Anyone figured out how to ZeroTier with AD?
-
@krisleslie said in Anyone figured out how to ZeroTier with AD?:
I have two remote sites - no servers at them. All authentication is over the site to site VPN between my firewalls.
So what are you using for authentication? So each site just "talks" to each other over VPN, I gotcha there, but authentication is handled by what?
When a PC at the remote site wants to authenticate - it makes a DNS query asking the IP address of the AD controller - that DNS query is sent over the VPN to the main site, the DNS/AD box responds. Then the PC sends the auth request to the AD box's IP address - done.
-
@krisleslie said in Anyone figured out how to ZeroTier with AD?:
@JaredBusch said in Anyone figured out how to ZeroTier with AD?:
Your AD server needs ZT and the ZT adapter needs to be marked as listened on in DNS server setup. The problem with this is that non ZT devices might get the ZT address of the server when they do a DNS look up and that will break things.
This is complicated.
I installed the latest ZT client on my AD server and a few laptops. So, for the most part, they "talk" and can ping etc. I attempted to "sign on" with a new user (not cached) and it won't see it just yet.
Exactly - because the PC doesn't get the proper DNS info back.
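As an added illustration (not code from anyone in this thread) of the DNS problem described above: a DC that registers both its LAN and ZeroTier adapter addresses hands out, via round robin, an address that a non-ZT client (or a ZT-only laptop) cannot reach. The subnets, hostname and A records below are constructed for the example.

```python
import ipaddress
from typing import Dict, List

# Constructed example networks (not values from the thread):
# routed site LANs reachable over the site-to-site VPN, and the ZeroTier managed range.
LAN_NETS = [ipaddress.ip_network("10.10.0.0/24"),   # main site (DC lives here)
            ipaddress.ip_network("10.20.0.0/24")]   # remote site, no servers
ZT_NET = ipaddress.ip_network("10.147.17.0/24")     # ZeroTier assigned range

# Constructed DNS A records the DC registers once its ZT adapter is a listening interface.
DC_RECORDS: Dict[str, List[str]] = {
    "dc01.corp.example": ["10.10.0.5", "10.147.17.23"],
}

def _on_lan(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in LAN_NETS)

def reachable_answers(client_ip: str, addrs: List[str]) -> List[str]:
    """Addresses the client can actually reach, judged by which networks it sits on."""
    client = ipaddress.ip_address(client_ip)
    on_zt, on_lan = client in ZT_NET, _on_lan(client)
    ok = []
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if (ip in ZT_NET and on_zt) or (_on_lan(ip) and on_lan):
            ok.append(a)
    return ok

def unreachable_answers(client_ip: str, records: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Per host, registered addresses this client cannot reach: with DNS round robin the
    client may be handed one of these first, and its AD logon then times out."""
    bad = {}
    for host, addrs in records.items():
        good = set(reachable_answers(client_ip, addrs))
        stray = [a for a in addrs if a not in good]
        if stray:
            bad[host] = stray
    return bad

if __name__ == "__main__":
    # A remote-site PC (site-to-site VPN, no ZT) and a ZT-only laptop at a coffee shop.
    for client in ("10.20.0.40", "10.147.17.90"):
        print(client, "cannot use", unreachable_answers(client, DC_RECORDS))
```

Registering only the LAN adapter for DNS (or a separate name for the ZT address) makes the second dictionary empty for every client class.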
-
@krisleslie said in Anyone figured out how to ZeroTier with AD?:
@Dashrender that becomes a shit storm is what it becomes.
What is this in reference to? The ZT at Starbucks?
-
So what was all the fuss about putting the IPv6 Address in at some point in the long thread yal had before?
-
@Dashrender absolutely yea. Because I actually have one staff member who unfortunately has no other option but to go to Starbucks.
-
I had a lifetime deal with Pertino but after they got absorbed that eventually faded away, unfortunately.
-
@krisleslie said in Anyone figured out how to ZeroTier with AD?:
@Dashrender absolutely yea. Because I actually have one staff member who unfortunately has no other option but to go to Starbucks.
What kind of firewalls do you have?
-
Nothing spectacular just UBNT Firewalls.
-
@krisleslie said in Anyone figured out how to ZeroTier with AD?:
Nothing spectacular just UBNT Firewalls.
Perfect - set up a VPN for the end user - then have their client log in with IPsec.
-
Already smell what ya cooking
https://help.ubnt.com/hc/en-us/articles/204949694-EdgeRouter-OpenVPN-Site-to-Site
-
@krisleslie said in Anyone figured out how to ZeroTier with AD?:
Already smell what ya cooking
https://help.ubnt.com/hc/en-us/articles/204949694-EdgeRouter-OpenVPN-Site-to-Site
https://help.ubnt.com/hc/en-us/articles/204950294-EdgeRouter-L2TP-IPsec-VPN-Server
Your link uses OpenVPN - which you'll have to install on the ER. L2TP will use the stuff already on the ER.
-
Cool time to read
-
So you're suggesting to throw ZeroTier out of the equation (since we're dealing with AD) and then setup L2TP on each router (Site A and Site C) and each client (only a handful of clients for staff but for students maybe a bit of a headache).
-
LOL I see why more schools say "F" windows and go straight to Chrome OS.
-
@krisleslie said in Anyone figured out how to ZeroTier with AD?:
@IRJ Azure AD shouldn't even be in the conversation lol. Thanks though. Azure AD doesn't work like "AD" entirely. We are a Windows office but we are also vested in Linux and Google Chrome OS. I'm leaning very hard to Chrome OS in the future as most of our needs and staff are about 90-95% fully functional with Chrome OS. At some point the only "Windows" devices will be held by IT and where absolutely necessary.
If managing with AD, yes, but you mentioned authentication in the OP, so it's a workable solution. But yeah, Azure AD isn't a fit with what you want to do.
-
@krisleslie said in Anyone figured out how to ZeroTier with AD?:
So you're suggesting to throw ZeroTier out of the equation (since we're dealing with AD) and then setup L2TP on each router (Site A and Site C) and each client (only a handful of clients for staff but for students maybe a bit of a headache).
Students? You're a school? Yeah - no clue there... I've never had to deal with that kind of pain!
I would definitely move everything to a hosted LANLess setup for anything they access.
Do you provide devices to Students as well? Definitely want some kind of mobile device manager for those puppies, I would guess. Dealing with them like you deal with typical corporate users would be challenging, I'm guessing.
-
Honestly, it's really for authentication. I'm not even sure I want to add a print server to them. At best right now they will have 3-4 printers. They won't ever need a file server. Most work is done via SaaS services. Honestly if we didn't have some jacked up forms built to only work in MS Office, then I'd say the hell with Windows for those users. It's really not even needed.
-
We are a multi hat non-profit. We just so happen to be a post-secondary school too.
-
@krisleslie said in Anyone figured out how to ZeroTier with AD?:
Honestly, it's really for authentication. I'm not even sure I want to add a print server to them. At best right now they will have 3-4 printers. They won't ever need a file server. Most work is done via SaaS services. Honestly if we didn't have some jacked up forms built to only work in MS Office, then I'd say the hell with Windows for those users. It's really not even needed.
Does the online version of Office work for those forms? You can find out by trying a free OneDrive account and editing the file online there.
-
They come to class, use the device for studying, testing & research purposes and go home. No checking device out to go with you home.