Active Directory integration between VLANs

  • Question

  • User-965163980 posted

    As a SOLA on an outsourcing project I have a challenge that I hope someone can help me with.

    We have 2 separate VLANs (let's call them VLAN1 and VLAN2), each with its own AD. These are separated by a Nokia firewall.

    In the past, users on one VLAN have had no need to connect to the other; however, we now have a centralised HR product with a web front end which is to be hosted on VLAN1 and which users on VLAN2 need to access. Clearly, when they try to access the URL through the firewall, the Nokia software tries to authenticate them against the AD on VLAN1, where they don't exist, and fires up a page asking for logon credentials, IP addresses, etc.

    The simple way to do this would be to migrate all the users from the AD on VLAN2 to VLAN1. However, this would be an additional 8000 users which we need to keep in step (i.e. each time a new user is added or a password is changed).

    So is there some way we can configure the AD on VLAN1 to reference the AD on VLAN2 (i.e. a virtual extension, if you like), or can we configure the Nokia firewall on the VLAN1 side to authenticate against the AD on VLAN2?

    After some ideas here. I'm not an AD expert in any way.

    Thursday, July 13, 2006 7:19 AM

All replies

  • User-820230059 posted

    You need to set up a two-way trust in both sets of AD, so that each trusts the other domain.

    You can find this under Start -> All Programs -> Administrative tools -> Active Directory Domains and Trusts.

    Get your trust set up. If your firewall is correctly set up to forward LDAP, then the authentication will pass from one AD primary to another, and the user won't have to authenticate.

    Thursday, July 13, 2006 7:40 AM
  • User-965163980 posted

    Thanks Freak

    So, just so I understand before I go burying my head in manuals:

    Establish trust between the two AD domains (I assume this is possible even if they are on separate VLANs and cannot 'see' each other directly?)

    Set up the firewall to forward LDAP? I assume this is a standard thing that firewalls use to pass on authentication?

    Thursday, July 13, 2006 8:49 AM
  • User-965163980 posted

    Re: the LDAP port forwarding through the firewall. I assume what I need to do is configure the firewall to port-forward any LDAP traffic to the correct AD server on VLAN1, i.e. port 389 (LDAP)?

    This way, I guess, any traffic that hits the firewall on this port (i.e. LDAP authentication) gets to the right place inside the firewall. Now, if this is a URL address (for the relevant application), how can I make sure the LDAP is also forwarded, or does this happen automatically?

    Thursday, July 13, 2006 8:58 AM
  • User-820230059 posted

    I'm really not familiar with Nokia firewalls, my friend, I'm sorry. LDAP is normally a request-and-response system, with an initial challenge. Through ISA Server, the rule just allows LDAP to traverse from VLAN 1 to VLAN 2. LDAP should know which server it's authenticating with, and because your users are in an AD setting, they should be getting domain information for their local domain out of DNS, which means that a request would never be forwarded to the second VLAN unless it was meant for that VLAN (since it would be a routed subnet). What would happen is you'd try to authenticate with a resource protected by the AD of VLAN-X and the challenge would occur for a specific FQDN, which then gives the DNS route, which is then forwarded toward the correct subnet by your trust, which is then tunneled to the correct server by your firewall.

    I know it gets complicated. I assume your firewall is actually acting as a router as well. The first step would be to set up a static route between the two VLANs and make sure you can get some pings going back and forth. Be aware that once the static route is set up, your firewall may start complaining at you that it's dropping a lot of packets... you probably don't need to worry; it's usually NetBIOS datagrams trying to traverse subnets and being dropped.

    Thursday, July 13, 2006 12:20 PM
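What the trust-and-firewall advice in the replies above turns into in practice, as an added example that is not code from anyone in this thread: a PowerShell script for a current Windows Server with the ActiveDirectory and DnsServer modules and the netdom tool. It first checks which of the ports a trust depends on the firewall actually passes between the two domain controllers (the replies mention only LDAP 389, but Kerberos, RPC, SMB and DNS are needed as well), then adds the DNS conditional forwarder so each side can resolve the other domain, creates the two-way trust, and verifies it. The domain names, DC hostname and IP address, and the administrator account name are placeholders, not values from the thread.

```powershell
# Added example (not from any poster in this thread). Assumes two AD domains,
# corp1.example (VLAN1, where the HR web app lives) and corp2.example (VLAN2, where
# the 8000 users live). All names and addresses are placeholders.
# Run on a domain controller in corp1.example as a Domain/Enterprise Admin.

$LocalDomain  = 'corp1.example'
$RemoteDomain = 'corp2.example'
$RemoteDC     = 'DC2.corp2.example'
$RemoteDCIP   = '10.2.0.10'            # placeholder address of the VLAN2 DC
$RemoteAdmin  = 'CORP2\trustadmin'     # placeholder account in the trusted domain

# Ports a trust needs between domain controllers. Scope the firewall rule to
# DC-to-DC traffic on these ports rather than opening the VLANs to each other.
$TrustPorts = @(
    @{ Port = 53;   Name = 'DNS (conditional forwarder resolves the other domain)' },
    @{ Port = 88;   Name = 'Kerberos' },
    @{ Port = 135;  Name = 'RPC endpoint mapper (trust creation, Netlogon)' },
    @{ Port = 389;  Name = 'LDAP' },
    @{ Port = 445;  Name = 'SMB (Netlogon, trust password setup)' },
    @{ Port = 464;  Name = 'Kerberos password change' },
    @{ Port = 3268; Name = 'Global Catalog LDAP' }
)
# RPC additionally uses the dynamic high-port range (TCP 49152-65535 on Server 2008
# and later); allow that DC-to-DC as well, or pin RPC to a fixed range.

# 1. Reachability check from this DC to the remote DC, one port at a time.
$unreachable = foreach ($p in $TrustPorts) {
    $r = Test-NetConnection -ComputerName $RemoteDCIP -Port $p.Port -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) { '{0} ({1})' -f $p.Port, $p.Name }
}
if ($unreachable) {
    Write-Warning "The firewall is blocking the following ports to ${RemoteDCIP}:"
    $unreachable | ForEach-Object { Write-Warning "  $_" }
    return   # fix the firewall rule before attempting the trust
}

# 2. Name resolution: this side needs a conditional forwarder for the remote
#    domain (and the remote side needs one pointing back at this DC).
Add-DnsServerConditionalForwarderZone -Name $RemoteDomain `
    -MasterServers $RemoteDCIP -ReplicationScope 'Forest'

# 3. Create the two-way trust. /passwordd:* prompts for the remote admin password
#    instead of leaving it in the command line or the shell history.
netdom trust $LocalDomain "/domain:$RemoteDomain" /add /twoway `
    "/userd:$RemoteAdmin" /passwordd:*

# 4. Verify from the AD module and from Netlogon.
Get-ADTrust -Filter "Name -eq '$RemoteDomain'" |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication
nltest /domain_trusts /all_trusts
```

Once the trust is in place, grant the VLAN2 users (or a group from corp2.example) access to the HR web application on the VLAN1 side; nothing has to be migrated or kept in step. In the trust's properties in Active Directory Domains and Trusts, selecting "Allow authentication only for selected resources" (selective authentication) restricts the trusted domain's users to the servers you explicitly grant the "Allowed to Authenticate" right on, which is the least-privilege choice when only one application is meant to be shared.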