Active-Directory-aware VPN



  • What are my options for an Active Directory aware VPN?

    What I'd like is for my users to be able to connect their computers from on the road, using their AD credentials to log in. Then, once they're in, have full access to the internal network, only limited by their AD identities and group policies and that kind of thing.

    How hard can it be?


  • I survived the hour long Uno hand

    @Captain We have something by F5 that lets us log in via a web address with our AD credentials and opens a VPN tunnel. It works pretty well.



  • Most VPN devices allow for LDAP credentials, which can query AD directly.

    If all clients are Windows and you want to manage a Windows Server as your VPN "device" (port forwarding TCP/443 or such to the server), you can use the Remote Access role on Server 2012 and newer to terminate SSTP tunnels, which can also authenticate against your AD infrastructure.

    I strongly advise using the VPN device with LDAP if it's available to you. The SSTP server is a real bear to support, because your users will always want to connect their iDeviceMacAndroid whatever to the VPN after you make things start working, and SSTP support outside of Windows is sketchy at best.

    Edit: Remote Access does support PPTP tunnels as well. But for security reasons, I would not recommend PPTP as your long term deployment for a greenfield solution. Get a 3rd party SSL VPN type device, use OpenVPN, or use SSTP if you really really must. In general, something that looks and acts like HTTPS is the best option to combine security, manageability, and usability (it won't be blocked by very many hotel wifi firewalls or similar).
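    The "Windows Server as the VPN device" option described in this post, as an added example that is not from the thread or from the poster: an SSTP-only Remote Access setup on Server 2012 or newer using the RemoteAccess PowerShell module. Assumptions: the server is domain-joined (so RRAS validates user logons against AD with Windows authentication), a trusted TLS certificate for the hypothetical public hostname vpn.example.com is already in the machine certificate store, and the remote-client pool 192.168.253.0/24 is the one used later in the thread.

```powershell
# Added example: SSTP-only Remote Access (RRAS) on Windows Server 2012+.
# Not from the thread. Assumes a domain-joined server, an existing TLS cert for
# vpn.example.com (hypothetical hostname) in Cert:\LocalMachine\My, and the client
# pool 192.168.253.0/24 used elsewhere in the thread.

# Role and role services: RemoteAccess with the "DirectAccess and VPN (RAS)" and Routing services.
Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools

# Deploy the VPN role only (no DirectAccess). Run this from an elevated prompt on the
# server itself; the RRAS setup briefly resets networking on the box.
Install-RemoteAccess -VpnType Vpn

# Bind SSTP to the certificate whose subject is the public VPN hostname.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=vpn.example.com*' } |   # assumed hostname
    Select-Object -First 1
if (-not $cert) { throw 'No certificate for vpn.example.com found in the machine store.' }
Set-RemoteAccess -SslCertificate $cert

# Offer SSTP ports for clients. PPTP is not configured here; per the post above,
# leave it disabled (RRAS console: Ports) rather than relying on it long term.
Set-VpnServerConfiguration -TunnelType Sstp -SstpPorts 128

# Static address pool for remote clients, so no DHCP relay is needed.
Add-VpnIPAddressRange -IPAddressRange '192.168.253.10', '192.168.253.250'

# Accept only EAP for user authentication, i.e. no bare MS-CHAPv2/CHAP/PAP over the
# tunnel. EAP-MSCHAPv2 or certificate-based EAP-TLS can then be enforced via NPS policy.
Set-VpnAuthProtocol -UserAuthProtocolAccepted Eap -PassThru

# Sanity check: role state, bound certificate and port configuration.
Get-RemoteAccess
Get-VpnServerConfiguration
```

    The certificate check is there because Set-RemoteAccess with a null certificate fails in a less obvious way than the explicit throw. Group-based access (who may dial in at all) is still driven by AD: either the per-user "Network Access Permission" dial-in attribute or an NPS network policy that conditions on group membership, which is the part that makes the VPN "AD-aware" in the sense the original question asks for.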



  • @Captain Our company uses something called FortiClient to do this. Works ok.

    2-factor via email or phone app (Duo Mobile).



  • I'm probably going to feel dumb for posting this but uhhh...

    Just use Windows Server?

    I've never seen Windows Server used as the VPN Gateway but umm...should work?


  • :belt_onion:

    @blakeyrat said in Active-Directory-aware VPN:

    FortiClient

    gag


  • :belt_onion:

    Yeah, use Routing and Remote Access in Windows Server. It's AD integrated and plays nicely with Windows clients. And non-Windows clients can still connect too.



  • @MathNerdCNU @sloosecannon

    There are numerous articles out there that compare different VPN options (such as: https://www.bestvpn.com/blog/4147/pptp-vs-l2tp-vs-openvpn-vs-sstp-vs-ikev2/ -- sorry for the Richard Stallman fanboi slant on the article, I CBA to find a more balanced one but his technical analyses are accurate), but of the three options that RRA (Remote Access VPN, as of Server 2012 and newer) supports, you've got:

    • PPTP: easy to implement, good cross platform support, very poor encryption, generally uses an insecure authentication protocol (MS-CHAPv2)
    • L2TP: good cross platform support, no encryption natively (requires additional configuration to set up IPsec if traffic security is required), IPsec results in double-encapsulation (which negatively impacts throughput/performance), uses a unique port for control/authentication, and a unique protocol for data, which often requires firewall support on both the server and client ends of the connection, especially in IPv4 environments which will have NAT (may not work at all when the client is behind Carrier Grade NAT).
    • SSTP: looks like SSL traffic (secured, easily traverses NAT, not generally blocked), unsupported in Mac OS X (third party applications exist, but don't support all authentication options, including the most secure ones), unsupported in Android and iOS. Basically Windows-only from a technical perspective.

    And that's it. I mean, there's DirectAccess too, but that's not a VPN solution in any sense of the word -- requires clients to be under your control (members of your AD domain), requires IPv6 functionality on the network, and won't work with certain legacy applications that don't support being accessed by IPv4 DNS names or IPv6. (You know... that critical line of business application that only works when you have an ODBC connector set up to the database server's IP address... and that database server is SQL 2000 on Windows NT for Servers...)

    So, if I'm going into a prospective client to recommend a VPN solution, I'd have to be pretty far in the hole to recommend the RRA solution.



  • @izzion So just use RDG (Remote Desktop Gateway)? I know iOS and MacOS have RDC clients and I'm 99% sure Android does too. I know *Nix has some shitty RDC clone. 🚎



  • @MathNerdCNU

    RD Gateway can work, but the licensing costs can get a little sneaky there ($80-100 per user for the terminal server, every time you upgrade terminal server versions), especially when compared to solutions like Cisco AnyConnect which works out to like $5/user/year. I suppose you could go for the administration hell that is RD Gateway to on-premises PCs... but I prefer getting to take actual vacations, sip fizzy drinks on a beach somewhere...



  • @izzion Does Cisco AnyConnect work with certs? From what I've seen (again, black box testing) it should, but until I have positive confirmation I won't believe it.


  • Grade A Premium Asshole

    @MathNerdCNU said in Active-Directory-aware VPN:

    I've never seen Windows Server used as the VPN Gateway but umm...should work?

    It actually works really well. We use it all the time. Just don't try to set it up unless you are at the machine that will be your VPN endpoint, or at least have immediate access to it. If you are a Windows based office, it is the best option available in my opinion.



  • @MathNerdCNU said in Active-Directory-aware VPN:

    I'm probably going to feel dumb for posting this but uhhh...

    Just use Windows Server?

    I've never seen Windows Server used as the VPN Gateway but umm...should work?

    My previous company and the one before it both used the VPN provided by Windows Server directly.

    IMO, if there are not too many "high bandwidth usage" users it should be okay. (There's one problem with the Windows Server provided VPN: it defaults to making your VPN gateway the default gateway of your computer, at least around the Win2008 era. Now if someone connects to the VPN and leaves heavy-traffic applications like BitTorrent running... :P )

    You need some configuration on the static route table to make it work the way it should.


  • Grade A Premium Asshole

    @cheong said in Active-Directory-aware VPN:

    (There's one problem with the Windows Server provided VPN: it defaults to making your VPN gateway the default gateway of your computer, at least around the Win2008 era. Now if someone connects to the VPN and leaves heavy-traffic applications like BitTorrent running...

    Good reminder. Under VPN properties, you need to set it to not use the gateway on the remote network, unless you want/need to monitor employee internet usage. But, if you do that, the internet performance of VPN connected machines will be absolute rubbish.



  • @Polygeekery said in Active-Directory-aware VPN:

    @cheong said in Active-Directory-aware VPN:

    (There's one problem with the Windows Server provided VPN: it defaults to making your VPN gateway the default gateway of your computer, at least around the Win2008 era. Now if someone connects to the VPN and leaves heavy-traffic applications like BitTorrent running...

    Good reminder. Under VPN properties, you need to set it to not use the gateway on the remote network, unless you want/need to monitor employee internet usage. But, if you do that, the internet performance of VPN connected machines will be absolute rubbish.

    In practice, setting that may or may not be good enough, depending on whether your VPN's DHCP is in the same network segment. If your company's network is in 192.168.168.0/22 and your VPN is in 192.168.253.0/24, you'll need to adjust the static route on the VPN client PC so it knows it should use the VPN gateway to find the other workstations when it sees an IP in the 192.168.168.0/22 range.



  • @MathNerdCNU

    The config on it claims it can work with client certificates. We haven't configured it to use that on our side at this point, just credentials auth against LDAP.



  • @cheong

    PowerShell:

    Get-VPNConnection | Set-VPNConnection -SplitTunneling $true -DNSSuffix mydomain.foo.com
    

    Windows VPN survival commands.
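    The client-side fix for both points above (split tunneling so the VPN is not the default gateway, plus a static route for a corporate prefix that is not the VPN pool's own subnet), as an added example that is not from the thread or from either poster. It uses the VpnClient module cmdlets on Windows 8.1/10 and later; the profile name "Corp VPN" is assumed, and the subnets and DNS suffix are the ones used in the posts above.

```powershell
# Added example: split-tunnel a Windows VPN profile and persist a route for the
# corporate network. Not from the thread. Assumes profile "Corp VPN", corporate
# network 192.168.168.0/22, VPN pool 192.168.253.0/24 and the DNS suffix from above.
$vpnName   = 'Corp VPN'           # assumed profile name
$corpNet   = '192.168.168.0/22'   # internal network from the thread
$dnsSuffix = 'mydomain.foo.com'   # from the post above

# 1. Split tunneling = "Use default gateway on remote network" unchecked.
#    Internet traffic now leaves via the local link; only routed prefixes use the VPN.
Set-VpnConnection -Name $vpnName -SplitTunneling $true -DnsSuffix $dnsSuffix

# 2. The pool (192.168.253.0/24) is on-link once connected, but 192.168.168.0/22 is not,
#    so add a classless route that is installed every time this profile connects.
#    Skip it if it is already present, so the script is safe to re-run.
$existing = Get-VpnConnectionRoute -ConnectionName $vpnName -ErrorAction SilentlyContinue |
    Where-Object { $_.DestinationPrefix -eq $corpNet }
if (-not $existing) {
    Add-VpnConnectionRoute -ConnectionName $vpnName -DestinationPrefix $corpNet -PassThru
}

# 3. Verify the stored profile: SplitTunneling should be True and the route listed.
Get-VpnConnection -Name $vpnName | Select-Object Name, SplitTunneling, DnsSuffix
Get-VpnConnectionRoute -ConnectionName $vpnName

# 4. After dialling in, confirm the route reached the live table on the VPN interface.
Get-NetRoute -DestinationPrefix $corpNet -ErrorAction SilentlyContinue |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric
```

    The route is tied to the profile, so it appears and disappears with the tunnel instead of lingering as a persistent route.exe entry pointing at a gateway that only exists while connected. Older clients without Add-VpnConnectionRoute have to fall back to a route.exe command run after connecting, or to a CMAK profile that carries the routes.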


  • Winner of the 2016 Presidential Election

    @izzion What about OpenVPN? I've had to use it in the past, and it seems to be supported on all platforms.

    @MathNerdCNU said in Active-Directory-aware VPN:

    Does Cisco AnyConnect work with certs?

    Yes, but it doesn't work on Linux. I mean, there's openconnect, but it's been broken for a while.



  • @asdf

    If you're a corporate IT monkey and supporting Linux VPN clients is a problem, you have what I call a "good problem" (all of your VPN clients are controlled by IT monkeys, probably you directly). My primary concern, and what colors my experience and expectations, is supporting end user clients, and in my experience, standard end users just don't use Linux. OpenVPN works for that, but is slightly more difficult for an end user to set up than a straight SSL VPN like SonicWall or Cisco's solutions, mostly around where you have to put the config files, etc.

    That said, OpenVPN is a functional solution, but I've only ever used the "server" side of it on MikroTik routers, so I can't speak to ease of set up and administration on a Linux server gateway.


  • Winner of the 2016 Presidential Election

    @izzion said in Active-Directory-aware VPN:

    in my experience, standard end users just don't use Linux

    Depends on who your end users are. If there's a significant number of developers, you should care about Linux support.

    @izzion said in Active-Directory-aware VPN:

    mostly around where you have to put the config files

    IIRC, the config files are only a convenience feature so that people don't have to enter all configuration options manually. And unless I'm misremembering, both the Windows and iOS client ask you for the configuration file and don't require it to be in a specific folder. I don't remember them being particularly hard to use correctly.


  • Grade A Premium Asshole

    @asdf said in Active-Directory-aware VPN:

    Depends on who your end users are. If there's a significant number of developers, you should care about Linux support.

    I am going to take a WAG that under his definition developers would not be "standard end users".


  • Winner of the 2016 Presidential Election

    @Polygeekery said in Active-Directory-aware VPN:

    I am going to take a WAG that under his definition developers would not be "standard end users".

    *sigh*

    Yes, I know. Developers are not standard end users and IT only cares about standard end users. This is why, despite that fact that I'm working in a large software company whose developers mostly use Linux, neither the VPN software nor the conferencing software nor anything else works on Linux. Who gives a fuck about developers? They only earn all our money.

    It's even more ironic, but I can't tell you why without partially doxxing myself by telling you where I work.


  • Grade A Premium Asshole

    @asdf said in Active-Directory-aware VPN:

    It's even more ironic, but I can't tell you why without partially doxxing myself by telling you where I work.

    Please god, let it be Red Hat.


  • Winner of the 2016 Presidential Election

    @Polygeekery said in Active-Directory-aware VPN:

    Please god, let it be Red Hat.

    What's the alternative, in your opinion? ;)



  • @asdf said in Active-Directory-aware VPN:

    Who gives a fuck about developers? They only earn all our money.

    Developers don't make all the money, salespeople do. After all, all developers have to do is fulfill the promises the salespeople already made!



  • @asdf

    I don't disagree with you that developers should be supported too. On the other hand, (strictly from my experience, not a slander on any person here in this thread or otherwise), developers tend toward doing their own "shadow IT" solution regardless of how well you support them, and resist all efforts to compel them to come in line with corporate IT's supported solution because it's not sufficiently open source / trendy / etc.

    At the end of the day, corporate IT has a budget (likely the flimsiest budget in the company), and if they don't satisfy the C-suite (or small business equivalent -- owner) needs, they're going to wind up on the street. If I have to choose between making developers or the boss man suck hind tit, well, I'm sorry, I sympathize, but you're going to have to run Windows or keep your shadow IT functioning and out of sight on your own :/

    (Apologies to anyone I may have offended if I didn't edit the sarcasm down enough. Lots of bad experiences with developers or other "expert users" that just refuse to let themselves be helped and demand having their way supported. Some of them get almost up to SJW level of behavior.)


  • Winner of the 2016 Presidential Election

    @izzion said in Active-Directory-aware VPN:

    On the other hand, […], developers tend toward doing their own "shadow IT" solution regardless of how well you support them

    Not entirely untrue, but: We're now forced to use Skype for meetings, which means that we talk about super-secret™ projects on a third-party service, which is VERBOTEN and risky. We have to choose between not being able to communicate properly and violating our contracts and risking company secrets, simply because our IT department is either incompetent or unwilling to support us.

    This situation is really fucked up.



  • @izzion said in Active-Directory-aware VPN:

    That said, OpenVPN is a functional solution, but I've only ever used the "server" side of it on MikroTik routers, so I can't speak to ease of set up and administration on a Linux server gateway.

    Huh, our gateway is a MikroTik router.



  • @asdf Skype-For-Business is secure. And a shitload better than HipChat, which is our alternative.


  • Winner of the 2016 Presidential Election

    @blakeyrat said in Active-Directory-aware VPN:

    Skype-For-Business is secure.

    We don't use that. We have to use our private Skype accounts, since officially we're not even allowed to use Skype.



  • @asdf Then you're idiots.


  • Winner of the 2016 Presidential Election

    @blakeyrat said in Active-Directory-aware VPN:

    Then you're idiots.

    Thank you for keeping the General Help category free of insults and trolling. Also, fuck you for assuming shit and not reading my posts, I explained my situation above.



  • @asdf Damnit. This is Ben L's fault, I told him the category needs to appear in the header after you scroll down and he never fixed that.

    Anyway. I still think you're doing it wrong. If the company policy is X, you do X. If that slows down your work, well, prove to the company that it's doing that, but don't stop doing X. Skype isn't that much better than email.

    You said you're forced to use it... like what does "forced" mean? There's a gun to your head?


  • Winner of the 2016 Presidential Election

    @blakeyrat said in Active-Directory-aware VPN:

    Skype isn't that much better than email.

    If I have to have a meeting between 5 different people all over the globe, I have no other choice but to break company policy. We usually try to discuss things via email first, but that's rarely ever fruitful and even if it is, a 5-minute discussion takes weeks. This is why even our manager + 1 tells us to ignore company policy. (Not in writing, of course.)

    You said you're forced to use it... like what does "forced" mean? There's a gun to your head?

    See above. There is no other solution that actually works.

    @blakeyrat said in Active-Directory-aware VPN:

    If that slows down your work, well, prove to the company that it's doing that

    Oh, they know it, but it's not going to change.



  • @asdf said in Active-Directory-aware VPN:

    If I have to have a meeting between 5 different people all over the globe, I have no other choice but to break company policy.

    What's the company-approved way of doing it?


  • ♿ (Parody)

    @asdf said in Active-Directory-aware VPN:

    @MathNerdCNU said in Active-Directory-aware VPN:

    Does Cisco AnyConnect work with certs?

    Yes, but it doesn't work on Linux. I mean, there's openconnect, but it's been broken for a while.

    Yeah, I use it on Windows with smart card login all the time.


  • kills Dumbledore

    @blakeyrat said in Active-Directory-aware VPN:

    What's the company-approved way of doing it?

    shout really loud


  • Winner of the 2016 Presidential Election

    @blakeyrat said in Active-Directory-aware VPN:

    What's the company-approved way of doing it?

    Using a Windows-only solution, when they're fully aware that most people use Linux and that the company-issued laptops are too slow to run Windows in a VM.



  • @Jaloopa I mean, seriously. They don't even provide conference phones? They must have SOME way of holding the meeting.



  • @asdf I do not believe they don't have conference phones.


  • Winner of the 2016 Presidential Election

    @blakeyrat said in Active-Directory-aware VPN:

    I do not believe they don't have conference phones.

    Last time I checked, you cannot share your screen via phone.



  • @asdf Aha! So they DO have conference phones. I win again.


  • Winner of the 2016 Presidential Election

    @blakeyrat said in Active-Directory-aware VPN:

    I win again.

    How? Yes, you're right, we have conference phones and we can actually have a phone meeting. No, that doesn't help us either, it's only slightly more effective than emails. Ever tried to discuss a UI, give a presentation or do a code walkthrough via phone? With more than two people on the call?



  • I don't have any reply to make about that that wouldn't go outside the "general help" rules. Which is a shame, because I got a great snarky one cued up.


  • kills Dumbledore

    @blakeyrat said in Active-Directory-aware VPN:

    I win again.

    Sure, if you assume that anything not explicitly mentioned at first isn't relevant at all.



  • @asdf

    Ultimately, all of the discussion with @blakeyrat aside, if your development team has a compelling business reason to use Linux, and IT is aware of that and has been mandated to or agreed to support that, then yes, they're in the wrong. If your development team is using Linux because of what I refer to as "religious reasons" (it's cooler, it's "libre" software, Microsoft and thus Windows is evil), then I'd be inclined to side with IT and say you should toe the line and use Windows.

    Though, of course, I'm not familiar with the ins and outs of your IT situation, so my "advice" is more just spouting nonsense on the Internet than anything intended to be actionable :P



  • @asdf said in Active-Directory-aware VPN:

    This is why even our manager + 1 tells us to ignore company policy. (Not in writing, of course.)

    Of course not. Management wants you to be productive, but they don't want to put their own heads on the chopping block. If your manager ever wants to get rid of you (or even better, your entire department) he'll just say you were breaking company policy. And as there's no written proof of his authorisation, you're screwed.



  • @Captain

    Setting up an OpenVPN server on a MikroTik router isn't very difficult, though the wiki documentation is out of date and incomplete or wrong in several areas. DM me if you want to look into it.

    On a more general observation to this thread -- I tend to advocate for using your firewall / router as the VPN gateway for three main reasons:

    • Routers have a specialized processor optimized for crypto operations, so they will be more performant than a server for VPN purposes.
    • Your firewall / router is much more likely to be where you're already doing other traffic filtering & control, and any NAT rules and such. So adding rules there to get your VPN traffic where it needs to go means you have a single point of management to worry about.
    • Cisco / SonicWALL VPN solutions utilize an HTTPS landing page and a wizard based installer to handle authenticated initial setup, making them a bit simpler to get set up on end user devices than OpenVPN or Windows SSTP/PPTP.

  • Winner of the 2016 Presidential Election

    @izzion said in Active-Directory-aware VPN:

    if your development team has a compelling business reason to use Linux

    Our software and a lot of the tools we use to develop it are Linux-only.

    and IT is aware of that and has been mandated to or agreed to support that

    We can choose whether we want Linux or Windows pre-installed on it when we get a laptop. So yes, it's officially supported. (If you can call it that, see rest of the thread.)



  • @asdf

    Well then, that's something I would be escalating, or complaining at my manager until it got escalated and resolved. But then again, I'm not an expert in byzantine corporate politics -- the largest company I've ever worked at is under 100 employees :D

