    Anyone figured out how to ZeroTier with AD?

IT Discussion
Tags: active directory, zerotier, vpn
88 Posts, 10 Posters, 10.7k Views
krisleslie @JaredBusch

@JaredBusch said in Anyone figured out how to ZeroTier with AD?:

Your AD server needs ZT and the ZT adapter needs to be marked as listened on in DNS server setup. The problem with this is that non ZT devices might get the ZT address of the server when they do a DNS lookup and that will break things.

This is complicated.

I installed the latest ZT client on my AD server and a few laptops. So, for the most part, they "talk" and can ping etc. I attempted to "sign on" with a new user (not cached) and it won't see it just yet.
krisleslie @IRJ

@IRJ Azure AD shouldn't even be in the conversation lol. Thanks though. Azure AD doesn't work like "AD" entirely. We are a Windows office but we are also vested in Linux and Google Chrome OS. I'm leaning very hard to Chrome OS in the future as most of our needs and staff are about 90-95% fully functional with Chrome OS. At some point the only "Windows" devices will be held by IT and where absolutely necessary.
Dashrender @krisleslie

@krisleslie said in Anyone figured out how to ZeroTier with AD?:

@Dashrender because one person I'm dealing with attempted to do that before (without my approval or knowledge) and messed up that Site to Site already at one of our other offices. While setting up a static VPN site to site can work, I have people that will eventually take those laptops home (read staff only, about a handful) and will want most of the same access remotely.

At that point, you have two options - resolve all the ZT AD issues only for those users - or give those users a standard mobile VPN solution.

I'm glad that JB chimed in here - the last time I tried to get ZT to work with AD it was painful to say the least - and completely unreliable to say the most.

As he mentioned, you have to install ZT on the AD servers (and every other server you want the users to have access to). All of those ZT addresses have to be in the AD DNS, which means that non ZT clients would query DNS and get a ZT address and have no route to get to that network, etc.

If you move the entire company to ZT, things get a little better, because the client won't care which IP they get from a DNS query - because they will all be able to use local IPs or ZT IPs...

What I haven't tried is what happens when you're on the road - say at Starbucks... your machine gets an IP from Starbucks along with DNS entries... Now when you query AD - where is the DNS query going? To the SB DNS or to your private network DNS? - JB might know the answer to this...
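The two failure modes in the post above (a DC registering both its LAN and ZeroTier addresses in AD DNS, and a laptop on hotspot Wi-Fi whose resolver is the hotspot's DNS) can be reasoned about with a small model. The following is an added example written for this thread; it is not code from the thread, from ZeroTier, or from Microsoft. Every address, the `10.147.17.0/24` ZeroTier range, the `corp.example` zone, the `Client` type and the function names are constructed for the illustration. It classifies, for a given client, whether a DC lookup can succeed, and audits which registered DC addresses are unroutable for which clients, which is the check you would want before marking the ZT adapter as a listen address.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the model: office LAN and a ZeroTier managed range
# (placeholder values, not a real deployment).
LAN_NET = "10.0.0.0/24"
ZT_NET = "10.147.17.0/24"
DC_NAME = "dc1.corp.example"

# AD DNS answer sets. DC_BOTH models the DC registering both its LAN and its ZT
# adapter (ZT adapter marked "listen on"); DC_LAN_ONLY models LAN registration only.
DC_BOTH = {DC_NAME: ["10.0.0.10", "10.147.17.10"]}
DC_LAN_ONLY = {DC_NAME: ["10.0.0.10"]}


@dataclass(frozen=True)
class Client:
    name: str
    routes: tuple      # networks this host can actually reach (connected, ZT, or VPN)
    resolver: str      # "corp": AD DNS is reachable; "hotspot": coffee-shop/ISP DNS


def resolve(client: Client, name: str, records: dict) -> list:
    """What the client's configured resolver returns for an internal AD name."""
    if client.resolver != "corp":
        # A hotspot's DNS is not authoritative for the AD zone and has no
        # forwarder into the office, so the query never reaches AD DNS.
        return []
    return list(records.get(name, []))


def reachable(client: Client, addr: str) -> bool:
    """True if the client has a route covering addr."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in client.routes)


def auth_outcome(client: Client, records: dict, name: str = DC_NAME) -> dict:
    """Classify whether this client can locate its DC.

    ok     : every answer is routable; logon works whichever address is picked
    flaky  : some answers are unroutable; answer ordering decides success
    fail   : answers exist but none are routable
    no-dns : the resolver cannot answer for the AD zone at all
    """
    answers = resolve(client, name, records)
    if not answers:
        return {"status": "no-dns", "good": [], "bad": []}
    good = [a for a in answers if reachable(client, a)]
    bad = [a for a in answers if not reachable(client, a)]
    if not bad:
        status = "ok"
    elif good:
        status = "flaky"
    else:
        status = "fail"
    return {"status": status, "good": good, "bad": bad}


def dangling_records(records: dict, clients: list) -> dict:
    """Audit: map each registered DC address to the clients that cannot route to it."""
    out = {}
    for addrs in records.values():
        for addr in addrs:
            hit = [c.name for c in clients
                   if c.resolver == "corp" and not reachable(c, addr)]
            if hit:
                out[addr] = hit
    return out


# Constructed client population
LAN_PC = Client("lan-pc", (LAN_NET,), "corp")                      # desktop, no ZT
ZT_LAPTOP_ON_LAN = Client("zt-laptop-lan", (LAN_NET, ZT_NET), "corp")
ROAD_WARRIOR = Client("zt-laptop-hotspot", (ZT_NET,), "hotspot")   # DNS handed out by the hotspot
VPN_LAPTOP = Client("l2tp-laptop", (LAN_NET,), "corp")             # VPN pushes LAN route and corp DNS

if __name__ == "__main__":
    for c in (LAN_PC, ZT_LAPTOP_ON_LAN, ROAD_WARRIOR, VPN_LAPTOP):
        print(c.name, auth_outcome(c, DC_BOTH))
    print("dangling:", dangling_records(DC_BOTH, [LAN_PC, ZT_LAPTOP_ON_LAN, VPN_LAPTOP]))
    print("l2tp-laptop with LAN-only registration:", auth_outcome(VPN_LAPTOP, DC_LAN_ONLY))
```

Running it shows the thread's claims in miniature: the plain LAN desktop is "flaky" against a DC that registers both adapters (it may be handed the ZT address), the ZT laptop on the LAN is "ok", the laptop on hotspot DNS gets no answer at all, and the L2TP laptop is only reliably "ok" once the DC registers its LAN adapter alone. The `dangling_records` audit lists the ZT address as unroutable for every non-ZT client, which is the condition that would have to be empty before the whole office can be said to be on ZT.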
krisleslie @Dashrender

@Dashrender that becomes a shit storm is what it becomes.
Dashrender @krisleslie

@krisleslie said in Anyone figured out how to ZeroTier with AD?:

I have two remote sites - no servers at them. All authentication is over the site to site VPN between my firewalls.
So what are you using for authentication? So each site just "talks" to each other over VPN, I gotcha there, but authentication is handled by what?

When a PC at the remote site wants to authenticate - it makes a DNS query asking the IP address of the AD controller - that DNS query is sent over the VPN to the main site, the DNS/AD box responds... then the PC sends the auth request to the AD box's IP address - done.
Dashrender @krisleslie

@krisleslie said in Anyone figured out how to ZeroTier with AD?:

@JaredBusch said in Anyone figured out how to ZeroTier with AD?:

Your AD server needs ZT and the ZT adapter needs to be marked as listened on in DNS server setup. The problem with this is that non ZT devices might get the ZT address of the server when they do a DNS lookup and that will break things.

This is complicated.

I installed the latest ZT client on my AD server and a few laptops. So, for the most part, they "talk" and can ping etc. I attempted to "sign on" with a new user (not cached) and it won't see it just yet.

Exactly - because the PC doesn't get the proper DNS info back.
Dashrender @krisleslie

@krisleslie said in Anyone figured out how to ZeroTier with AD?:

@Dashrender that becomes a shit storm is what it becomes.

What is this in reference to? The ZT at Starbucks?
krisleslie

So what was all the fuss about putting the IPv6 address in at some point in the long thread y'all had before?
krisleslie @Dashrender

@Dashrender absolutely yeah. Because I actually have one staff member who unfortunately has no other option but to go to Starbucks.
krisleslie

I had a lifetime deal with Pertino but after they got absorbed that eventually faded away, unfortunately.
Dashrender @krisleslie

@krisleslie said in Anyone figured out how to ZeroTier with AD?:

@Dashrender absolutely yeah. Because I actually have one staff member who unfortunately has no other option but to go to Starbucks.

What kind of firewalls do you have?
krisleslie

Nothing spectacular, just UBNT firewalls.
Dashrender @krisleslie

@krisleslie said in Anyone figured out how to ZeroTier with AD?:

Nothing spectacular, just UBNT firewalls.

Perfect - set up a VPN for end users - then have their client log in with IPsec.
krisleslie

Already smell what ya cooking
https://help.ubnt.com/hc/en-us/articles/204949694-EdgeRouter-OpenVPN-Site-to-Site
Dashrender @krisleslie

@krisleslie said in Anyone figured out how to ZeroTier with AD?:

Already smell what ya cooking
https://help.ubnt.com/hc/en-us/articles/204949694-EdgeRouter-OpenVPN-Site-to-Site

https://help.ubnt.com/hc/en-us/articles/204950294-EdgeRouter-L2TP-IPsec-VPN-Server

Your link uses OpenVPN - which you'll have to install on the ER. L2TP will use the stuff already on the ER.
krisleslie

Cool, time to read 🙂
krisleslie

So you're suggesting to throw ZeroTier out of the equation (since we're dealing with AD) and then set up L2TP on each router (Site A and Site C) and each client (only a handful of clients for staff, but for students maybe a bit of a headache).
krisleslie

LOL I see why more schools say "F" Windows and go straight to Chrome OS.
IRJ @krisleslie

@krisleslie said in Anyone figured out how to ZeroTier with AD?:

@IRJ Azure AD shouldn't even be in the conversation lol. Thanks though. Azure AD doesn't work like "AD" entirely. We are a Windows office but we are also vested in Linux and Google Chrome OS. I'm leaning very hard to Chrome OS in the future as most of our needs and staff are about 90-95% fully functional with Chrome OS. At some point the only "Windows" devices will be held by IT and where absolutely necessary.

If managing with AD, yes, but you mentioned authentication in the OP, so a workable solution. But yeah, Azure AD isn't a fit with what you want to do.
Dashrender @krisleslie

@krisleslie said in Anyone figured out how to ZeroTier with AD?:

So you're suggesting to throw ZeroTier out of the equation (since we're dealing with AD) and then set up L2TP on each router (Site A and Site C) and each client (only a handful of clients for staff, but for students maybe a bit of a headache).

Students? You're a school? Yeah - no clue there... I've never had to deal with that kind of pain!

I would definitely move everything to a hosted LANless setup for anything they access.

Do you provide devices to students as well? Definitely want some kind of mobile device manager for those puppies, I would guess. Dealing with them like you deal with typical corporate users would be challenging, I'm guessing.
Page 2 / 5