06-13-2014 01:14 PM
We have a Microsoft 2012 DA installation that enables clients to attach to our internal infrastructure. The clients all end up with IPv6 addresses, and the DA server uses 6to4 translation for the clients to get to services. The problem I am finding is that when these clients log onto DA, our AD sees them all coming from the same IPv4 address. So I can't enforce proper URL filtering based on User-ID, as the User-ID that the firewall sees is constantly changing based on the AD logs seen by the agent.
I have attempted to use Captive Portal with NTLM and without (just using the portal page), and to ignore IDs learnt from the AD logs on the DA subnet, but the result is essentially the same: once another user logs in, the firewall thinks the IP/user relationship has changed again.
Obviously you can get round this with Terminal Servers or Citrix servers using the specific agent. I have tried to install the agent on DA, but it won't install (Not really that surprising!) What is the correct answer in this instance? I can't convert my network to IPv6 to run DA natively, and I'm not sure what else we can do.
At the moment I think we may have to buy a Proxy just for this purpose which is not really what we want to be doing.
Any help much appreciated!
06-13-2014 01:30 PM
Could you stop the 6to4 translation on the DA servers, instead routing the IPv6 addresses to the Palo Alto and perform the 6to4 NAT on the firewalls - using the PA firewall to allow your clients to access the rest of your network over IPv4?
I'd imagine at least your Captive Portal setup would work then as the PA would be seeing individual, consistent IPv6 addresses.
I guess to get the auth running via AD, you'd need to get a domain controller or two within the IPv6 zone between the DA and PA boxes...
06-13-2014 02:04 PM
Yes, I'm going to see if I can explore that next week, not easy as a few thousand people are on it! The other thing I was going to look at was the syslog collector available in v6 PAN-OS. We are deploying fresh on v6, so this may provide part of the answer; routing into and out of DA would need to go via the Palo, and yes, it could do the v6 NAT. If the syslog works, I then don't need to try and get a v6-enabled DC in the mix, not sure if my server team could take the headache!
At the moment I'm only worried about web traffic via a simple proxy (web filtering all done by Palo), so I will configure a v6 entry in DNS for it, and get DA to route out via the Palo to the proxy. If syslogging works, I probably don't need anything else to confirm the User-ID.
I wonder if it would compare that user-id to the groups used in AD though? I think that's the closest to an answer if DA can syslog me what I need!
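An added illustration (not code from any poster in this thread or from Palo Alto Networks) of the mechanism described in the opening post, and of why letting the firewall see per-client IPv6 addresses, as suggested in the first reply and in the syslog idea above, keeps the mapping stable. It replays a few logon events into a last-writer-wins ip-to-user table, once keyed on the single translated IPv4 address and once on each client's own IPv6 address, and counts how often an existing entry gets overwritten by a different user. The syslog line format, hostname, user names and addresses are all constructed for this example; the real DirectAccess event format is not reproduced here.

```python
"""Model of a firewall's ip-to-user table when DirectAccess clients sit behind one NAT address.

Added example; not code from the thread or from any vendor. The syslog format
below is invented for illustration and is NOT the real DirectAccess/RRAS format.
"""
import re
from collections import OrderedDict

# Constructed sample: one line per client logon. Each client has its own IPv6
# address on the DA side; the DA server then translates all of them to a single
# IPv4 address before the traffic reaches the firewall.
SAMPLE_SYSLOG = """\
<14>Jun 13 13:01:02 da01 DirectAccess: user=CORP\\alice ipv6=2002:c0a8:0101::1 connected
<14>Jun 13 13:01:09 da01 DirectAccess: user=CORP\\bob ipv6=2002:c0a8:0101::2 connected
<14>Jun 13 13:01:15 da01 DirectAccess: user=CORP\\carol ipv6=2002:c0a8:0101::3 connected
<14>Jun 13 13:02:40 da01 DirectAccess: user=CORP\\alice ipv6=2002:c0a8:0101::1 connected
"""

# Assumed: the one translated IPv4 address the firewall sees for every DA client.
DA_NAT_IPV4 = "10.50.0.4"

LINE_RE = re.compile(r"user=(?P<user>\S+)\s+ipv6=(?P<ip>[0-9a-fA-F:]+)")


def parse_logons(text):
    """Return a list of (user, ipv6) pairs from the constructed syslog lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("user"), m.group("ip")))
    return events


def build_mapping(events, key_ip):
    """Replay logon events into an ip->user table the way a User-ID style agent
    does: the most recent logon seen for an address wins.

    key_ip maps a client's IPv6 address to the address the firewall actually sees.
    Returns (mapping, churn) where churn counts the times an existing entry was
    overwritten with a *different* user, i.e. how often policy would flip.
    """
    mapping = OrderedDict()
    churn = 0
    for user, ipv6 in events:
        ip = key_ip(ipv6)
        prev = mapping.get(ip)
        if prev is not None and prev != user:
            churn += 1
        mapping[ip] = user
    return mapping, churn


def behind_nat(_ipv6):
    """Every client collapses onto the single translated IPv4 address."""
    return DA_NAT_IPV4


def native_ipv6(ipv6):
    """The firewall sees each client's own IPv6 address (NAT moved to the firewall)."""
    return ipv6


def compare(syslog_text=SAMPLE_SYSLOG):
    """Run both scenarios over the same events and return their tables and churn."""
    events = parse_logons(syslog_text)
    return {
        "nat": build_mapping(events, behind_nat),
        "ipv6": build_mapping(events, native_ipv6),
    }


if __name__ == "__main__":
    for name, (mapping, churn) in compare().items():
        print(f"{name}: {len(mapping)} entr{'y' if len(mapping) == 1 else 'ies'}, "
              f"{churn} user flips -> {dict(mapping)}")
```

With the clients all behind `10.50.0.4`, the table holds exactly one entry and three of the four logons overwrite it with a different user, which is the flapping the opening post describes; keyed on the per-client IPv6 addresses the same events produce three stable entries and no flips, so user-based policy would hold regardless of who logs on next.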