Options

Domain UPN change from .local to .com

We recently changed our domain UPN from .local to .com. Previously it was PersonOne@company.local, now its PersonOne@company.com because we switched to O365 for email, and for Azure AD Sync. We also use Duo MFA for VPN auth.

The problem is, when I login as usual with just the username, aUser and password in Mobile VPN SSL client, it does nothing. I tried aUser@company.com on the VPN, and this time I got one Duo MFA Prompt for LDAP Proxy. Usually we get 2 LDAP Proxy prompts.

To test VPN issue, I changed the UPN to aUser@company.local, and I'm able to VPN with aUser and the password, and also getting both Duo MFA.

Since we have to use .com now how can I make this work? Do I need to change any VPN settings on the WatchGuard?

This is my authentication setting now. Do I need to change this to the new UPN?

Also this is the DNS settings. Change the Domain Name to the new UPN?

Comments

  • Options
    edited May 15

    Any ideas will help, thanks.

  • Options

    Thanks

  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    You need to change your auth server (in Authentication -> Servers, select LDAP) to reflect the new domain name.
    If you type in another domain name (via UPN) in the VPN client, the firebox may try to find that auth server. Since it doesn't exist, it'll likely fail.

    -James Carson
    WatchGuard Customer Support

  • Options

    I'm sorry I think I typed that wrong.

    The domain name is still company.local. When I go to one of the DC, and look up System information, it shows computer name as DC01.company.local, and under it shows Domain: company.local

    But, in Active Directory, the users are in user@company.com format.

    The auth servers are still showing company.local as before, so that should be correct right?

  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @tantony
    If they're still showing .local on the firewall and you need them to be .com, you will need to change that in your auth server settings.

    If it's something else, I'd suggest opening a support case so that we can look into any errors you might be seeing.

    -James Carson
    WatchGuard Customer Support

Sign In to comment.