Windows server AD trough IPSec VPN
Hi @Aballo,
I assume you just need the client to log in to the AD domain, and that the firewall does not need to join your AD for authentication. Below is the solution based on that assumption.
Main concept:
Your client needs to know which IP your domain is.
You can set your AD DNS server IP as the DNS server for your clients, or set a domain zone forwarder so the clients can resolve the domain and connect to your AD. Below is the example for a domain zone forwarder.
Since your firewalls are connected by VPN, the firewall will route the traffic to the AD via the VPN tunnel and your client can reach the AD.
Zyxel Melen
Hello,
Many thanks for your answers.
The domain controller is behind a USG (main site) and all users on this side can already log on.
The other side (the "agency") is new.
I thought IPSec allowed these ports (53, 88, 389, and 445) by default…
Regards
L.
Hello Melen,
I added the record in the Domain Zone Forwarder:
I still can't ping srv-ad by name, only by its IP.
The second line is for the DNS provider (added by the router itself).
Thanks for your help.
Lilian
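The first reply describes the two things a remote client needs (resolve the domain controller by name, reach it through the tunnel), and the post above shows the classic symptom of the first one failing (ping by IP works, ping by name does not). The following client-side check script is an added example, not code from the thread or from Zyxel; the DC hostname `srv-ad.example.local` and the address `10.0.0.5` are constructed placeholders, and the port list is taken from the thread.

```python
"""Client-side check for AD reachability over a site-to-site VPN.

Added example (not from the thread). Given the domain controller's hostname
and the AD DNS domain, it checks (1) that the client can resolve the DC by
name, which is what the client DNS setting or zone forwarder provides, and
(2) that the ports named in the thread answer through the tunnel, then maps
the result pattern to the most likely cause.
"""
import socket

# Ports named in the thread, with the AD service each one carries.
AD_PORTS = {53: "DNS", 88: "Kerberos", 389: "LDAP", 445: "SMB"}


def srv_records(domain):
    """SRV names a Windows client queries to locate a domain controller.

    These are the standard AD DNS locator records; query them with
    `nslookup -type=SRV <name>` against the DNS server the client is using.
    If they do not resolve, the client is not asking a server that knows
    the AD zone (no forwarder, or the forwarder points at the wrong IP).
    """
    return [
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.{domain}",
        f"_kerberos._tcp.{domain}",
    ]


def resolve(name):
    """Return the IPv4 address `name` resolves to, or None if it does not."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def tcp_open(ip, port, timeout=2.0):
    """True if a TCP connection to ip:port succeeds within `timeout` seconds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(dc_name, dc_ip, timeout=2.0):
    """Collect name-resolution and per-port reachability results for the DC."""
    resolved = resolve(dc_name)
    return {
        "resolved": resolved,
        "name_matches_ip": resolved == dc_ip,
        "ports": {p: tcp_open(dc_ip, p, timeout) for p in AD_PORTS},
    }


def diagnose(results):
    """Map the result pattern to the most likely cause, in the order a
    practitioner would rule things out: tunnel first, then DNS, then ports."""
    ports = results["ports"]
    if not any(ports.values()):
        return "tunnel: nothing reaches the DC IP; check VPN phase 2 / policy routes"
    if results["resolved"] is None:
        return "dns: DC reachable by IP but not by name; check client DNS server or zone forwarder"
    if not results["name_matches_ip"]:
        return "dns: name resolves to the wrong address; stale or conflicting record"
    closed = [f"{p}/{AD_PORTS[p]}" for p, ok in ports.items() if not ok]
    if closed:
        return "firewall: name OK, but blocked ports: " + ", ".join(closed)
    return "ok: name resolution and all AD ports reachable through the tunnel"


if __name__ == "__main__":
    # Constructed placeholders; replace with the real DC name and tunnel-side IP.
    print(diagnose(run_checks("srv-ad.example.local", "10.0.0.5")))
    for rec in srv_records("example.local"):
        print("also query:", rec)
```

Run it from a client at the remote site. The `dns:` result with all ports open is exactly the "ping by IP but not by name" state: the tunnel is fine and the fix is on the DNS side (client DNS server or the zone forwarder entry), not on the VPN policy.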
Hi @Aballo,
I checked with our engineer and found that Windows AD can't authenticate the remote-site clients since they are in a different subnet from the AD. This is a limitation of Windows AD, and you need to have an RODC in the remote site/site B for authentication.
Zyxel Melen