How to Install and Configure PGConnect

Problem

You need to connect your local LDAP environment to PG IDaaS in order to enable authentication with local accounts.

Solution

Review the requirements below and follow the provided steps to complete the initial PGConnect installation.

Requirements

  1. You must know your current PG IDaaS Version.

    1. This can be viewed via the System Info screen in the PG IDaaS Admin Panel.

      1. If you do not have access to the PG IDaaS Admin Panel or otherwise do not know your PG IDaaS version, contact technical support before proceeding with the installation.

        1. KB: Submitting a Technical Support Ticket

  2. PGConnect must be installed on a local server that meets the following requirements:

    1. Windows Server 2012 R2 or later (for servers)

    2. Windows 10 or later (for workstations)

    3. .NET Framework 4.6 or later installed

    4. 4 GB of memory

    5. 10 MB of free disk space

    6. Direct network connectivity to one or more Domain Controllers over port 636/tcp

  3. The PGConnect Server must be able to communicate outbound over port 443 to the Internet.

  4. A service account must be created for use with PGConnect, per the PGConnect Technical Documentation:

    1. Documentation: https://bio-key.sharefile.com/share/view/sa69d191710c9431

  5. RabbitMQ certificates and associated passwords must be collected.

    1. Accessed via the PG IDaaS Admin Panel or PortalGuard Technical Support.

      1. KB: Accessing the PG IDaaS Admin Panel

      2. KB: Accessing the RabbitMQ Certs and Passwords for PG Connect

    2. If you do not have access to the Admin Panel, please submit a Technical Support ticket to receive the certificates and passwords prior to the installation:

      1. KB: Submitting a Technical Support Ticket
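The requirements above can be checked from PowerShell on the intended PGConnect host before anything is downloaded. The script below is an added example, not part of the PGConnect documentation; the domain controller names and the PG IDaaS instance name are assumed values to replace with your own.

```powershell
# Added example, not BIO-key's code: pre-installation check for the PGConnect host.
# Replace the assumed DC names and the instance name with your own values.
$DomainControllers = @('dc1.corp.example', 'dc2.corp.example')
$IdaasHost         = 'dirsync-acme.onbio-key.com'

function Test-PGConnectPrereqs {
    $r = [ordered]@{}

    # Windows Server 2012 R2 reports 6.3; Windows 10 and Server 2016+ report 10.0.
    $osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version
    $r['OS version 6.3 or later']     = ($osVersion -ge [version]'6.3')

    # .NET Framework 4.6 or later: the 'Release' DWORD is 393295 or higher.
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $ndp -ErrorAction SilentlyContinue).Release
    $r['.NET Framework 4.6 or later'] = ($release -ge 393295)

    # 4 GB of memory (rounded, since firmware reserves a little below 4 GB).
    $memGB = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB
    $r['Memory 4 GB or more']         = ([math]::Round($memGB) -ge 4)

    # 10 MB free on the system drive, where C:\Program Files\PistolStar lives.
    $freeMB = (Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')).Free / 1MB
    $r['Free disk 10 MB or more']     = ($freeMB -ge 10)

    # Direct LDAPS connectivity to every domain controller on 636/tcp.
    foreach ($dc in $DomainControllers) {
        $r["636/tcp to $dc"] = Test-NetConnection -ComputerName $dc -Port 636 `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }

    # Outbound 443/tcp to the Internet, tested against the PG IDaaS instance.
    $r["443/tcp to $IdaasHost"] = Test-NetConnection -ComputerName $IdaasHost -Port 443 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    return $r
}

$results = Test-PGConnectPrereqs
$results.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if ($results.Values -contains $false) { Write-Warning 'Resolve every FAIL before installing PGConnect.' }
```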

Installation Steps

IMPORTANT NOTE: The version of PGConnect MUST match the version of PG IDaaS utilized by your implementation. If an incorrect version of the PGConnect software is installed, synchronization issues may occur that require a full reinstall later.

  1. Download the proper version of PGConnect to the target server:

    1. Link: https://bio-key.atlassian.net/servicedesk/customer/portal/1/article/588447747

  2. Ensure the zip is not ‘blocked’ and unzip.

    1. Right-click the file and select ‘Properties’.

    2. On the General tab, if you see a checkbox or button labeled ‘Unblock’ select/click it.

    3. Click ‘Ok’ to close out of the Properties window.

  3. Copy the RMQ Certificates and Passwords to the PGConnect Server.

  4. Launch the ‘PGConnect_vX.X.X.X.msi’ installer and follow the on-screen prompts, accepting the Terms of Use.

  5. Move the RMQ Certificates to the following Location on the server:

    1. C:\Program Files\PistolStar\PGConnect\_Certs

  6. After the installation completes, launch the PGConnect Editor from the Desktop.

  7. Navigate to the RabbitMQ section and configure as follows:

    1. Basic

      1. Screenshot for Reference:

      2. Server Name:

        1. Replace the ‘CUSTOMER’ placeholder with your PG IDaaS instance name.

        2. E.g. dirsync-acme.onbio-key.com

      3. Username:

        1. No Change.

      4. Password:

        1. Obtained either from the Admin Panel or the PortalGuard Technical Support Engineer. This is the ‘RMQ Password’.

    2. Advanced

      1. No Changes

    3. SSL

      1. Screenshot for Reference:

      2. SSL Enabled:

        1. Yes

      3. RMQ Server CN:

        1. Replace the ‘CUSTOMER’ placeholder with your PG IDaaS instance name.

        2. E.g. dirsync-acme.onbio-key.com

      4. PFX Path:

        1. Browse to the location created during step #4 above (C:\Program Files\PistolStar\PGConnect\_Certs) and select the .PFX file.

      5. PFX Password:

        1. Obtained either from the Admin Panel or the PortalGuard Technical Support Engineer. This is the ‘RMQ Certificate Password’.

      6. Root CA Path:

        1. Browse to the location created during step #4 above (C:\Program Files\PistolStar\PGConnect\_Certs) and select the ‘rootCA.crt’ file.

  8. Click on the ‘Test RMQ Connection’ button and verify a successful result.

    1. Screenshot for reference:

    2. IMPORTANT NOTE: The PGConnect software cannot function without a successful RMQ Connection test here. This successful test establishes a secure TLS tunnel between the PGConnect server and the PG IDaaS environment that is used for all communications.

    3. If any errors are present, please submit a technical support ticket to resolve the issue straight away.

      1. KB: Submitting a Technical Support Ticket
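When the RMQ connection test fails, the usual causes are a wrong PFX password, a wrong or expired certificate file, a Server CN that still contains the placeholder, or blocked outbound 443. The script below checks each of those locally before a ticket is raised. It is an added example, not part of PGConnect; the PFX file name and the instance name are assumptions, while the _Certs path and rootCA.crt come from the steps above.

```powershell
# Added example, not BIO-key's code: check the RMQ certificate files, password and
# server name used in the RabbitMQ section. The PFX file name and the instance
# name are assumed values; adjust them to match your own _Certs folder.
$CertDir     = 'C:\Program Files\PistolStar\PGConnect\_Certs'
$PfxPath     = Join-Path $CertDir 'pgconnect-client.pfx'      # assumed file name
$RootCaPath  = Join-Path $CertDir 'rootCA.crt'
$RmqServerCn = 'dirsync-acme.onbio-key.com'                  # example instance
$X509        = 'System.Security.Cryptography.X509Certificates'
$PfxPassword = Read-Host -Prompt 'RMQ Certificate Password' -AsSecureString

# 1. The PFX password is correct only if the file opens and contains a private key.
try {
    $client = New-Object -TypeName "$X509.X509Certificate2" -ArgumentList $PfxPath, $PfxPassword
} catch { throw "PFX did not open with that password: $($_.Exception.Message)" }
if (-not $client.HasPrivateKey) { throw 'PFX opened but holds no private key.' }
"Client cert : $($client.Subject) (expires $($client.NotAfter))"
if ($client.NotAfter -lt (Get-Date)) { Write-Warning 'Client certificate has expired.' }

# 2. rootCA.crt must parse and should be a self-signed CA certificate.
$rootCa = New-Object -TypeName "$X509.X509Certificate2" -ArgumentList $RootCaPath
$bc   = $rootCa.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }  # BasicConstraints
$isCa = ($null -ne $bc) -and $bc.CertificateAuthority
"Root CA     : $($rootCa.Subject)  self-signed=$($rootCa.Subject -eq $rootCa.Issuer)  CA=$isCa"

# 3. The RMQ Server CN must resolve and be reachable outbound on 443/tcp.
$dns = Resolve-DnsName -Name $RmqServerCn -Type A -ErrorAction SilentlyContinue
if (-not $dns) { Write-Warning "$RmqServerCn does not resolve; check the CUSTOMER placeholder." }
$reach = Test-NetConnection -ComputerName $RmqServerCn -Port 443 `
    -InformationLevel Quiet -WarningAction SilentlyContinue
"Outbound 443: $(if ($reach) { 'OK' } else { 'FAIL' })"
```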

  9. Navigate to the Directories section and configure as follows:

    1. Click on the ‘New’ button to configure a new Directory connection.

    2. When prompted for a ‘Domain Key’ enter a unique identifier for this connection.

      1. This is an internal only label that will not be seen by users.

      2. This label is used purely to identify the users and their ‘source’ directory within the backend.

    3. Ensure the ‘Directory’ dropdown has your new connection selected.

    4. Check the box labeled ‘Is Default?’.

    5. Within the ‘Directory’ dropdown, select the ‘Default-Domain’ entry.

    6. Click on the ‘Delete’ button to clear that configuration from the list.

      1. This will ensure that you have only relevant configurations within your PGConnect environment.

    7. Configure the settings to connect to your directory via LDAPS:

      1. Screenshot for reference:

    8. Typical Configurations require the following changes:

      1. Server Name:

        1. The LDAPS-enabled host name used to establish the connection over port 636.

      2. Username:

        1. PGConnect Service Account Username

      3. Password:

        1. Password for the PGConnect Service Account.

      4. LDAP Type:

        1. Active Directory or Open LDAP

      5. Base DN:

        1. Scope for PG IDaaS and PGConnect read/write actions.

      6. Search Filter:

        1. LDAP search filter defining which LDAP attribute is matched against the username when authenticating via PG IDaaS.

          1. The attribute must hold a unique value for each user.

  10. Click on the ‘Test’ button to validate the LDAP connection information.

    1. IMPORTANT NOTE: If an LDAP Connection cannot be established, much of the remaining configuration will fail AND PG Connect will not be able to function.
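The Directory ‘Test’ can be reproduced outside the PGConnect Editor to isolate whether a failure is the LDAPS certificate trust, the service-account bind, the Base DN, or a search filter that is not unique. The script below is an added example, not part of PGConnect; the server name, Base DN, filter and test username are assumed values, and the `{0}` placeholder is this script's own, not PGConnect's filter syntax.

```powershell
# Added example, not BIO-key's code: simple-bind over LDAPS with the PGConnect
# service account, then run the search filter for one user and check uniqueness.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'

$ServerName = 'dc1.corp.example'                       # assumed LDAPS host name
$BaseDn     = 'OU=Users,DC=corp,DC=example'            # assumed Base DN
$Filter     = '(&(objectClass=user)(sAMAccountName={0}))'  # use uid= for OpenLDAP
$TestUser   = 'jdoe'                                   # assumed test account
$Cred       = Get-Credential -Message 'PGConnect service account'

# Port 636 with SSL; certificate verification stays on, so a DC certificate that
# this host does not trust fails here exactly as it will in the Editor's test.
$id   = New-Object "$P.LdapDirectoryIdentifier" -ArgumentList $ServerName, 636, $true, $false
$conn = New-Object "$P.LdapConnection" -ArgumentList $id, $Cred.GetNetworkCredential(), 'Basic'
$conn.SessionOptions.SecureSocketLayer = $true   # simple bind is acceptable only under TLS
$conn.SessionOptions.ProtocolVersion   = 3
try { $conn.Bind() } catch { throw "LDAPS bind to ${ServerName}:636 failed: $($_.Exception.Message)" }
"Bind OK as $($Cred.UserName)"

# The filter PGConnect will use must return exactly one entry per username.
$attrs = [string[]]('distinguishedName', 'userAccountControl')
$req   = New-Object "$P.SearchRequest" -ArgumentList $BaseDn, ($Filter -f $TestUser),
             ([System.DirectoryServices.Protocols.SearchScope]::Subtree), $attrs
$res   = $conn.SendRequest($req)
switch ($res.Entries.Count) {
    0       { Write-Warning "No entry for '$TestUser' under $BaseDn; check the Base DN and filter." }
    1       { "Filter OK: $($res.Entries[0].DistinguishedName)" }
    default { Write-Warning "Filter matched $($res.Entries.Count) entries; the attribute must be unique." }
}
$conn.Dispose()
```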

  11. Navigate to the Synchronization section and configure as follows:

    1. Account Status Settings

      1. Synchronize Account Status Changes?

        1. Check the box.

          1. This setting enables the synchronization of the ‘Disabled’ status. If you mark an account as ‘Disabled’ in AD, this setting allows PGConnect to synchronize the status to the PG IDaaS record as well.

      2. Run Interval

        1. Set to however frequently (in minutes) you’d like to check for and synchronize ‘Disabled’ accounts.

    2. Group Settings

      1. Run Interval

        1. Set to however frequently (in minutes) you’d like to check for and synchronize Group Membership for whitelisted or ‘Monitored’ groups.

          1. IMPORTANT NOTE: This requires the configuration of the Monitored Groups tab. If the Monitored Groups tab is configured but the ‘Run Interval’ setting here is set to 0, no synchronization will occur.

    3. Monitored Groups

      1. IMPORTANT NOTE: PG IDaaS does not have an active connection to your local directory. As such, PG IDaaS has no native knowledge of a user’s group membership. To track membership for use with the various ACLs throughout PortalGuard, you must first whitelist the group here.

        1. If a target group is a nested/child group, both levels of the group must be added to the whitelist.

      2. To whitelist a group, simply search for all or part of the Group Name and then select the proper group from the list. Either double-click the proper group or select and click the ‘Add’ button to whitelist.

    4. Attribute Sync

      1. Interval:

        1. Set to however frequently you want to monitor for and synchronize changes to common LDAP attributes. This cannot be set lower than 15 minutes.

          1. IMPORTANT NOTE: Attribute Sync allows PG IDaaS to remain in sync in the event a user’s attributes change. Common examples include name changes or organization shifts that result in the user moving to a different LDAP OU.

      2. Scheduled Sync?

        1. Check this box.

  12. Still within the Synchronization Attribute Sync tab, click on the ‘Configure Scope’ button.

  13. Within the new window, configure the settings per tab as follows:

    1. Synchronization:

      1. Click the ‘Add Defaults’ button.

        1. This will add four distinct permissions to track expiration-related settings (including the ‘User must change password at next login’ flag).

      2. Use the ‘Attribute to Add’ input to add any specific LDAP attributes that should remain in sync.

        1. These attributes are typically those used for Single Sign-On.

        2. IMPORTANT NOTE: Hover over the blue label for ‘List of Standard Attributes’ to see the base Attribute Set for PG IDaaS. These attributes do not need to be added here, as they are kept in sync implicitly so long as Attribute Sync is enabled.

    2. Scoping:

      1. Use the ‘OU to Sync’ input to select the various OUs covering the users that should be kept in sync between local LDAP and PG IDaaS.

      2. Select the OU from the ‘Matching OUs’ list and click the ‘Add’ button to synchronize.

        1. This may result in a slight delay as PGConnect queries the OU for a user count and updates the displayed ‘Total Users’.

  14. Click on the ‘Save’ button when finished configuring the Attribute Sync feature.

  15. Navigate to the Domain Controllers section.

    1. Make note of the ‘Machine Name’ and verify that it is the FQDN for the PGConnect machine.

      1. IMPORTANT NOTE: This FQDN must be resolvable from each Domain Controller within your environment.

    2. Make note of the custom Port (8734).

      1. IMPORTANT NOTE: This is the port that will be used for the secure communication from your Domain Controllers to the PGConnect machine.

    3. Click the ‘One-Time Setup’ button and then click ‘OK’ to verify success:
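Because the Domain Controllers initiate the connection to PGConnect on port 8734, the FQDN and port should be verified from the DC side, not only from the PGConnect host. The script below does that from every DC in the domain over PowerShell remoting; it is an added example, not part of PGConnect, and assumes the ActiveDirectory RSAT module on the host where it runs, WinRM enabled on the DCs, and an FQDN that you replace with your own ‘Machine Name’.

```powershell
# Added example, not BIO-key's code: from every DC, confirm the PGConnect FQDN
# resolves and 8734/tcp is reachable. The FQDN below is an assumed value.
$PGConnectFqdn = 'pgconnect.corp.example'   # the 'Machine Name' shown in the Editor
$Port          = 8734                       # custom port shown in the Editor

# Needs the ActiveDirectory module here and WinRM on the DCs (default on 2012 R2+).
$dcs = (Get-ADDomainController -Filter *).HostName
$report = Invoke-Command -ComputerName $dcs -ArgumentList $PGConnectFqdn, $Port -ScriptBlock {
    param($Fqdn, $Port)
    $resolved = [bool](Resolve-DnsName -Name $Fqdn -Type A -ErrorAction SilentlyContinue)
    $open     = Test-NetConnection -ComputerName $Fqdn -Port $Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ DomainController = $env:COMPUTERNAME; Resolves = $resolved; PortOpen = $open }
}

$report | Sort-Object DomainController | Format-Table DomainController, Resolves, PortOpen -AutoSize
if ($report | Where-Object { -not ($_.Resolves -and $_.PortOpen) }) {
    Write-Warning "At least one DC cannot reach ${PGConnectFqdn}:$Port; fix DNS or firewall rules before 'Apply and Update'."
}
```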

  16. Click on the ‘Apply and Update’ button in the bottom left-hand corner.

    1. This will initiate a ‘save’ for you. Once you click ‘ok’, the application will hang while the services restart. This is expected and the application will close automatically once those services restart.

  17. Test an authentication to your PG IDaaS instance using your local LDAP Credentials.

    1. The first login will always present a ‘Checking Progress’ notification for a brief moment as it completes the round trip between PGConnect and PG IDaaS. If the login is successful, all subsequent authentications will be completed against the PG IDaaS database and that notification will not appear.