
TZ670 can't add LDAP imported groups to Trusted Users group

Hi,

I need to replace NSA250 by TZ670.

In the new TZ670 I can't add LDAP imported groups to the "Trusted Users" local group like I did in my NSA250.

"Trusted Users" belongs to IPsec VPN authentication.

Since I need to associate 2 LDAP groups from 2 different Active Directories, on the NSA250 these 2 groups had been added as members of "Trusted Users".

When I do that on the TZ670, these 2 groups never appear in the "Trusted Users" local group...

Thanks for your help.

Nicolas

Category: Entry Level Firewalls

Answers

  • Saravanan Moderator

    Hi @KERMIT007,

    Thank you for visiting SonicWall Community.

    This is because any user or user group imported on the SonicWall is by default part of the Trusted Users group. Please explain your requirement and we can see what is best to achieve it.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Kermit007 Newbie ✭

    Hi,

    I did not know that all imported groups were automatically part of "Trusted Users".

    Yet users in my 2 Active Directory groups cannot connect to the GroupVPN WAN with the GVC client.

    But if I configure one of the 2 Active Directory pins in the field "User group for XAUTH users" instead of "Trusted Users", it works for the members of this imported group (see attachment).

    But I need to associate 2 different groups...


    Nicolas

  • preston Enthusiast ✭✭

    Hi @Kermit007, it sounds like you are over-complicating it. You can leave the VPN section as Trusted Users and select, within the two specific User Groups, the VPN destinations, i.e. X0 Subnet; this will create the relevant firewall rules for those users within those groups.

    To set up multiple LDAP domains, I do it this way from Gen 6.5 onwards:


  • Saravanan Moderator

    Hi @KERMIT007,

    If you want to restrict the GVC connection only to the users that are part of the two above-mentioned User Groups, then the best way is to club them under one group in AD, import this one group on the firewall and then make use of the same in the "User group for XAUTH users" section. This should be the simplest and best way since you are using LDAP imported user groups. The same process is followed if you are using SonicWall's local user group DB.

    Hope this answers.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • preston Enthusiast ✭✭
    edited June 7

    @Saravanan, his user groups are from two separate LDAP domains, hence his issue with the two groups, that's why I suggested setting up as per my guide above.

  • Kermit007 Newbie ✭

    Thanks for your answers, but for me it does not work with the new TZ670...

    It is as if the groups imported from the LDAP were not automatically members of "Trusted Users", yet it worked perfectly with the same method on an NSA250...


    Nicolas

  • preston Enthusiast ✭✭
    edited June 7

    @Kermit007, if you rename both AD user groups to have exactly the same name (e.g. "VPN Users") and re-sync the LDAP directory(s), then when re-importing the user group choose the below; it will match both domains. Then just add this group to the VPN settings.


  • Kermit007 Newbie ✭

    I'll test that out. Thank you

  • Kermit007 Newbie ✭

    I have tested: I created a group with exactly the same name in the 2 Active Directories, but it does not work either.

  • preston Enthusiast ✭✭
    edited June 7

    @Kermit007, did you go through that document I sent the link to? Also, under the LDAP Test, can you perform login queries to both domains, or does it only work for the primary one?

  • Kermit007 Newbie ✭

    Preston,


    Yes, I read the link. I already use several SonicWalls of the previous generation without problems.

    The query tests on LDAP 2 work well...
