SSL VPN using LDAP and Azure AD

RichardRoy Newbie ✭

I cannot seem to find a guide on setting this up. I have a hybrid AD (on-prem synced to Azure AD using their Azure Sync tool, latest version). That works great. I enabled secure LDAP from our firewall WAN IP. I get a green light when I set that IP as an LDAP server using port 636. What I cannot get it to do is pass the test for logging someone in or configuring groups/schema; I just get "LDAP communication error". I know I am close.

I would like to make this work as a backup source for authentication.


Thanks in advance.

Category: SSL VPN
Answers

  • Hello @RichardRoy,

    Are you trying to use the auto-configure for the users and user groups when it is failing?

    The KB below might be of some help.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • RichardRoy Newbie ✭

    It does fail if I hit that button, yes, but it fails the same way when I try to test a password sign-in as well. It responds to a connect test but not an auth test. Conversely, the on-prem AD servers respond to all tests just fine and autoconfigure as well. My AD is synced and healthy according to Azure, and synced with the latest Azure Sync tool, so I cannot figure out why it would answer connect just fine but not auth someone when the on-prem servers do.

  • RedNet Enthusiast ✭✭

    You have an on-prem AD DC and are using the AD Connect sync tool, yes? In that case Azure/O365 doesn't come into this; you are still just pointing the SonicWall to your normal AD DC(s).

    You should be pointing your SonicWall at the on-prem AD. Is the SonicWall in the same LAN as your AD DC?

  • RichardRoy Newbie ✭

    Yes, everything already points to on-prem AD and it works just great. Here is the part that is different: there are accounts in Azure AD that are not part of on-prem AD (contractors you invite to your tenant, as an example). Their Microsoft account (or whatever) is authorized by AAD and authenticated. Works great in web apps and Office products etc. I don't need to make on-prem accounts for them since they don't normally touch any of our on-prem stuff. Now we have an exception to that rule where some of them need to be able to VPN to the on-prem. So I was hoping to leverage Azure AD to auth them rather than having to give them an on-prem account.

    I tried making SonicWall local users for them but that did not work; even though we are set to LDAP + Local Users, no local user accounts can log in with NetExtender. The drop-down never gives them the choice of LocalDomain or a way to override it that we can see.

    Does that help clear it up?

  • RichardRoy Newbie ✭

    Thanks for the help. If I read the answer correctly, then I should have name uniqueness between local accounts on the SW and domain accounts, and end users would input the same domain name regardless? I had not thought to try that.

  • RedNet Enthusiast ✭✭

    No probs. Yep, but I am pretty sure the SonicWall checks the local user DB first and then goes to LDAP. So if the username exists in the SonicWall local users list, then that's what will be matched.

    Probably best not to have the usernames on the local SonicWall (if using them) match your AD anyway, so the users know and you know it's not the same account.

    The same domain name is used regardless of LDAP or Local on NetExtender/web login. This can be anything; it is set on the SonicWall SSL VPN / Server Settings page and has no relationship with the AD LDAP domain.

  • SonicAdmin80 Cybersecurity Overlord ✭✭✭
    edited July 2020

    @RichardRoy Azure AD is not LDAP, so authentication from SonicWall won't work out of the box. You would need the Azure AD Directory Services add-on, which gives the LDAP part. You could enable SSL and restrict connections to a single IP address, but VPN Gateway is a safer bet.

    I'm using AADDS this way over VPN and it works great.
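    A small diagnostic, added here as an example and not code from this thread or from SonicWall, that reproduces the difference RichardRoy describes between a "connect test" and an "auth test": it opens a TLS session on 636 and then sends a single LDAPv3 simple bind, so an endpoint that accepts the TLS handshake but never returns a BindResponse (or returns an error resultCode) can be told apart from a plain connection failure. Host, bind DN and password are placeholders the administrator supplies; the BER encoding is hand-rolled so it runs with the standard library only.

```python
import socket, ssl

# Subset of LDAP resultCode values (RFC 4511 section 4.1.9) relevant to this diagnosis
RESULT_CODES = {0: "success", 8: "strongerAuthRequired", 49: "invalidCredentials",
                52: "unavailable", 53: "unwillingToPerform"}

def _ber(tag: int, body: bytes) -> bytes:
    """Minimal BER TLV encoder (definite lengths up to 65535 bytes)."""
    n = len(body)
    length = bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def _read_tlv(buf: bytes, p: int):
    """Decode one TLV at offset p; returns (tag, value, next_offset)."""
    tag, ln = buf[p], buf[p + 1]
    p += 2
    if ln & 0x80:                               # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[p:p + n], "big")
        p += n
    return tag, buf[p:p + ln], p + ln

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPv3 simple BindRequest: [APPLICATION 0] { version 3, name, simple [0] }."""
    op = _ber(0x02, b"\x03") + _ber(0x04, dn.encode()) + _ber(0x80, password.encode())
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + _ber(0x60, op))

def parse_bind_result(data: bytes) -> int:
    """Return the resultCode carried in a BindResponse; raise on anything else."""
    tag, msg, _ = _read_tlv(data, 0)            # LDAPMessage SEQUENCE
    _, _msgid, p = _read_tlv(msg, 0)            # messageID INTEGER
    op_tag, resp, _ = _read_tlv(msg, p)         # protocolOp, expect [APPLICATION 1]
    code_tag, code, _ = _read_tlv(resp, 0)      # resultCode ENUMERATED
    if (tag, op_tag, code_tag) != (0x30, 0x61, 0x0A):
        raise ValueError("not an LDAP BindResponse")
    return int.from_bytes(code, "big")

def ldaps_bind_check(host: str, dn: str, password: str, port: int = 636, timeout: float = 5.0) -> str:
    """TLS connect (what a 'connect test' proves) followed by one simple bind (what an
    'auth test' needs). Certificate validation failures surface as a connect failure."""
    ctx = ssl.create_default_context()           # placeholder host/dn/password supplied by caller
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(bind_request(1, dn, password))
                code = parse_bind_result(tls.recv(4096))
    except (OSError, ValueError) as exc:         # ssl.SSLError is an OSError subclass
        return f"connect/bind failed before a result: {exc}"
    return f"bind resultCode {code} ({RESULT_CODES.get(code, 'other')})"
```

    A green connect light with "connect/bind failed before a result" here matches the symptom in the thread: something answers on 636, but it does not speak LDAP bind.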

  • RedNet Enthusiast ✭✭

    @SonicAdmin80 Thanks for adding that. I have no use cases myself for it yet, but it's nice to know that it can work and how. Cheers!

  • Marshals Newbie ✭

    Do I need to log in after the IP is changed, or how can I get it to work on my Firestick? It doesn't have that problem with my tablet.

  • RichardRoy Newbie ✭

    @Marshals Your answer does not appear to be related; perhaps you posted in the wrong thread?
