On-Premises Client Onboarding Guide
This guide walks you through setting up a Surface Security appliance on your network and connecting it to your Active Directory environment.
Prerequisites
Before beginning onboarding, ensure you have:
- Surface Security appliance -- powered on and connected to your network
- Network access -- DHCP or a static IP assignment for the appliance
- DNS record -- pointing to the appliance (e.g.,
surfacesec.yourcompany.com) - TLS certificate -- for your domain, or use Let's Encrypt auto-provisioning
- License key -- provided by your Surface Security account team
- Active Directory access (optional) -- for LDAP-based directory sync
Step 1: Appliance Setup
Physical Setup
- Unbox the appliance and connect:
- Power: Connect the supplied power adapter
- Network: Connect Ethernet to your corporate network
- Display (optional): Connect a monitor for first-boot wizard (can also be done via web UI)
- Power on the appliance
Network Configuration
The appliance ships with DHCP enabled. After boot:
- Find the appliance's IP address:
- Check your DHCP server's lease table
- Or connect a monitor -- the IP is displayed on the console
- Navigate to
https://<appliance-ip>:443in a browser - Accept the self-signed certificate warning (temporary until TLS is configured)
First-Boot Wizard
The setup wizard runs automatically when you first access the web UI:
- Admin Account -- Create the initial administrator (email, display name, password)
- License Activation -- Paste the license key provided by your account team (optionally provide a Portal API Token for automatic signature updates)
- Validation -- The system verifies the license signature, creates your environment, and configures default security policies
- Success -- Confirms your organization name, license tier, expiry, and max users, then redirects to the dashboard
Note: Network configuration (IP, DNS, TLS) is handled at the OS/appliance level before the web UI is accessible. Configure your static IP, DNS record, and TLS certificate (or reverse proxy) before navigating to the setup wizard.
Step 2: Connect Directory
Active Directory / LDAP (Recommended for On-Prem)
- Log into the Surface Security dashboard
- Navigate to Settings > Directory Sync > Add Source > Active Directory
- Configure connection:
- LDAP URL:
ldaps://dc01.yourcompany.com:636(use LDAPS for encrypted connections) - Bind DN:
CN=surfacesec-svc,OU=Service Accounts,DC=yourcompany,DC=com - Bind Password: The service account password
- Base DN:
DC=yourcompany,DC=com - User Filter:
(&(objectClass=user)(objectCategory=person))(default) - Group Filter:
(objectClass=group)(default)
- LDAP URL:
- Click Test Connection to verify LDAP connectivity
- Click Save
Hybrid: SCIM for Cloud + LDAP for On-Prem
For organizations with both cloud and on-premises directories:
- Add an Active Directory source for on-prem users (LDAP pull)
- Add an Entra ID or Okta source for cloud-synced users (SCIM push)
- Both sources appear in the directory sync dashboard
- Users from each source are tagged with their origin
Manual Import
If no directory integration is needed:
- Navigate to Users > Bulk Import
- Upload a CSV file with columns:
email, displayName, department
Step 3: Select Groups
- Navigate to Settings > Directory Sync
- Click Configure Groups on your Active Directory source
- Choose:
- Sync All Groups -- syncs all groups found in AD
- Select Specific Groups -- pick security groups or distribution lists
- Select the Identification Method:
- sAMAccountName -- recommended for pure on-prem AD environments
- UPN -- if users have UPN configured
- Email (mail) -- if the mail attribute is populated
- Click Save and then Sync Now to pull groups
Step 4: Deploy Extension
Quickstart (recommended)
For the fastest path to first enrollment:
- Configure SSO at Settings > SSO
- Generate a magic link at Onboarding > Deploy method > Magic Link and click Generate
- Share the link with your team via Slack, email, or wiki
Users click the link, authenticate via SSO, and their extension enrolls automatically. Works on any device with an internet connection to your IdP, regardless of domain membership.
See the Enterprise extension deployment guide for more details.
Mass rollout (Group Policy)
For larger orgs or AD-joined device management:
- In the Surface Security dashboard, go to Onboarding > Step 3
- Click Generate Configuration to create an enrollment token
- Select Group Policy and copy the policy JSON
- In Group Policy Management Console (gpmc.msc):
- Edit a GPO linked to the OUs containing target devices
- Navigate to Computer Configuration > Administrative Templates > Google Chrome > Extensions
- Configure "Configure the list of force-installed apps and extensions"
- Add the extension ID with update URL
- Set managed storage configuration with the generated JSON
- Run
gpupdate /forceon target devices or wait for policy refresh
SCCM / MECM
- Create a PowerShell script deployment using the provided deployment script
- Pass the Tenant ID, API Endpoint, and Extension ID as parameters
- Deploy to a device collection targeting your pilot group
Manual Installation
For testing:
- Install the extension from the browser store (or load unpacked from the built extension)
- Click the extension icon
- Enter the API Endpoint, Tenant ID, and Enrollment Token
- Click Enroll Device
Step 5: Verify Enrollment
- In the dashboard, go to Onboarding > Step 4
- Confirm devices appear in the enrollment table
- Navigate to a few websites from an enrolled device
- Verify events appear in the Dashboard within seconds
- Check Alerts for any detected security issues
Backup and Recovery
Automated Backups
The appliance automatically backs up:
- PostgreSQL database (daily, retained for 30 days)
- Configuration files
- TLS certificates
Backups are stored on the secondary NVMe drive (Tier 1) or replicated across cluster nodes (Tier 2+).
Manual Backup
- Navigate to Settings > Backup in the dashboard
- Click Create Backup to trigger an immediate backup
- Download the backup file for off-site storage
Recovery
From backup drive:
- Connect the USB recovery drive (included in the box)
- Boot from the USB drive
- Select "Restore from backup"
- Choose the backup point to restore
Factory reset:
- Boot from the USB recovery drive
- Select "Factory Reset"
- Re-run the first-boot wizard
Troubleshooting
Appliance not reachable
- Verify network connectivity (check link lights on the Ethernet port)
- Confirm DNS resolves to the correct IP:
nslookup surfacesec.yourcompany.com - Check that ports 443 and 80 (if using Let's Encrypt) are not blocked by firewall
LDAP connection failed
- Verify the LDAP URL is correct (use
ldaps://for port 636) - Confirm the service account has read permissions on the target OUs
- Check that the AD server's certificate is trusted (for LDAPS)
- Test with
ldapsearchor PowerShell:Get-ADUser -Server dc01 -Filter *
Extension enrollment fails
- Verify the appliance is reachable from the device
- Check the enrollment token hasn't expired
- Ensure managed storage is applied (
chrome://policyfor Chrome,edge://policyfor Edge) - Check the extension service worker console for detailed error messages
Slow performance
- Check appliance CPU/memory usage in Settings > System Health
- Verify ClickHouse data retention TTLs are configured correctly
- For Tier 1 (single node), ensure total endpoint count doesn't exceed 1,000
For cloud deployment, see Cloud Onboarding.