SSL VPN combined with MS AD Domain Login

I have a challenge which I hope anyone can help me solve..
Our company uses a CRM-system which requires users to be logged on as MS AD domain users.
This works perfectly well when the users are on our internal LAN, but it is a challenge to make this work over an SSL VPN-connection.

To be able to do a login on the domain you must have network access to the domain server, but you cannot set up an SSL VPN-connection before you have logged in (locally) and started your web browser.

Anyone who can help me out on this ??
toyman61Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

dfxdeimosCommented:
Do all the users that would be logging in via VPN have a physical workstation at your location? If so, they could just establish the VPN then open a Remote Desktop Connection to their workstation and work that way.

If not you could setup an additional server that functions as a Terminal Server and allows the users to get a desktop in your domain that way.
CompuzedCommented:
Typically, a VPN SSL connection, you run a client software of some kind on the off site resource ( Laptop or whatever) .  When the client software creates the SSL - VPN connection, the DNS is put in place on a "virtual" NIC ( adaptor).  This new IP ( lets say 10.10.10.100) is then on the same subnet as you LAN back in the office.  By virture of being on the same subnet, when the user logs in, they are in fact authentication to the DC, thus being a MS AD domain user.    Now your CRM is the issue..... somehow you will have to tell the local copy of your database that it needs to sync with the Remote Database..... Maximizer does a good job of this, but not sure what you might be using.
Obviously , only one set of data should be in play here.
dfxdeimosCommented:
@ Compuzed:

It is not correct to say that just because someone is logged in via VPN that they are "Authenticat[ed]ion to the DC". Just because they have passed their credentials once to whatever the authentication mechanism of the VPN connection does not mean they can browse the network at will and authenticate with integrated windows authentication (based upon the connection account).

When they try to access a resource they are by default still going to be passing their login information from their LOCAL PC to whatever they are accessing.
Check Out How Miercom Evaluates Wi-Fi Security!

It's not just about Wi-Fi connectivity anymore. A wireless security breach can cost your business large amounts of time, trouble, and expense. Plus, hear first-hand from Miercom on how WatchGuard's Wi-Fi security stacks up against the competition plus a LIVE demo!

CompuzedCommented:
Correction noted....my mistake.

toyman61Author Commented:
dfxdeimos: No, my users will not have a physical workstation at our location. All have laptops, which they use both in office and i.e. at home (or on travel or...).

Compuzed: The problem is that although our users are authenticated with their AD credentials to our SSL VPN-solution they are still not authenticated to AD as such. Our CRM-solution requires full AD authentication....

 
CompuzedCommented:
Try looking at the ports that AD uses for authentication....I think the term is LDAP, and I think it is port 53??
dfxdeimosCommented:
@ Compuzed:

Knowing those ports won't make any difference. The issue here is that integrated Windows authentication will not work to pass your creds to the AD enabled application (CRM) unless you are actually logged in to something that creates the proper token.

@ ToyMan61:

Are these laptops members of the domain?
toyman61Author Commented:
Compuzed: LDAP uses port 389. This information is found in your /etc/services-file (or windows\system32\drivers\etc for Windows-users). Port 53 is DNS - Domain Name Server.

dfxdeimos: Some of them are, but not all. I But they will be in the near future.

Today we have used a VB6-application to authenticate users with the AD, and map the necessary shared directories and printers. But that is not enough for our CRM-application... :-(

So the problem is still unsolved..



dfxdeimosCommented:
What is going to have to happen here (as far as I can see) is that you are going to have to set up a Terminal Server that exists inside of the domain at all times. Users will be able to establish their VPN connection and then RDP to the server, which will give them a desktop and the ability to authenticate within the domain.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
tigerbamCommented:
Yes this is possible...have had similar scenario and it was working using Aventail SSL VPN box and juniper SA 's. Can you tell me which SSL VPN box you are using with its version number also mentioned.
toyman61Author Commented:
We are using ZyWall SSL 10 as SSL VPN-box with firmware-version 1.00(AQH.6).
How did you solve this challenge ?
tigerbamCommented:
Its quite simple...its more to do with the functionality of the box. In case of Juniper for the particular role, we should configure the web bookmark for the particular URL that you want the end user to access.
When the user tries to access the link, the authentication will be prompted.

Going thru the Zywall doc ....will comeback to you later as to whether it will work or not.
toyman61Author Commented:
tigerbam: That might work - but our customers already have to authenticate themselves to the SSL VPN-solution, and if they have to authenticate once again to be able to use the application it will not be used (trust me, we have tried this before..).  ZyWall SSL does not gives me the ability to take the credentials from the first authentication session and use it seamlessly to authenticate into another system/application. At least not as far as I know.



toyman61Author Commented:
tigerbam: I use the term "customers". It shall be "employees" - of course..
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VPN

From novice to tech pro — start learning today.