Windows server AD trough IPSec VPN

Aballo · June 23

Hello,

We've got 2 sites linked trough an IPSec VPN. We used USG Flex at each side.

In the simpliest way, what can i do for users to be able to login on the domain, whatever site it is on?

Many thank's

L.

Zyxel_Melen · June 24

I assume you just need the client to login AD domain, not the firewall needs to join your AD and authentication. Below is the solution based on what I assume.

Main concept:

Your client need to know what IP is you domain.

You can set your AD DNS server IP as DNS server for your clients. Or set a domain zone forwarder so the clients can resolve the domain and connect to your AD. Below is the example for domain zone forwarder.

Since your firewalls are connected by VPN, the firewall will route the traffic to AD via VPN tunnel and your client can reach the AD.

Aballo · June 25

Hello,

Many thank's for your answers.

The domain controller is behind on USG (main site) and all users on this side can already logon.

The other side (the "agency") is new.

I thought IPSec allowed these ports (53, 88, 389, and 445) by default…

Regards

L.

Aballo · July 8

Hello Melen,

I add the record in the Domain Zone Forwarder:

I can't still not ping srv-ad by the name, only by its IP.

The second line is for DNS provider (added by the router itself)

Thank's for your help.

Lilian

Zyxel_Melen · July 10

https://community.zyxel.com/en/discussion/comment/78667#Comment_78667

Hi @Aballo

I checked with our engineer and found that Windows AD can't authenticate the remote site clients since they are under the different subnet from the AD. This is the Windows AD's limitation and you need to have a RODC in the remote site/site B for authentication.