Been wondering how to solve an issue regarding DHCP entries on Microsoft AD.
For the AD to be able to speak to hosts it needs a DHCP entry to map the host to an IP.
This is not done while using the SSL VPN since connecting clients are given an IP from the SSL VPN IP pool.
The connecting hosts can speak to the AD, but not the other way around.
Just wondering if there's any way to solve this. Or is it something that has to be changed on AD?
plejon wrote: For the AD to be able to speak to hosts it needs a DHCP entry to map the host to an IP.
The AD doesn't map IP addresses.
The IP>Hostname mapping comes from the DNS server
What are you trying to accomplish with this?
Hi, thanks for your answer.
I'm not all that into Microsoft. I'm just a network dude.
I was told by the internal IT tech guy that he needs a DHCP query for the DNS to map hosts to the AD or domain controller.
I think DNS, DHCP, AD and so on are on the same host.
But what he said was that the AD cannot speak with SSL clients because he does not have a DNS host for them, because they are not given an IP from the internal server.
plejon wrote: I was told by the internal IT tech guy that he needs a DHCP query for the DNS to map hosts to the AD or domain controller.
I think DNS, DHCP, AD and so on are on the same host.
But what he said was that the AD cannot speak with SSL clients because he does not have a DNS host for them, because they are not given an IP from the internal server.
Try this first:
Create a new policy
Source Interface: internal (or where your DC is located)
Source Address: your DC, DNS
Destination Interface: ssl.root
destination address: SSLVPN_TUNNEL_ADDR1 (your IP Range)
Service: all
Action: Accept
Just noticed this .... what does your ssl.root -> internal (server) policy look like?
Active Directory requires that clients ping the domain controllers in order to pull down GPOs. They use ping to determine the "closest" controller and if none respond, then it is assumed that none are close enough. So the policy update doesn't happen.
Allow Ping
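The policy from the steps above, written out as FortiOS CLI (an added example, not configuration posted in the thread). The address object name DC_DNS_SERVER, its placeholder IP and the port name "internal" are assumptions; SSLVPN_TUNNEL_ADDR1 and ssl.root are the objects named in the reply.

```fortios
config firewall address
    edit "DC_DNS_SERVER"
        set subnet 192.0.2.10 255.255.255.255
        set comment "Placeholder: replace with the real DC / DNS server IP"
    next
end
config firewall policy
    edit 0
        set name "DC-to-SSLVPN-clients"
        set srcintf "internal"
        set dstintf "ssl.root"
        set srcaddr "DC_DNS_SERVER"
        set dstaddr "SSLVPN_TUNNEL_ADDR1"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "Lets the DC and DNS server initiate traffic toward SSL VPN clients"
    next
end
```

Scoping the source to the DC/DNS address object instead of the whole internal subnet keeps the server-to-tunnel path narrow, and logging all traffic on it makes the DC-initiated sessions visible when you test the GPO behaviour described above.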
Hi!
ATM I'm allowing all traffic. This won't be in production until November.
But I think this might not be my problem, luckily.
But I shall test and see if I can get something from the Microsoft boys at my company.
I'll let you know when I know more. Thanks for your input :)