Last post Jul 13, 2006 12:20 PM by Freakyuno
Jul 13, 2006 07:19 AM|pnearn|LINK
As a SOLA on an outsourcing project I have a challenge that I hope someone can help me with.
We have 2 separate VLANs (let's call them VLAN1 and VLAN2), each with their own ADs. These are separated by a Nokia Firewall.
In the past users on one VLAN have had no need to connect to the other; however, we now have a centralised HR product with a web front end which is to be hosted on VLAN1 which users on VLAN2 need to access. Clearly when they try and access the URL through the Firewall the Nokia software tries to authenticate them against the AD on VLAN1, where they don't exist, and fires up some page asking for logon credentials, IP addresses etc.
The simple way to do this would be to migrate all the users from the AD on VLAN2 to VLAN1. However, this would be an additional 8000 users which we need to keep in step (i.e. each time a new user is added or a password changed).
So is there some way we can configure the AD on VLAN1 to reference the AD on VLAN2 (i.e. a virtual extension, if you like), or can we configure the Nokia Firewall on the VLAN1 side to authenticate against the AD on VLAN2?
After some ideas here. I'm not an AD expert in any way.
Jul 13, 2006 07:40 AM|Freakyuno|LINK
You need to set up a 2-way trust, in both sets of A.D, to trust the other domain.
You can find this under Start -> All Programs -> Administrative Tools -> Active Directory Domains and Trusts.
Get your trust set up. If your firewall is correctly set up to forward LDAP then the authentication will pass from one A.D primary to another, and the user won't have to authenticate.
Jul 13, 2006 08:49 AM|pnearn|LINK
So just so I understand before I go burying my head in manuals:
Establish trust between the two AD domains (I assume this is possible even if they are on separate VLANs and cannot 'see' each other directly?)
Set up the Firewall to forward LDAP? I assume this is a standard thing that Firewalls use to pass on authentication?
Jul 13, 2006 08:58 AM|pnearn|LINK
Jul 13, 2006 12:20 PM|Freakyuno|LINK
I'm really not familiar with Nokia firewalls my friend, I'm sorry. LDAP is normally a request and response system, with an initial challenge. Through ISA Server, the rule just allows LDAP to traverse from VLAN 1 to VLAN 2. LDAP should know which server it's authenticating with, and because your users are in an A.D setting, they should be getting Domain information for their local domain out of DNS, which means that a request never would be forwarded to the second VLAN unless it was meant for that VLAN... (since it would be a routed subnet). What would happen is you'd try to authenticate with a resource protected by A.D of VLAN-X and the challenge would occur for a specific FQDN, which then gives the DNS route, which is then forwarded toward the correct subnet by your Trust, which is then tunneled to the correct server by your firewall.
I know it gets complicated. I assume your firewall is actually acting as a Router as well. The first step would be to set up a static route between the two VLANs and make sure you can get some pings going back and forth. Be aware that once the static route is set up, your firewall may start complaining at you that it's dropping a lot of packets... you probably don't need to worry, it's usually NetBIOS datagrams trying to traverse subnets and being dropped.
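As an added example (not from this thread or either poster), here is a small Python triage of constructed firewall drop logs. It assumes a hypothetical `<time> drop <proto> <src>:<sport> -> <dst>:<dport>` line format rather than the real Nokia log format, and a standard list of ports a domain trust needs (assumed, not from the thread); it separates the NetBIOS datagram noise mentioned above from drops that would actually break the trust, so a missing rule does not hide in the noise.

```python
import re
from collections import Counter

# Services a domain trust needs to reach between the two domains'
# domain controllers (standard AD port list, not taken from the thread).
TRUST_PORTS = {
    ("udp", 53): "DNS", ("tcp", 53): "DNS",
    ("udp", 88): "Kerberos", ("tcp", 88): "Kerberos",
    ("tcp", 135): "RPC endpoint mapper",
    ("udp", 389): "LDAP", ("tcp", 389): "LDAP", ("tcp", 636): "LDAPS",
    ("tcp", 445): "SMB", ("tcp", 464): "Kerberos kpasswd", ("udp", 464): "Kerberos kpasswd",
    ("tcp", 3268): "Global Catalog", ("tcp", 3269): "Global Catalog (SSL)",
}
# NetBIOS name/datagram/session traffic: the expected noise once routing is up.
NETBIOS_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139)}

# Constructed log format (hypothetical, not the Nokia/Check Point format):
# "<time> drop <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<time>\S+) drop (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def classify_drop(line):
    """Return 'netbios', 'trust:<service>', 'other', or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    key = (m["proto"], int(m["dport"]))
    if key in NETBIOS_PORTS:
        return "netbios"
    if key in TRUST_PORTS:
        return "trust:" + TRUST_PORTS[key]
    return "other"

def triage(lines):
    """Count drops per class so trust-breaking drops stand out from NetBIOS noise."""
    return Counter(c for c in map(classify_drop, lines) if c)

SAMPLE_LOG = [  # constructed sample, not real firewall output
    "10:01:02 drop udp 10.1.0.25:138 -> 10.2.0.255:138",
    "10:01:03 drop udp 10.1.0.31:137 -> 10.2.0.255:137",
    "10:01:05 drop tcp 10.1.0.10:49211 -> 10.2.0.5:88",
    "10:01:05 drop tcp 10.1.0.10:49212 -> 10.2.0.5:389",
    "10:01:09 drop udp 10.1.0.40:138 -> 10.2.0.255:138",
    "10:01:11 drop tcp 10.1.0.77:51000 -> 10.2.0.9:8080",
]
if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Any `trust:` entry in the output is a flow the firewall rule between the VLANs still blocks; the `netbios` count is the drop noise the poster above describes.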