Hi Edward,
I know the Cisco VPN Client that we use (and its successor, Cisco AnyConnect) can be installed in a mode that launches the VPN client before the Windows login screen comes up. (The user can decline the VPN connection if desired.) This "VPN-before-login" functionality would allow the client laptop to have a connection to your internal AD DCs to authenticate the user/pass and prompt for a password change if needed.

Putting DCs out on even a semi-protected network is a Very Bad Idea (tm) if you ask me...

Best,
Will

From: [email protected] [mailto:[email protected]] On Behalf Of Edward Ned Harvey (lopser)
Sent: Thursday, January 24, 2013 4:52 PM
To: LOPSA Technical Discussions ([email protected])
Subject: [lopsa-tech] AD Mobile Users

I have my own ideas, but I'm not the only person in the organization, so I want to ping you guys and see what you think before I raise certain subjects with the other IT folks.

You have an AD organization, and you need to support some users who work almost exclusively remotely. You were able to join their laptop to the domain upon initial deployment, and they logged in for the first time while on the LAN. They set their initial password, then they left the building, and now the question is ... What next?

Rather than talk about anything as it stands within the company today, I want to hear the most creative possible solutions: not just how you *would* design the solution, but how you *might*, if you're trying to think as creatively and full-featured as possible, no walls, without compromising security.

For things like password resets, they can do it via the OWA interface, but then there needs to be a way for the AD server to propagate the change to the client. The client can have a VPN client. It can launch and connect automatically and non-interactively. It can have a split tunnel or a non-split tunnel. The user can simply press Ctrl-Alt-Del to change their password.

This is probably fine, to just support users that already have systems deployed to them. It's kind of difficult for a user to log in to a laptop that they haven't previously logged into, but I think that's a limitation that is generally acceptable, plus it's not *impossible* to work around.

Could it be? Maybe it's actually possible to safely deploy an AD server into a DMZ or on the WAN, which their clients use for things like password resets and stuff? Literally available on the public internet? I certainly have reservations from a security standpoint. Maybe those can be alleviated somehow?

Some day, IPv6 will be prevalent. Support for IPsec or some other encryption/security protocols would essentially create VPN-like security on world-routable IP addresses. It might be years away from being widely enough deployed to be considered a truly useful potential solution for this sort of problem, but the expectation is that someday the client shouldn't really care about whether it's on a LAN or WAN. Someday the client should be able to securely connect directly to the world-routable IP address (via DNS name) of the server, regardless of physical location in the world. So if this logic stands up, what's to prevent the same truth from applying to IPv4, as long as the server is made publicly routable? Either way, you put the server behind a firewall, and you only allow certain protocols to reach it. Those protocols are encrypted, aren't they? Even if IPv4? (I actually don't know what protocols are necessary to support the user.)

Another possibility ... It's expected that each user will have a "home" somewhere. We could give them a hardware VPN appliance, with wifi that's only accessible from their laptop. While they might not be in the office every day, you bring the office LAN to them. As long as they return to their home periodically, say, at least once every 2 weeks or so, they should have their needs met.

Any other ideas?
_______________________________________________ Tech mailing list [email protected] https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech This list provided by the League of Professional System Administrators http://lopsa.org/
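Edward asks which protocols a domain-joined client actually needs to reach on a DC and whether they are encrypted, which is the question a firewall rule set for a VPN-reachable or DMZ-exposed DC has to answer. The following PowerShell is an added example written for this thread, not code posted by Will or Edward: it probes the standard AD client TCP ports on a named DC from the laptop and annotates each with whether the protocol carries its own encryption. The port list is assumed from standard AD client behaviour (confirm it against the documentation for your DC version), and `dc01.corp.example` is a placeholder name.

```powershell
# Added example for this thread (not Will's or Edward's code): probe the TCP
# ports a domain-joined Windows client needs on a DC and report which of
# them carry their own encryption. Run from the remote laptop, over the VPN
# or against a candidate DMZ address, before deciding what a firewall may
# pass. Test-NetConnection requires Windows 8 / Server 2012 or later.

# Assumed standard AD client port list; confirm against your DC version's
# documentation. UDP counterparts (DNS 53, Kerberos 88, kpasswd 464) are not
# probed because Test-NetConnection only performs TCP connects. After the
# endpoint mapper (135) answers, RPC moves to an ephemeral port in the
# default dynamic range 49152-65535, which a firewall must also pass.
$AdClientPorts = @(
    [pscustomobject]@{ Port = 53;   Service = 'DNS';                        Encryption = 'None (plaintext)' }
    [pscustomobject]@{ Port = 88;   Service = 'Kerberos';                   Encryption = 'Yes (tickets are encrypted)' }
    [pscustomobject]@{ Port = 135;  Service = 'RPC endpoint mapper';        Encryption = 'Depends on RPC authentication level' }
    [pscustomobject]@{ Port = 389;  Service = 'LDAP';                       Encryption = 'Only with signing/sealing or STARTTLS' }
    [pscustomobject]@{ Port = 445;  Service = 'SMB (SYSVOL, GPO, Netlogon)'; Encryption = 'Signed by default; SMB3 encryption optional' }
    [pscustomobject]@{ Port = 464;  Service = 'Kerberos password change';   Encryption = 'Yes' }
    [pscustomobject]@{ Port = 636;  Service = 'LDAPS';                      Encryption = 'Yes (TLS)' }
    [pscustomobject]@{ Port = 3268; Service = 'Global Catalog LDAP';        Encryption = 'Only with signing/sealing' }
    [pscustomobject]@{ Port = 3269; Service = 'Global Catalog LDAPS';       Encryption = 'Yes (TLS)' }
)

function Test-AdClientPorts {
    param(
        [Parameter(Mandatory)] [string]$DomainController
    )
    foreach ($p in $AdClientPorts) {
        # TcpTestSucceeded is $true only if a TCP handshake completed;
        # a firewall drop or a closed port both show up as $false.
        $r = Test-NetConnection -ComputerName $DomainController -Port $p.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port       = $p.Port
            Service    = $p.Service
            Reachable  = $r.TcpTestSucceeded
            Encryption = $p.Encryption
        }
    }
}

# Example run against a placeholder DC name.
Test-AdClientPorts -DomainController 'dc01.corp.example' | Format-Table -AutoSize
```

The output makes the "those protocols are encrypted, aren't they?" question concrete: DNS is plaintext, LDAP and SMB are only as protected as the signing and sealing policy on the DC makes them, and Kerberos and LDAPS are encrypted on their own. It also touches on Edward's propagation problem: a password changed through OWA does not reach the laptop's cached credentials until the laptop next validates a logon against a DC, so with the VPN up, locking and unlocking the workstation with the new password refreshes the cache.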
