Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote
-
@pete-s said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 Can you use 2FA on the VPN connection when doing it like that? Otherwise that would be a major concern.
Another issue with forced VPN is that if your VPN is down then the users can't log in at all and can't work. That's a lot of eggs in the same basket. Does your company have HA firewalls, redundant internet, redundant power etc?
Otherwise, using the cached domain password, the users could log in locally. Then they would be able to use their computers with local files and software and also have access to online resources such as M365 and whatever else you use.
No, you cannot use 2FA from within the Windows login screen with Sonicwall NetExtender.
-
@dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@pete-s said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 Can you use 2FA on the VPN connection when doing it like that? Otherwise that would be a major concern.
Another issue with forced VPN is that if your VPN is down then the users can't log in at all and can't work. That's a lot of eggs in the same basket. Does your company have HA firewalls, redundant internet, redundant power etc?
Otherwise, using the cached domain password, the users could log in locally. Then they would be able to use their computers with local files and software and also have access to online resources such as M365 and whatever else you use.
No, you cannot use 2FA from within the Windows login screen with Sonicwall NetExtender.
Actually you can. You just click the icon to pull up NetExtender and punch your creds in, then it asks you for the TOTP.
-
@pete-s said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 Can you use 2FA on the VPN connection when doing it like that? Otherwise that would be a major concern.
Another issue with forced VPN is that if your VPN is down then the users can't log in at all and can't work. That's a lot of eggs in the same basket. Does your company have HA firewalls, redundant internet, redundant power etc?
Otherwise, using the cached domain password, the users could log in locally. Then they would be able to use their computers with local files and software and also have access to online resources such as M365 and whatever else you use.
Yes, the Sonicwall supports TOTP codes on the connection, thankfully. The VPN connection wouldn't be forced, though users would obviously need a continuous VPN connection to use apps on the local network. We do also have O365, so they aren't dead in the water if the VPN went down for some reason. Yes, I have redundant firewalls, Internet and power, etc. I have as much redundancy and failover as is possible/makes sense. Internet goes down maybe twice a year since I've been there (5+ years), so it's not really a concern at all. Honestly, this is probably the best setup currently for us in our current state.
@JasGot pretty much helped me the most here to solve my problem, which was just something simple I had overlooked.
/thread
-
@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dbeato said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@pete-s said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 Can you use 2FA on the VPN connection when doing it like that? Otherwise that would be a major concern.
Another issue with forced VPN is that if your VPN is down then the users can't log in at all and can't work. That's a lot of eggs in the same basket. Does your company have HA firewalls, redundant internet, redundant power etc?
Otherwise, using the cached domain password, the users could log in locally. Then they would be able to use their computers with local files and software and also have access to online resources such as M365 and whatever else you use.
No, you cannot use 2FA from within the Windows login screen with Sonicwall NetExtender.
Actually you can. You just click the icon to pull up NetExtender and punch your creds in, then it asks you for the TOTP.
Yeah, you are right. I was more thinking of the SSO MFA SSL VPN, but the TOTP either via email (not as secure) or the Authenticator app works well.
-
I was just thinking, there's not really currently a way I can lock down access to specific computers that can access the VPN. I can give access to only select employees, but what's to stop an employee from downloading NetExtender on a non-company-managed device and accessing the network that way?
-
@dave247 I use certificates to only allow company owned and managed devices to connect.
-
@voip_n00b said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 I use certificates to only allow company owned and managed devices to connect.
Interesting, can you elaborate more on how you achieve that?
-
@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@voip_n00b said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 I use certificates to only allow company owned and managed devices to connect.
Interesting, can you elaborate more on how you achieve that?
It's common to have certificates with VPN.
An OpenVPN client, for example, without any MFA is usually set up so that it needs a client certificate and a username and password as well as the connection info. The same goes for Cisco AnyConnect and others.
The VPN connection uses mutual authentication, so the client authenticates that the server is who it is supposed to be and the server authenticates that the client is who it says it is.
If you install the certificate on your company devices, you can't connect to the VPN just by downloading and installing the client on another computer and entering the credentials, because you don't have the certificate.
So that's how you can control what device is allowed to connect. For more security the certificates can also be stored on smart cards, hardware devices or even the TPM module inside the computer.
You should have something similar on NetExtender. Look for client certificate or client authentication.
Another thing with certificates is that you can prevent VPN access by revoking the client's certificate. And also certificates expire, so you can give someone short-term access if you like.
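As an added illustration of the mechanism pete-s describes (this is not code from the thread, from SonicWall or from any VPN vendor), the script below uses the openssl CLI to stand up a tiny private CA, issue a per-device client certificate, run the same chain check a VPN server performs when a client presents its certificate, then revoke the device via a CRL and show that a short-lived certificate stops verifying after it expires. The CA name, device names, lifetimes and the minimal `ca.cnf` are all made up for the demo; a real deployment would keep the CA key offline and would let the VPN appliance do the verification.

```shell
#!/bin/sh
# Added example, not from the thread: private CA -> device cert -> server-side
# verification, plus revocation (CRL) and expiry. All names/lifetimes are made up.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Minimal config for `openssl ca`; only needed here for -revoke and -gencrl.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = device_ca
[ device_ca ]
database = index.txt
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 30
EOF
: > index.txt
echo 01 > crlnumber

# 1. The private CA the VPN server trusts for client authentication. A device
#    can only chain to it if the company actually issued its certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Example Corp Device CA" -keyout ca.key -out ca.crt 2>/dev/null

# 2. Issue a certificate to one managed device. A small -days value is the
#    "short term access" case: the certificate stops working by itself.
issue_device_cert() {  # $1 = device name, $2 = validity in days
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days "$2" -out "$1.crt" 2>/dev/null
}

# 3. What the server does with a presented client cert: chain it to the CA,
#    refuse anything on the CRL, and check validity at the given clock.
#    $1 = cert file, $2 = epoch seconds to evaluate at (default: now)
verify_device_cert() {
  openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check \
    -attime "${2:-$(date +%s)}" "$1" >/dev/null 2>&1
}

# 4. Publish the CRL, and revoke a device (lost laptop, offboarding).
publish_crl() { openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null; }
revoke_device_cert() {  # $1 = device name
  openssl ca -config ca.cnf -revoke "$1.crt" 2>/dev/null
  publish_crl
}

# Demo run: a long-lived laptop cert and a contractor cert valid for one day.
issue_device_cert laptop-0042 365
issue_device_cert contractor-tmp 1
publish_crl   # empty CRL so -CRLfile always has a file to read

if verify_device_cert laptop-0042.crt; then echo "laptop-0042: accepted"; fi

# A self-signed cert from anyone else never chains to ca.crt.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=unmanaged" \
  -keyout unmanaged.key -out unmanaged.crt 2>/dev/null
if ! verify_device_cert unmanaged.crt; then echo "unmanaged: rejected (not our CA)"; fi

# Three days from now the one-day contractor cert has expired.
if ! verify_device_cert contractor-tmp.crt "$(( $(date +%s) + 3*86400 ))"; then
  echo "contractor-tmp: rejected (expired)"
fi

revoke_device_cert laptop-0042
if ! verify_device_cert laptop-0042.crt; then echo "laptop-0042: rejected (revoked)"; fi
```

The `-attime` switch is just a way to show expiry without waiting a day; a server uses its own clock. The CRL is what makes revocation take effect, so it has to be regenerated and delivered to the VPN server (or checked via OCSP) every time a device is revoked, otherwise the server keeps accepting the old certificate until it expires.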
-
@pete-s said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@voip_n00b said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:
@dave247 I use certificates to only allow company owned and managed devices to connect.
Interesting, can you elaborate more on how you achieve that?
It's common to have certificates with VPN.
An OpenVPN client, for example, without any MFA is usually set up so that it needs a client certificate and a username and password as well as the connection info. The same goes for Cisco AnyConnect and others.
The VPN connection uses mutual authentication, so the client authenticates that the server is who it is supposed to be and the server authenticates that the client is who it says it is.
If you install the certificate on your company devices, you can't connect to the VPN just by downloading and installing the client on another computer and entering the credentials, because you don't have the certificate.
So that's how you can control what device is allowed to connect. For more security the certificates can also be stored on smart cards, hardware devices or even the TPM module inside the computer.
You should have something similar on NetExtender. Look for client certificate or client authentication.
Another thing with certificates is that you can prevent VPN access by revoking the client's certificate. And also certificates expire, so you can give someone short-term access if you like.
Nice, I will check it out. I have opened a few tickets and asked around other places regarding NetExtender and nobody has said anything about this, so I don't know if it's possible with the Sonicwall NSA / NetExtender setup, but I will find out.