SSL VPN using LDAP and Azure AD
RichardRoy
Newbie ✭
I cannot seem to find a guide on setting this up, I have a hybrid AD (On-prem sync'd to Azure AD using their Azure Sync tool (latest version) That works great. I enabled secure LDAP from our firewall WAN IP. I get a green light when i set that IP as an LDAP server using port 636. what i cannot get it to do is pass the test for logging someone in or configuring groups/schema i just get LDAP communication error. I know I am close.
I would like to make this work as a backup source for authentication.
thanks in advance
Best Answers
-
CORRECT ANSWERRedNet
Enthusiast ✭✭
The local accounts will work in combination with others being LDAP, you probably dont have the local users in the correct SSLVPNservices group. The domain for the login is just a visual thing, doesnt actually matter or relate to your AD, so its the same for local users as the AD user. Use the web based portal to check your logins are working.
For leveraging the Azure AD directly, I havent see this noted as supported by sonicwall and I would not be sending LDAP traffic out the internet (even if you have TLS enabled) unless its in an ipsec vpn tunnel.
I'd go with local accounts for now and make sure you set OTP requirement on those accounts on the sonicwall.
5 -
CORRECT ANSWERMarshals
Newbie ✭
Thanks for advice. I think you are right. I found this review https://webguidevpn.com/os/best-vpn-for-mac/ about my question.
5
Answers
Hello @RichardRoy,
Are you trying to use the auto-configure for the users and user groups when it is failing?
The KB below might be of some help.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
it does fail i f I hit that button yes, but it fails the same when i try and test a password sign in as well. it responds to a connect test but not an auth test. By converse the on prem AD servers, respond to all tests just fine and autoconfigure as well. My AD is sync'd and healthy according to Azure and sync'd with the latest Azure Sync tool so I cannot figure out why it would answer connect just fine but not auth someone when the on-prem servers do.
You have an on prem AD DC and using the AD connect sync tool yes? In that case Azure/o365 doesnt come into this, you are still just pointing the sonicwall to your normal AD DC(s).
You should be pointing your Sonicwall at the on prem AD, is the sonicwall in the same LAN as your AD DC?
yes everything points already to on-prem ad and it works just great. Here is the part that is different. There are accounts in Azure AD that are not part of on prem AD. (contractors you invite to your tenant as an example. Their Microsoft account (or whatever) is authorized by AAD and authenticated. Works great in web apps and office products etc. I don't need to make on-prem accounts for them since they don't normally touch any of our on prem stuff. Now we have an exception to that rule where some of them need to be able to vpn to the on-prem. So I was hoping to leverage Azure AD to auth them rather than having to give them an on-prem account.
I tried making sonicwall local users for them but that did not work, even though we are set to LDAP + Local Users, no local user accounts can log in with netextender, the drop down never gives them the choice of LocalDomain or a way to overright it that we can see.
does that help clear it up?
thanks for the help. If I read the answer correctly then I should have name uniqueness between local accounts on the SW and domain accounts and end users would input the same domain name regardless? had not thought to try that
No probs, yep but I am pretty sure the sonicwall checks the local user DB first and then goes to LDAP. So if the username exists in the sonicwall local users list then thats what will be matched.
Probably best to not have the usernames on the local sonicwall (if using them) to match your AD anyway so the users know and you know its not the same account.
The same domain name regardless of LDAP or Local on netextender/web login. This can be anything and is set on the swall sslvpn/server settings page and has no relationship with the AD LDAP domain.
@RichardRoy Azure AD is not LDAP so authentication from Sonicwall won't work out of the box. You would need Azure AD Directory Services add-on which gives the LDAP part. You could enable SSL and restrict connection from a single IP address, but VPN Gateway is a safer bet.
I'm using AADDS this way over VPN and it works great.
@SonicAdmin80 Thanks for adding that, have no use cases myself for it yet but nice to know that it can work and how, cheers!
Do I need to login after the IP is changed or how can I get it to work on my firestick it doesn't have that problem with my tablet?
@Marshals your answer does not appear to be related perhaps you posted in the wrong thread?