VPN via Firebox X1000, then logon to Active Directory Domain 1

Status
Not open for further replies.

Craino

IS-IT--Management
Oct 22, 2002
55
US
We have remote users that use VPN to access network resources while out of the office. We are currently creating VPN accounts for them on our X1000. Once they are authenticated on the X1000, then they can map drives, run programs, etc.

We are currently converting to Active Directory, and all is running well. However, we are having an issue with access to one of our applications for users that have been converted to the new Active Directory domain.

What used to happen: once the VPN connection authentication process completed they were able to start up an application running on their laptop that accessed a back end database. The authorization for accessing the DB was through a SQL server local account that had Domain Users in its access list.

What's happening now: authentication to VPN still working fine and can map network drives, but doesn't appear the user is being registered on the network, so not in Domain Users, so not able to access database.

Does this make sense to anyone? Any ideas as to how to get this to work? Feel free to respond with questions/challenges, but we really feel this is an authentication issue and for some reason, the registration with AD isn't happening.
 
What authentication are you using to connect to the VPN? If not AD, switch to it.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
We create the VPN account directly on the X1000, so I guess you would call it basic authentication. How do you "switch" to AD?
 
You can change to AD authentication on the Firebox... in the Setup, set up an Authentication Server and switch to NT Server under Firewall Authentication

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
Switch to NT server or AD server? Is that a typo?

We don't have the "AD Directory" tab on the Authentication Server setup. Is that just an update to the X1000? I thought we had auto update, maybe we need to do something explicitly?
 
Okay - just saw that you have to have FireWire Pro to get the AD authentication. Thanks for getting us started in the right direction Davetoo.
 
No, you shouldn't need Firewire to get AD authentication. Switch to NT Server under Firewall Authentication in the Setup list, which will take you automatically to set up an Authentication server and you'll see the options to establish an AD server to authenticate to.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
Go to setup>>authentication and choose the appropriate radio button, then click setup>>authentication server and enter the specific info for the authentication server.
 
We ended up fixing this issue by installing IAS to serve as the authentication broker between the Watchguard and our DC.
 