Setting up Mobile VPN with LDAP auth from BOVPN Virtual Interface (to Azure AD DS)

I set up a site-to-site BOVPN to an Azure VNet containing an Azure AD Domain Services instance, and on our local network I've tested that I have LDAP (port 389) access to the remote domain controllers. I checked the box to add that tunnel to the BOVPN-Access policies as well.

But when I try to set up an LDAP authentication server on the Firebox that uses the remote LDAP (for use with Mobile VPN), it always errors when I test from the Web UI:
Connect to server: Failed (can't connect to x.x.x.x[server is down or unreachable])
Log in (bind): Failed (unknown)

Are there additional routes or policies that need to be put in place?

Comments

  • My guess is that the LDAP packet from the firewall uses an IP addr not in your current routing to Azure.

    You can log packets from the firewall to verify the IP addr being used for this.
    In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> "Enable logging for traffic sent from this device"
    In the Web UI: System -> Logging -> Settings

  • If you are using BOVPN Vif configuration, try to configure a free IP address from your on-prem network in the BOVPN Vif / VPN Routes / Assign virtual interface IP addresses config.

    The Firebox will then use this address when it connects to the remote LDAP server through the VPN tunnel.
    See: https://www.screencast.com/t/2ba2JIhWcF

  • @Kimmo_Pohjoisaho THAT WAS IT! B)
    Many thanks, huge help...and the fix was still implemented before WG support even managed to review my case (which is nearly as big a problem, IMO).
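To see why the virtual-interface IP matters, here is an added example (not from this thread or from WatchGuard) that reproduces the two steps the Web UI test reports, "Connect to server" and "Log in (bind)", from a host on the on-prem network while pinning the socket to a chosen source address. The LDAP messages are hand-encoded in BER so it runs with only the standard library; `ldap_test`, `source_ip` and the constructed responses are the example's own names and data.

```python
"""Run a minimal LDAP connect + simple bind from a chosen source IP, so the
traffic uses an address that the BOVPN tunnel's routes cover."""
import socket

def ber(tag: int, content: bytes) -> bytes:
    """Minimal BER TLV with definite length (short and long forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def build_bind_request(msg_id: int, dn: str = "", password: str = "") -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple auth } }.
    Empty dn/password is an anonymous bind, enough to prove reachability.
    msg_id must be < 128 (single-byte INTEGER) for this tiny encoder."""
    bind = ber(0x02, b"\x03") + ber(0x04, dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x60, bind))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                       # long-form length
        k = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + ln], pos + ln

def parse_bind_result(resp: bytes) -> int:
    """Extract resultCode from a BindResponse; 0 means the bind succeeded,
    49 (invalidCredentials) still proves the server was reachable."""
    _, msg, _ = read_tlv(resp, 0)       # outer LDAPMessage SEQUENCE
    _, _, pos = read_tlv(msg, 0)        # messageID
    tag, op, _ = read_tlv(msg, pos)     # protocolOp
    if tag != 0x61:                     # [APPLICATION 1] BindResponse
        raise ValueError(f"unexpected protocolOp tag {tag:#x}")
    _, code, _ = read_tlv(op, 0)        # resultCode ENUMERATED
    return int.from_bytes(code, "big")

def ldap_test(server: str, source_ip: str, dn: str = "", password: str = "",
              port: int = 389, timeout: float = 5.0) -> int:
    """Step 1 'Connect to server' (TCP, bound to source_ip), then step 2
    'Log in (bind)'. A connect timeout here matches the Web UI's
    'server is down or unreachable' when source_ip is not routed via the tunnel."""
    with socket.create_connection((server, port), timeout=timeout,
                                  source_address=(source_ip, 0)) as s:
        s.sendall(build_bind_request(1, dn, password))
        return parse_bind_result(s.recv(4096))

if __name__ == "__main__":
    # Placeholder addresses: the remote DC and the virtual-interface IP you assigned.
    print("bind resultCode:", ldap_test("x.x.x.x", "192.0.2.10"))
```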
