Configure Access URL

Overview

The access URL is the address that people use to reach ADSelfService Plus. The Configure Access URL option lets you set the server name, protocol, and port that make up this address, so that ADSelfService Plus advertises the correct, externally reachable URL rather than the address of the server it happens to run on.

Administrators configure the access URL whenever the address users connect to differs from the ADSelfService Plus server's own host name and port. This is common when ADSelfService Plus sits behind a reverse proxy or a load balancer, runs in a failover setup, or is published to the internet. Setting an accurate access URL makes sure that the links ADSelfService Plus generates and the address its remote agents connect back to all point to the right place.

How it works

An access URL is made of three parts: a server name, a protocol (HTTP or HTTPS), and a port. Together they form the address at which ADSelfService Plus is reached. In a simple, single-server deployment this address is the same as the server's own host name and port. In other deployments it is not.

When ADSelfService Plus runs behind a reverse proxy or a load balancer, in a failover setup, or is exposed to the internet, users reach it through an intermediary whose address is different from the ADSelfService Plus server. The Configure Access URL option is where you tell ADSelfService Plus that externally reachable address. ADSelfService Plus then uses the access URL wherever it needs to refer to itself, including the links it sends to users and the address that remote login agents connect back to.

The access URL also determines the Relying Party ID (RP ID) used by the FIDO2 Passkeys authenticator. Passkeys that users enroll are bound to the domain in the access URL. If the access URL changes after passkeys have been enrolled, the RP ID changes with it, and the enrolled passkeys no longer match. For this reason, the access URL should be finalized before FIDO2 Passkeys is enabled.

Configuration instructions

To configure the access URL:

1. Navigate to Admin > Product Settings > Connection.
2. Click Configure Access URL in the top-right corner of the page. The Configure Access URL dialog opens.

1. In the Server Name field, enter the host name of the address through which users reach ADSelfService Plus. This is typically the DNS name of the internet-facing server, such as a reverse proxy or a load balancer.
2. For Protocol, select HTTPS to keep connections to the server secure, or select HTTP.
3. In the Port field, enter the port of the access URL.
4. The three fields Server Name, Protocol, and Port are all required.
5. Click Save once you have filled in the details.

Limitations

• An access URL is generally required only for failover, load-balanced, or internet-facing deployments of ADSelfService Plus. A standard single-server deployment usually does not need one.
• Changing the access URL after the FIDO2 Passkeys authenticator is enabled changes the Relying Party ID, which disenrolls all passkey users and discards their enrollment data.
• To install or schedule the login agent on remote machines through the access URL, the access URL must use the HTTPS protocol.

Tips

• Use the HTTPS protocol for the access URL in any production environment, so that connections to ADSelfService Plus stay encrypted.
• Decide on the access URL early. Finalizing it before you enable FIDO2 Passkeys spares users from having to enroll their passkeys a second time.
• Set Server Name to the DNS name of the internet-facing server, such as the reverse proxy or load balancer, not the address of the ADSelfService Plus server itself.
• After you set up a reverse proxy or a load balancer, return to this option and update the access URL to match the new address.