TZ670 can't add LDAP imported groups to Trusted Users group
Kermit007
Newbie ✭
Hi,
I need to replace NSA250 by TZ670.
In the new TZ670 I can't add LDAP-imported groups to the "Trusted Users" local group like I did in my NSA250.
"Trusted Users" belongs to IPsec VPN authentication.
As I need to associate 2 LDAP groups from 2 different Active Directories, in the NSA250 these 2 groups had been added as members of "Trusted Users".
When I do that in the TZ670, these 2 groups never appear in the "Trusted Users" local group...
Thanks for your help.
Nicolas
Category: Entry Level Firewalls
Answers
Hi @KERMIT007,
Thank you for visiting SonicWall Community.
This is because any user or user group imported on the SonicWall is by default part of the Trusted Users group. Please explain your requirement and we can see what is best to achieve it.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Hi,
I did not know that all imported groups were automatically part of "Trusted Users".
Yet users in my 2 Active Directory groups cannot connect to the GroupVPN WAN with the GVC client.
But if I configure one of the 2 Active Directory pins in the field "User group for XAUTH users" instead of "Trusted Users", it works for the members of this imported group (see attachment).
But I need to associate 2 different groups...
Nicolas
Hi @Kermit007, it sounds like you are overcomplicating it. You can leave the VPN section as Trusted Users and select, within the two specific User Groups, the VPN Destinations, i.e. X0 Subnet; this will create the relevant firewall rules for those users within those groups.
To set up multiple LDAP domains, I do it this way from Gen 6.5 onwards:
Hi @KERMIT007,
If you want to restrict the GVC connection only to the users that are part of the two above-mentioned user groups, then the best way is to club them under one group in AD, import this one group on the firewall, and then make use of the same in the "User group for XAUTH users" section. This should be the simple and best way since you are using LDAP-imported user groups. The same process is followed if you are using SonicWall's local user group DB.
Hope this answers.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
@Saravanan, his user groups are from two separate LDAP domains, hence his issue with the two groups; that's why I suggested setting up as per my guide above.
Thanks for your answers, but for me it does not work with the new TZ670...
It is as if the groups imported from the LDAP were not automatically members of "Trusted Users". Yet it worked perfectly with the same method on an NSA250...
Nicolas
@Kermit007, if you rename both AD user groups to exactly the same name, like (VPN Users), and re-sync the LDAP directory(s), then choose the below when re-importing the user group; it will match both domains. Then just add this group to the VPN settings.
I'll test that out. Thank you.
I have tested: I created a group with exactly the same name in the 2 Active Directories, but it does not work either.
@Kermit007, did you go through that document I sent the link to? Also, under the LDAP Test, can you perform login queries to both domains, or does it only work for the primary one?
Preston,
Yes, I read the link. I already use several SonicWalls, but of the previous generation, without problems.
The query tests on LDAP 2 work well...