FAQ - CLICK Deployment

This document contains frequently asked questions related to the deployment of CLICK.

Sections

General

Q: What is a CLICK Instance?

A CLICK Tenant Instance, or CLICK Instance, is a single deployment of CLICK. Customers can have one CLICK Instance or multiple. One great use case for having multiple CLICK Instances is to use one as a staging area for testing advanced configurations or new features.

AWS Account Configuration

Subnets

Q: What are the connectivity requirements for the subnet used by the CLICK AD Gateway?

The subnet you choose for the CLICK AD Gateway to use must satisfy these requirements:

  1. Have a route to your Active Directory Domain Controller - Every subnet is associated with a route table, which controls the IP ranges that can be reached by network interfaces on the subnet. The CLICK AD Gateway must be deployed on a subnet that has a route to your Active Directory Domain Controller in order for the two to communicate.
  2. Have a route to the Internet - The CLICK AD Gateway securely sends information back to CLICK to enable CLICK to provision and maintain resources for your users. This is not possible without internet connectivity.
  3. Allow outbound Internet traffic on port 443 - The CLICK AD Gateway uses port 443 when communicating with CLICK, so any Network ACLs in place on the subnet you choose must allow outbound traffic on this port.

Security Groups

Q: Is this the same thing as an Active Directory Security Group?

No. In AWS, a security group is a networking concept. A security group acts as a virtual firewall for the virtual network interfaces it is attached to, controlling their inbound and outbound traffic. While preparing to deploy the CLICK AD Gateway, it's important to select or create an appropriate security group so that the AD Gateway Lambda function has the correct network access.

Q: What network access must be granted by the security group used by the CLICK AD Gateway?

Since security groups are like virtual firewalls, it's important to ensure that traffic is allowed on the correct ports. The security group used by the AD Gateway requires the following in terms of connectivity:

  1. Allow outbound requests on your LDAP port - The AD Gateway Lambda function initiates requests to your Active Directory Domain Controller. That means it must be able to make outgoing requests on that port. Standard LDAP deployments use port 389, or port 636 for secure LDAP.
  2. Allow outbound requests on port 443 - The CLICK AD Gateway securely sends information back to CLICK on port 443, so outbound traffic must be allowed on this port.
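One way to check a security group against the two requirements above before deploying. This is an added example, not part of CLICK or its documentation. It assumes the security group is a dictionary shaped like one entry of the EC2 DescribeSecurityGroups response; the function names, IP addresses and sample groups are constructed for illustration.

```python
import ipaddress

def egress_allows(sg, dest_ip, port):
    """True if an egress rule in sg permits TCP traffic to dest_ip:port."""
    dest = ipaddress.ip_address(dest_ip)
    for rule in sg.get("IpPermissionsEgress", []):
        proto = rule.get("IpProtocol")
        if proto not in ("tcp", "6", "-1"):  # "-1" means all protocols and ports
            continue
        if proto != "-1" and not (rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)):
            continue
        # Only IPv4 CIDR destinations are evaluated; rules that reference
        # prefix lists or other security groups are ignored here.
        for cidr in rule.get("IpRanges", []):
            if dest in ipaddress.ip_network(cidr["CidrIp"], strict=False):
                return True
    return False

def missing_gateway_egress(sg, dc_ip, ldap_port, click_ip):
    """List the AD Gateway egress requirements that sg does not satisfy."""
    missing = []
    if not egress_allows(sg, dc_ip, ldap_port):
        missing.append(f"LDAP to {dc_ip}:{ldap_port}")
    if not egress_allows(sg, click_ip, 443):
        missing.append("HTTPS to CLICK on 443")
    return missing

# Constructed sample values: a Domain Controller address inside the VPC and a
# placeholder public address standing in for the CLICK endpoint.
DC_IP = "10.0.5.10"
CLICK_IP = "203.0.113.10"

# Constructed group: secure LDAP to the VPC range plus HTTPS to anywhere.
SG_OK = {"IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 636, "ToPort": 636,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}

# Constructed group: HTTPS only, so the gateway cannot reach the Domain Controller.
SG_NO_LDAP = {"IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}

if __name__ == "__main__":
    for name, sg in (("SG_OK", SG_OK), ("SG_NO_LDAP", SG_NO_LDAP)):
        print(name, missing_gateway_egress(sg, DC_IP, 636, CLICK_IP) or "ok")
```

Pass the LDAP port your Domain Controller actually listens on; a group that only opens 636 is reported as missing LDAP when checked against 389.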

Active Directory Configuration

There are no frequently asked questions in this section yet.

SAML IdP Configuration

There are no frequently asked questions in this section yet.