Active directory Authentication: how to create a failover configuration with 2 DC?

I've configured Active Directory Authentication on a XG330 with 17.0.5 MR5.

When configuring AD Authentication, you are asked to specify only one server name/ip address.

Most of my customers have at least 2 Domain Controllers, so how do I create a configuration that can manage a DC failure?

Do I have to create a second configuration with the other DC, or just create a single configuration with the domain name instead of the DC's IP address?



  • Well, the KB is about STAS and SSO, I've already implemented that configuration and it works for "internal" authentication.

    The problem is with SSL VPN and User Portal, when connecting from WAN. Authentication from WAN doesn't work with SSO, neither does authentication to the User Portal.

    When I log in to the User Portal with my AD credentials, the firewall is configured with AD Authentication.

    So I need that configuration to be balanced through my 2 Domain Controllers, not STAS/SSO.

  • Hi,


    I also would like to know how to set up Active Directory Authentication with 2 Domain Controllers.


    Currently, if a user gets their password wrong, it will authenticate against both AD Servers and lock their accounts.


    I am only using AD Authentication to the User Portal and SSL VPN so I don't think STAS is what I want to do.

    In UTM I would have set up authentication using an Availability Group, but this option is not available to me in XG.

  • I'm just setting up an XG box to replace my UTM, so I have no idea if this is best practice or how reliable it will be in the long term yet.

    I've created a single 'Server' under Authentication > Servers, but for the Server IP Address I've entered the FQDN of the Active Directory domain. DNS will use round-robin to resolve this to one of the domain controllers in the domain.

    This isn't a 'failover' solution, but it will distribute the load evenly amongst all the DCs, and will automatically update as DCs are added/removed from the Domain.
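The two behaviours discussed in this thread (DNS round-robin on the domain FQDN, and a wrong password being tried against every DC until the account locks) are easy to see side by side in a small client. The script below is an added illustration, not code from the thread or from Sophos: it resolves the domain name the way the previous post describes, walks the returned DCs in DNS order, and only moves to the next DC on a transport failure. A credential rejection from the first DC that answers is final, so one typo costs one bad-password count, not one per DC. The `bind` callable, the `DCUnreachable`/`InvalidCredentials` exceptions, the fake resolver and the `10.0.0.x` addresses are all constructed for the example; a real deployment would plug in an LDAP bind from a library of its choice.

```python
import socket
from typing import Callable, Iterable, List, Tuple


class DCUnreachable(Exception):
    """Transport-level failure: the DC did not answer (timeout, refused, reset)."""


class InvalidCredentials(Exception):
    """The DC answered and rejected the username/password."""


def resolve_dcs(domain_fqdn: str, port: int = 389,
                resolver: Callable[..., Iterable] = socket.getaddrinfo) -> List[str]:
    """Resolve the domain FQDN to the DC addresses DNS returns, in DNS order.

    Every DC registers an A record for the domain name, so a lookup of the
    FQDN yields the whole DC set in rotating (round-robin) order. Duplicates
    are dropped but order is kept: the first entry is the DC DNS "chose".
    """
    seen, ordered = set(), []
    for _family, _type, _proto, _canon, sockaddr in resolver(
            domain_fqdn, port, type=socket.SOCK_STREAM):
        ip = sockaddr[0]
        if ip not in seen:
            seen.add(ip)
            ordered.append(ip)
    return ordered


def authenticate_with_failover(domain_fqdn: str, username: str, password: str,
                               bind: Callable[[str, str, str], None],
                               resolver: Callable[..., Iterable] = socket.getaddrinfo) -> str:
    """Try DCs in DNS order; fail over only on unreachability.

    Returns the IP of the DC that accepted the credentials.
    Raises InvalidCredentials on the first DC that actually rejects them
    (never retried elsewhere, so badPwdCount is incremented once), or
    DCUnreachable if no DC could be contacted at all.
    """
    failures: List[Tuple[str, str]] = []
    for ip in resolve_dcs(domain_fqdn, resolver=resolver):
        try:
            bind(ip, username, password)
            return ip
        except DCUnreachable as exc:
            failures.append((ip, str(exc)))   # keep trying the remaining DCs
        # InvalidCredentials propagates untouched: do not shop a bad password around
    raise DCUnreachable(f"no domain controller reachable: {failures}")


# ---- constructed stand-ins so the example runs offline --------------------

# Constructed DNS answer in getaddrinfo() shape: two DCs, first one repeated.
def fake_resolver(host, port, type=None):
    return [(2, 1, 6, "", ("10.0.0.1", port)),
            (2, 1, 6, "", ("10.0.0.2", port)),
            (2, 1, 6, "", ("10.0.0.1", port))]


class FakeDirectory:
    """Constructed DC pool: 10.0.0.1 is down, 10.0.0.2 is up and counts bad binds."""

    def __init__(self):
        self.bad_password_attempts = {"10.0.0.1": 0, "10.0.0.2": 0}

    def bind(self, ip: str, username: str, password: str) -> None:
        if ip == "10.0.0.1":
            raise DCUnreachable("connection timed out")
        if password != "correct-horse":
            self.bad_password_attempts[ip] += 1
            raise InvalidCredentials("LDAP bind rejected")


def demo() -> Tuple[str, int]:
    """Good login fails over to the live DC; a bad one is counted exactly once."""
    directory = FakeDirectory()
    accepted_by = authenticate_with_failover(
        "corp.example", "alice", "correct-horse", directory.bind, fake_resolver)
    try:
        authenticate_with_failover(
            "corp.example", "alice", "wrong", directory.bind, fake_resolver)
    except InvalidCredentials:
        pass
    return accepted_by, sum(directory.bad_password_attempts.values())


if __name__ == "__main__":
    print(demo())
```

Note that this is client-side behaviour: when the firewall itself is the client, as in this thread, whether a bad password is retried against the second DC is up to the firewall's implementation, which is exactly the lock-out effect the earlier post describes. The useful check on your own side is the `lockoutThreshold` in the domain password policy against the number of DCs the firewall can reach.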