vpn client and nat server


  • antonellobellisario
    antonellobellisario Posts: 17  Freshman Member
    edited May 2020
    But to connect from the remote client, do I have to use the IPsec VPN client
    and then join the domain?

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,302  Zyxel Employee
    edited May 2020

    Hi @antonellobellisario

    Do you mean that you want to build a VPN tunnel to the device and log in with the AD server users?

    Can you describe more details about your scenario?


  • antonellobellisario
    antonellobellisario Posts: 17  Freshman Member
    This scenario:
    can I use SecuExtender to connect?

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,302  Zyxel Employee

    Hi @antonellobellisario

    Yes, you can use SecuExtender to build an SSL VPN tunnel and log in with the USG AD users.

    Below are the example settings.

    Go to Configuration > Object > AAA Server, select the already created "AD" profile and click Edit.


    At the bottom of the settings, you can test your account in the "Configuration Validation" field.



    To make the USG look in the Active Directory:

    Go to Configuration > Object > Auth. Method and edit the default rule.

    Add "group ad" to the settings.



    Create an ext-group-user:

    Go to Configuration > Object > User/Group.



    Setup SSL VPN settings

    Go to Configuration > VPN > SSL VPN and click "Add" to add a new rule.





    Then you can use SecuExtender to build an SSL VPN tunnel to the device.



    Here is the link to the related discussion article on the forum:

    https://businessforum.zyxel.com/discussion/1002/ad-validated-users-ssl-vpn





  • itxnc
    itxnc Posts: 98  Ally Member
    If you're just trying to VPN into a domain managed LAN, that LAN is using the domain server for DNS as well, correct? If so, can't you just do something like this: https://businessforum.zyxel.com/discussion/4207/how-to-force-dns-query-pass-into-ssl-vpn-tunnel

    To force the remote system's DNS through the VPN to the domain server? Then you should be able to join the domain and resolve NetBIOS names, etc.
  • antonellobellisario
    antonellobellisario Posts: 17  Freshman Member
    When I try the user,
    I see the message:
    "vpn" does not belong to this group.

    what am I doing wrong?

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,302  Zyxel Employee
    edited May 2020

    Hi @antonellobellisario

    It means that the user does not belong to the group on your AD server.

    You need to add the user to the group.

    Here is a link to the related setting on the AD server:

    https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=014994&lang=EN



  • antonellobellisario
    antonellobellisario Posts: 17  Freshman Member
    The configuration is correct, but I always get this message:
    "users" does not belong to this group.
  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,302  Zyxel Employee

    @antonellobellisario

    Can you check which organization the "vpn" user belongs to?

    If the user is under a different organization, it will not detect the user.

    Here is a related example.

    Add a user named "usera" in the domain "USG.com" below,

    and "usera" is under the organization "CSO" and belongs to the group "CSO-test".




    When setting up the ext-group-user on the USG,

    if the group identifier is set as CN=test_group,CN=Users,DC=usg,DC=com,

    the Test Status will display "usera" does not belong to this group.



    Since "usera" is not in the organization "Users" but in the organization "CSO",

    the identifier should be set up as "CN=CSO-test,OU=CSO,DC=usg,DC=com".

    Then check the Test Status on the device; it will display "OK".


