GGUser

asked on

Group membership for an AD integrated firewall

We are admins for a Windows Server 2003 machine, but the firewall on the network is administered by a third party. In order to integrate the firewall with Active Directory we need to grant the third party a user account with privileges that would enable the firewall to poll the AD and check for user authentication. We want to ensure this account has the minimum rights to enable them to do this job but nothing more, i.e. no admin rights, no logon rights.

As far as I am aware this is a typical AD-integrated firewall scenario. The firewall in question is a Firebox.

Thanks, GG
Johneil1

Can you be a little more clear on your question? Which part of it are you having an issue with? All the firewall should need is an AUTH server named.
GGUser

ASKER

The firewall needs to authenticate users who connect to it via VPN. We could set it up so the firewall has its own list of users and passwords, but this would mean administering two sets of users, one on the server and one on the firewall. The firewall has the ability to integrate with the AD, so that the firewall can authenticate users straight from the AD using their Windows account, but in order to do so it needs a dedicated AD account that it can use to poll the AD.

I'm assuming a standard 'domain user' account won't give the firewall suitable privileges but a 'domain admin' account will give them far too much access. Is there a group membership that would allow the firewall to access AD and authenticate users but not give them full admin rights?
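As an added illustration of the account the asker describes (this is example code written for this page, not WatchGuard's procedure or anything from the thread), the script below creates a service account that is nothing more than a member of Domain Users and then shows that such an account is enough for the two things an AD-integrated VPN authenticator has to do: look a user up and read their group membership, and verify the user's own password by binding as that user. Assumed names: domain example.local (DC=example,DC=local), domain controller dc01.example.local, an OU named "Service Accounts", the account name svc-firebox and a group CN=VPN Users,OU=Groups. It uses ADSI and System.DirectoryServices (.NET 2.0), which work against a Windows Server 2003 domain controller without the ActiveDirectory PowerShell module.

```powershell
# Added example, not from the original thread. Assumed names below
# (example.local, dc01, "Service Accounts" OU, svc-firebox, "VPN Users").
$Domain  = "example.local"
$BaseDN  = "DC=example,DC=local"
$DcHost  = "dc01.example.local"
$SvcName = "svc-firebox"

function New-FirewallSearchAccount {
    # Plain user object: it is placed in no group beyond the default Domain Users.
    $ou   = [ADSI]"LDAP://$DcHost/OU=Service Accounts,$BaseDN"
    $user = $ou.Create("user", "CN=$SvcName")
    $user.Put("sAMAccountName", $SvcName)
    $user.Put("userPrincipalName", "$SvcName@$Domain")
    $user.Put("description", "Firewall LDAP search account - no interactive logon")
    $user.SetInfo()

    # 32 random bytes -> 44-character password; only the firewall ever stores it.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = [Convert]::ToBase64String($bytes)
    $user.Invoke("SetPassword", $password)

    # NORMAL_ACCOUNT (0x200) | DONT_EXPIRE_PASSWD (0x10000). Writing this value
    # also clears the ACCOUNTDISABLE (0x2) and PASSWD_NOTREQD (0x20) bits that
    # ADSI sets on a freshly created user.
    $user.Put("userAccountControl", 0x10200)
    $user.SetInfo()
    return $password
}

function ConvertTo-LdapFilterValue([string]$s) {
    # RFC 4515 escaping so a username typed into the VPN prompt cannot
    # change the meaning of the search filter.
    return $s.Replace("\", "\5c").Replace("*", "\2a").Replace("(", "\28").Replace(")", "\29").Replace([string][char]0, "\00")
}

function Test-VpnUser {
    param([string]$SvcPassword, [string]$UserName, [string]$UserPassword)
    $root = "LDAP://$DcHost/$BaseDN"

    # Step 1: bind as the search account and look the user up. In a default
    # domain, Authenticated Users can read sAMAccountName and memberOf, so an
    # ordinary domain user is sufficient here; no admin group is involved.
    $svc = New-Object System.DirectoryServices.DirectoryEntry($root, "$SvcName@$Domain", $SvcPassword)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($svc)
    $safeName = ConvertTo-LdapFilterValue $UserName
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safeName))"
    [void]$searcher.PropertiesToLoad.AddRange(@("userPrincipalName", "memberOf"))
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { return $false }

    $groups = @($hit.Properties["memberof"])
    if ($groups -notcontains "CN=VPN Users,OU=Groups,$BaseDN") { return $false }

    # Step 2: verify the user's own password by binding as that user.
    # Touching NativeObject forces the bind; a wrong password throws.
    $upn = $hit.Properties["userprincipalname"][0]
    $asUser = New-Object System.DirectoryServices.DirectoryEntry($root, $upn, $UserPassword)
    try { [void]$asUser.NativeObject; return $true }
    catch { return $false }
}

# Usage (run once as an account allowed to create users in that OU):
#   $pw = New-FirewallSearchAccount
#   Test-VpnUser -SvcPassword $pw -UserName "jsmith" -UserPassword "<their password>"
```

The "no logon rights" part of the request is not an attribute on the user object; it is set through Group Policy under User Rights Assignment by adding the account to "Deny log on locally" and "Deny log on through Terminal Services" on the domain controllers and member servers. Two caveats a practitioner would want: if the domain's default permissions have been tightened, grant the search account read access on the user OU rather than adding it to any administrative group; and every failed step-2 bind counts toward the user's account lockout threshold, so a VPN facing the Internet needs rate limiting in front of it.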
What is the model firewall that you have?

ASKER

Without going to the site I couldn't tell you the exact model, but it's a Firebox X Core e-Series.

ASKER

Thanks for the link, but the instructions on that site are for RADIUS authentication and we need to configure NT Authentication.
I don't think that you can get around the domain admin issue. I don't have much experience with the Fireboxes, but most other firewalls and VPN devices require that the account have domain admin level access (for AD integration). My co-worker has a lot of Firebox experience, so I will ask him for you when he gets in.
ASKER CERTIFIED SOLUTION
Johneil1
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.

ASKER

Hmm. This suggests that the firebox doesn't actually need its own account. I shall need to go back to the firewall guys and clarify why they need the account. Thanks very much!
That is what I was thinking before... all you should need is the AUTH server and DNS, and that should be it!
So, not truly knowing that box, it seems that you can get around the account issue!
Good luck

ASKER

Thanks again.