topic Re: Mobile Access setup, failing to integrate AD in SASE and Remote Access

Mobile Access setup, failing to integrate AD

796570686578 — Wed, 18 Oct 2023 10:28:26 GMT

Hey everyone,

In a Lab environment I am trying to setup Mobile Access with AD Integration so I can test some configurations for a customer.

I setup a Gateway and Management Server using R81.20 and Jumbo Hotfix Take 26. Also I have an AD Controller on a different subnet. ( See my professional drawing of the topology in the attachments)

Mgmt: 172.16.101.10

FW: 172.16.101.30 & 172.16.102.30

DC: 172.16.102.100

Now to the actual problem:

I open the Firewall Object in Smart Console -> check "Mobile Access" -> select allowed clients to connect -> Active Directory Integration.

Now in the Active directory Integration I specify all the required parameters

- Domain Name

- Username

- Password

- Domain Controller

and then hit Connect. After some time I get an error message saying " Smart Dashboard could not connect - Could not communicate with server".

Now I have obviously checked the following:

- Configured Firewall Rule to allow any traffic to and from DC

- Necessary routes are in place

- No NAT rules

- I can ping between MGMT and DC without any issues

- No relevant Logs in Smart Dashboard

- Performed a tcpdump on the Management Server and the Firewall on all interfaces, there is not traffic to my DC(172.16.102.100) at all?!?!

Now what is interesting, I configured an LDAP Account Unit Object for the same DC and it works without any issues...

Now I am pretty much at a loss on why it is not working.. Do you have any ideas on what my issue might be?

Thanks!

Re: Mobile Access setup, failing to integrate AD

G_W_Albrecht — Wed, 18 Oct 2023 10:42:45 GMT

sk113747: How to troubleshoot Identity Awareness AD Query connectivity issues

sk100406: How to use the 'test_ad_connectivity' tool

Re: Mobile Access setup, failing to integrate AD

796570686578 — Wed, 18 Oct 2023 11:54:22 GMT

Thanks, will check it out!

Re: Mobile Access setup, failing to integrate AD

796570686578 — Wed, 18 Oct 2023 12:21:14 GMT

So I checked the SKs you mentioned.

test_ad_connectivity test -> Success

( :status (SUCCESS_LDAP_WMI) :err_msg ("ADLOG_SUCCESS;LDAP_SUCCESS") :ldap_status (LDAP_SUCCESS) :wmi_status (ADLOG_SUCCESS) :timestamp ("Wed Oct 18 14:09:57 2023") )

adlog a dc -> can't test this since I am not able to configure the DC for AD Query
ldapsearch -> Success

I just don't understand why these tests work, why I can configure the Account Unit, but it does not work when configuring a Blade like Mobile Access or Identity Awareness...

Re: Mobile Access setup, failing to integrate AD

G_W_Albrecht — Mon, 23 Oct 2023 12:12:18 GMT

Better contact TAC to get this resolved!

Re: Mobile Access setup, failing to integrate AD

796570686578 — Mon, 23 Oct 2023 13:07:31 GMT

I was able to get it to work. The VM of my Management Server and AD also had an Interface on a different Subnet which acted as a Management Interface. This was also the Primary IP of my Management Server and once I integrated AD via the IP on that Interface, it worked on the first try...