  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1105

How to join workstations to domain via WAN without VPN or RRAS

I am creating a new Windows Network with many external users, and I do not want users to authenticate via vpn or rras. I want them to be able to join and login to the domain via WAN to the Primary DC.

Does anyone know how? I will be placing a firewall between the PDC and WAN.
Asked by: lbeg
1 Solution
 
Housammuhanna commented:
MMMM, a link must exist so the client can connect to the server and DNS.
If you don't want to have anything like this, then you can have a child domain in the remote site and the users authenticate with that one, and let the replication happen for a few hours using the VPN.
The VPN is one of the most secure communication methods.
 
lbeg (Author) commented:
I would like to go through the firewall so users can authenticate/join via the WAN connection, not VPN.

Does anyone have experience with this?
 
DenisCooper commented:
What sort of link are you putting in place? If going over the internet, the only way is VPN - otherwise you would have to create external DNS entries etc. for your AD - have an external DNS server, thus making a very insecure network.

If you are using a direct link - i.e. leased line / fiber etc. - then you would need to open the ports up on your firewall. By direct link I mean literally a link from one building to another - which, from your question, I don't think is what you are wanting to do.
 
Azyre commented:
Well, in order for the clients to connect to your DC they need to get through your firewall in the first place, as the computers need to be on the same network in order to communicate with the domain, i.e. they need to be able to communicate. (Thus VPN, Virtual Private Network.) Rather than have a VPN you can have users connect to your domain servers via other routes, and there are a few of them: Citrix, RDP, etc., but you still need something to tell the users' computers where on the web to connect so that they can access the domain.

From what it sounds like you are trying to do, you can have the users authenticate to your domain through RDP (Remote Desktop Protocol), but you will require a terminal server in order for the users to connect. You will also need to open the ports on the firewall for the users to connect through.

Take a look at:

http://www.windowsnetworking.com/articles_tutorials/Overview-Terminal-Services.html
http://www.microsoft.com/windowsserver2008/en/us/ts-product-home.aspx
 
lbeg (Author) commented:
I'm thinking along the lines of a "hosted" solution, except only 1 server.

I have the capability for running external DNS - I actually set up the domain using an external DNS domain name, so...
 
LauraEHunterMVP commented:
Are you referring to performing domain joins and auth over the Internet, without using a VPN?

Worst idea on record. Will require opening up far too many high-risk ports on your firewall, and odds are good that an intermediate router between you and your clients will be blocking one or more of said high-risk ports.

Exactly what services are you trying to expose to your clients? There's probably a much better way to reach whatever your end-game is. If you want to expose email functionality, there's OWA for webmail or Outlook Anywhere for the thick client, neither of which requires direct Internet WAN authentication when designed properly. That's an example for one specific service; depending on your needs, there will be others.
 
lbeg (Author) commented:
Wow guys. Please keep on-topic. I didn't ask for opinions. I am aware of the security, but with a proper firewall for DoS attacks, port blocking, etc. and proper authentication via Active Directory, I think I'll be O.K.

Quoted from Iron Man, "This isn't my first rodeo."
 
Azyre commented:
You can't just throw a DC out on the internet and have users connect to it. (Well, you can, but you'd have no way of managing which users are yours and which ones are hackers, and even attempting to do something like that would make hackers all over the world smile.) You need to have some sort of user authentication onto your network and something to manage that authentication as well.

Also, as you are going to have "lots" of external users, you are going to need a solution powerful enough to manage all of the data packets from all of the users simultaneously. I believe both Citrix and M$-TS have a suggested limit of 32 concurrent sessions per average server. (4 GB RAM / good to high-end processor.)
 
lbeg (Author) commented:
I'm closing this question. No good is coming from it.
 
robrandon commented:
"Wow guys. Please keep on-topic. I didn't ask for opinions. I am aware of the security, but with a proper firewall for dos attacks, port blocking, etc and proper authentication via active directory, I think I'll be O.K."

lbeg - your comment doesn't make sense. In order to accomplish what you want, you will not be able to do any port blocking. According to your goals, anyone on the internet will be able to access the services you would normally protect with a firewall. You might as well not use a firewall at all.

The expert comments here were provided to steer you in a better direction than you are going. What you have in mind is a very bad idea. You should really consider using either a VPN or Citrix solution.
 
LauraEHunterMVP commented:
I don't consider offering security advice to be "off-topic", particularly when what you are espousing is a pretty horrific plan. If you are "aware of the security" then you wouldn't even be considering the scenario that you're describing, full-stop.

From a standpoint of professional ethics, it's my job to offer you the best advice possible, and the best advice in this scenario is "Find another way to do what you are considering." See my previous, in re: determine what services you intend to offer to your clients, and then determine the best mechanism for doing so securely. (The answer to the latter will in no case be "Allow direct connections to a writeable domain controller over the Internet.")
 
Azyre commented:
---> lbeg:
Quoted from Iron Man, "This isn't my first rodeo."

-->
Quoted from my wife, "If you want to wrestle a bull and everyone is telling you, 'don't wrestle that bull, it's simply not possible' you really should think twice before wrestling that bull."
 
DenisCooper commented:
I'll try and make a sensible comment - I understand what you want to do, but this really isn't feasible. Yes, if you want an open network, then you can do it, although it won't be reliable. Microsoft don't actually recommend using the same external DNS with your internal network - although it can be done.

Your AD DC would need to be in front of the firewall. You would have to open all ports to the DC - as replication / authentication / DNS / Kerberos etc. won't work correctly behind a firewall. It would be hard to even have one DC out on the network and the others behind the firewall, as it just doesn't really function.

I think your best bet is to use some sort of tunneling software - VPN, or as mentioned above using Citrix or RDP. These work fine behind a firewall and would do the same job you want.

Let me know if I can help any more.
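To make the point above and robrandon's "you will not be able to do any port blocking" concrete, here is an added example (not from the thread) that audits a simple firewall rule list and flags any rule that allows a non-trusted source to reach the well-known domain-controller ports. The rule format, the trusted-network list and the sample rules are constructed assumptions; the port numbers are the standard ones a DC needs for DNS, Kerberos, LDAP, SMB, RPC and replication.

```python
# Added example: audit firewall rules for domain-controller ports exposed to
# untrusted sources. Rule format and sample rules are constructed for this demo.
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

# Well-known ports a domain controller must accept from clients/peers.
DC_PORTS = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
    389: "LDAP", 445: "SMB", 464: "Kerberos password change",
    636: "LDAPS", 3268: "Global Catalog", 3269: "Global Catalog SSL",
}
RPC_DYNAMIC = range(49152, 65536)  # Windows dynamic RPC range (replication, etc.)

# Networks we are willing to accept DC traffic from (assumed: RFC 1918 only).
TRUSTED = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source CIDR the rule matches
    dst_port: int
    proto: str = "tcp"


def exposes_dc(rule: Rule) -> Optional[str]:
    """Return a finding if the rule lets an untrusted source reach a DC port."""
    if rule.action != "allow":
        return None
    src = ip_network(rule.src, strict=False)
    if any(src.subnet_of(t) for t in TRUSTED):
        return None                      # internal source: not an exposure
    name = DC_PORTS.get(rule.dst_port)
    if name is None and rule.dst_port in RPC_DYNAMIC:
        name = "RPC dynamic"
    if name is None:
        return None                      # not a DC-relevant port
    return f"{rule.proto}/{rule.dst_port} ({name}) allowed from {rule.src}"


def audit(rules: List[Rule]) -> List[str]:
    return [f for r in rules if (f := exposes_dc(r))]


# Constructed sample: what "open the ports to the DC" looks like in a rule set.
SAMPLE_RULES = [
    Rule("allow", "10.0.0.0/8", 389),      # LAN LDAP: fine
    Rule("allow", "0.0.0.0/0", 389),       # Internet LDAP: exposed
    Rule("allow", "0.0.0.0/0", 88),        # Internet Kerberos: exposed
    Rule("allow", "0.0.0.0/0", 445),       # Internet SMB: exposed
    Rule("allow", "0.0.0.0/0", 50000),     # Internet dynamic RPC: exposed
    Rule("deny", "0.0.0.0/0", 135),        # deny rule: not a finding
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print("EXPOSED:", finding)
```

Every rule the WAN-join scenario needs shows up as a finding, which is exactly why a firewall adds nothing in that design.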
 
lbeg (Author) commented:
Thanks Denis.
 
robrandon commented:
FYI, this very setup is open to the exploit that MS has released an out-of-cycle security update for.
 
lbeg (Author) commented:
ROBRANDON,
Thank you so much for the info. Do you have a link to the out-of-cycle security update?