app which runs all the time on the client Macs and performs the same function.

I hope that all makes some sense. I'm mainly client systems and, whilst I have a lot of involvement, this stuff is more the area of our network team, who aren't the most helpful!

Especially what with Bloxx having been bought out recently and the product being ended, and our Cisco ASA being past end of life, hopefully in the next 12 months we'll be moving to a new solution and we can convince the network guys to go back to using ports 80/443 and a whitelist etc., but for the time being we're stuck with the current arrangement.

0 REPLIES
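One way to implement the periodic "check-in" the post asks about, as an added example that is not part of the original thread and not Bloxx's or Jamf's code: a per-user LaunchAgent runs a small script for the logged-in user at a fixed interval. The script renews the user's Kerberos TGT with `kinit -R` and opens a short authenticated SMB session to a domain controller with `smbutil view`, so that authenticated traffic from the Mac's IP address reaches a DC on a schedule rather than only when Outlook happens to sync. The DC hostname `dc01.example.edu`, the launchd label, the script path and the interval are placeholders, and it is an assumption that these operations generate the logon events the AD logger consumes; check the DC's security log (and the Bloxx user-to-IP mapping) after the agent has run a few times before relying on it.

```shell
#!/bin/sh
# Added example (not from the original post): periodic AD "check-in" for a
# domain-bound Mac. Assumptions: DC hostname, label, script path and interval
# are placeholders; the console user already holds a Kerberos TGT from the AD
# login; a TGT renewal and an SMB session setup are enough for the DC-side
# logger to see the user at this IP address.

DC_HOST="${DC_HOST:-dc01.example.edu}"      # assumed DC hostname
CHECKIN_INTERVAL="${CHECKIN_INTERVAL:-300}" # seconds between check-ins
LABEL="edu.example.ad-checkin"              # assumed launchd label
SCRIPT_PATH="/usr/local/bin/ad-checkin.sh"  # assumed install location

# Render the LaunchAgent plist that runs the check-in script for the
# logged-in user every $3 seconds (StartInterval) and once at login.
render_plist() {
  label="$1"; script="$2"; interval="$3"
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>${label}</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>${script}</string><string>run</string></array>
  <key>StartInterval</key><integer>${interval}</integer>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
}

# Decide whether a check-in should run: only for a real console user who
# already has a valid Kerberos ticket (has_ticket is the exit status of
# "klist -s": 0 when a valid TGT is cached). Returns 0 to proceed, 1 to skip,
# so that no password prompt is ever raised from a background agent.
should_checkin() {
  user="$1"; has_ticket="$2"
  case "$user" in
    ""|root|_*) return 1 ;;   # no user, root, or a macOS service account
  esac
  [ "$has_ticket" -eq 0 ]
}

# The check-in itself: renew the TGT (a Kerberos exchange with the KDC on the
# DC), then open a short SMB session to the DC using that ticket. stdin is
# /dev/null so smbutil cannot hang waiting for a password.
checkin() {
  user="$(id -un)"
  klist -s; has_ticket=$?
  if ! should_checkin "$user" "$has_ticket"; then
    logger -t ad-checkin "skip: user='${user}' klist_status=${has_ticket}"
    return 0
  fi
  kinit -R || logger -t ad-checkin "kinit -R failed for ${user}"
  if smbutil view "//${DC_HOST}" </dev/null >/dev/null 2>&1; then
    logger -t ad-checkin "checked in to ${DC_HOST} as ${user}"
  else
    logger -t ad-checkin "SMB session to ${DC_HOST} failed for ${user}"
  fi
}

# Usage on the Mac (install the script, then render and load the agent):
#   sudo cp ad-checkin.sh "$SCRIPT_PATH"
#   render_plist "$LABEL" "$SCRIPT_PATH" "$CHECKIN_INTERVAL" \
#     > ~/Library/LaunchAgents/"$LABEL".plist
#   launchctl load ~/Library/LaunchAgents/"$LABEL".plist
case "${1:-}" in
  run) checkin ;;
esac
```

Running it as a LaunchAgent rather than a LaunchDaemon matters here: the agent runs inside the console user's session, so `klist`/`kinit` see that user's ticket cache and the DC records the check-in against the same account the user logged in with. The `should_checkin` guard keeps the agent silent when no ticket is cached (for example a local account), which avoids the very password prompts the post describes.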