Options for joining FAC to multiple customer-managed AD domains

ergotherego · ‎11-10-2017

We have a FAC we would like to use for remote authentication + DFA for customers. Customers manage/maintain their own domain. Our connectivity is NAT'd to them - we connect to public IP, their own firewall NATs to private IP.

In lab testing, we can get it working with NAT itself. The problem I think we are having is with DNS and the SRV records.

The DNS servers our FAC is pointed to doesn't have SRV records for customer domains. Even if we got forwarding working from our DNS/DC servers to customer, the DNS answer would be a private IP which wouldn't work anyway.

Anyone aware of alternative solutions to this problem? Basically how can you join a FAC to multiple remote (unmanaged) domains where you don't have direct native IP connectivity.

The only solution I can think of is for the customer to run NPS (Network Policy Server) on their end, and we do RADIUS messaging between FAC and customer DC - but I would really, really like to avoid that.

Thanks,

xsilver_FTNT · ‎12-28-2017

how about to have VPN concentrator in front of FAC. Terminating VPNs between FAC subnet and customer's subnets (no NAT, just routing over VPNs)?

There are no SRV needed for LDAP sync of users from customer's LDAP servers into FAC to be able to assign them 2FA (I guess that DFA = 2FA = two factor authentication = token).

Then those synced users can be per sync rule sorted into groups and those groups can be used alongside to relams, pointing to customer LDAP, in RADIUS Client auth profiles for respective customer.

So each customer would have his own group of users, sync rule, realm, RADIUS client config using group+realm.

Sounds doable to me.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Options for joining FAC to multiple customer-managed AD domains

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website