WatchGuard VPN Connection Setup

This question is continuation of this question:
http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Watchguard_Firewall/Q_23885304.html#a22922710

We created a group on our server, "VPN_AD", and assigned some users to it. We can authenticate just fine; however, users outside this VPN_AD group and other Active Directory users can still authenticate as well.

Is there any way to limit access to only those users in the VPN_AD group?

smaguire Asked:

dpk_wal Commented:
Sorry but not sure; I have never setup AD myself; I always had someone else who understood the working of AD set it up; my job always has been to configure the firewall. Systems have always been taken care by others.

May be some other expert with expertise in windows AD would be able to comment and help you further.

Regards.
0
 
smaguire (Author) Commented:
There must be something easy to let the Firebox know that if a user XXX is not part of the VPN_AD group, it should simply reject his/her connection and not let them authenticate.
Anyone know?
0
 
dpk_wal Commented:
Hi,

If the user you have configured is not part of the VPN group, then he would not get authenticated; typically this is what should happen. Let's say on AD you have the group VPN_AD with users a and b as the only members.
Now a third user, c, connects to the VPN; the Firebox sends c's details to AD, and as c is not part of the VPN_AD group, AD sends a reject and the Firebox denies any further access to the user. The point to understand here is that if for some reason AD sends allow or accept, then the FB would allow user c.
Finally, in the policy which is created to allow access to remote users, again, if AD says allow, that policy would be used to grant remote users access to the shared resources.

Please check what response is sent by AD to the FB; you can enable logging and you will be able to see the logs at runtime in Firebox System Manager.

As I already told you, I would not be able to assist you with AD configuration or settings.

Thank you.
0
smaguire (Author) Commented:
Thanks dpk_wal for your reply.
I understand your answer and it's logical, but the problem I am facing (I think) is within the Firebox itself and not with AD. The Firebox is authenticating against all users in AD and not a group within AD, so this makes me believe that I am missing something like adding a MemberOf string or something like that.
It looks to us that every time we enter a user, the FB grabs the user name and password and passes them to AD, saying "here is a user I have, and I want to know if he/she is an Active Directory user or not."
Checking the logs, everything is being granted access within Active Directory regardless of its group.
Thanks again
0
 
dpk_wal Commented:
Did you upload the settings file on the client again after you made changes to the Firebox? Every time you make a change, the client either needs to be updated manually or you need to take the .wgx file and reload it.

Normally, if the user is not part of the group (which should be the same on both AD and the Firebox), then AD sends a deny.

Thank you.
0
 
smaguire (Author) Commented:
Yes, I did, but the Firebox still authenticates it. I think I have to talk to WatchGuard and see what they think.

Thanks
0
 
smaguire (Author) Commented:
It seems the AD authentication checks to see if the user exists in AD for a successful authentication. What we want to do is check whether a user is a member of a security group in AD, not whether they exist. I'm not sure if this is possible with the AD interface in the WatchGuard. We realize we can search a specific directory location in AD, but this does not help us, as our users already have a structure which we cannot modify to place users in a "VPN ALLOWED" folder. The Group String is interesting, because what we really want to query is something like memberOf = Mobile Users.

Have you ever seen this type of configuration done?
0
 
smaguire (Author) Commented:
Thank you for trying to help me out.
0