Multiple AD Auth Servers - How do I configure DNS?

Hi,

I have a query regarding SSL VPN with multiple AD domains.

I have a firewall situated at a site with two different organisations. Each on it's own subnet and each connected to its own M200 port.

Each organisation runs its own AD domain and there is no connectivity between the two beyond the sharing of the broadband.

I can:

  • Define two AD authentication servers.
  • Get the SSL VPN user to logon to the correct AD domain by specifying the username prefixed by the domain.
  • Grant access to only the correct subnet based on the user's membership of an AD security group.

The one part I cannot figure out how to do is DNS. The Watchguard seems only to be able to provide a single set of DNS servers and DNS suffix - whereas I need to be able to provide one DNS server for one organisation but a different DNS server for the other.

I could configure one DNS server for each AD domain and give them out as a set. As long as the user only has access to the correct DNS server this should work but (a) they would have to wait for unavailable DNS servers to time out, and (b) this doesn't address the DNS suffix problem.

I can't help but think I can't be the first person with this requirement and I am missing something obvious.

If you could lend any guidance I would be most appreciative.

Thanks and regards,

Comments

  • James_CarsonJames_Carson WatchGuard Representative

    Hi FOSnet,

    Thanks for writing.

    The SSLVPN is only able to provide a single profile, and therefore is only configurable with what you see, the one set of DNS servers and suffix info.

    If you're looking to configure for multiple domains, the Mobile VPN w/IPSEC will allow you to set up multiple profiles, with different information, pointing at different AD servers.

    You could even have one organization on SSLVPN and one on IPSEC, if you wanted to do that.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • OK - I understand. Thanks for your assistance. Will proabaly go with the IPSEC solution I guess.

Sign In to comment.