My work is going to roll out a new application (HR, Payroll, etc.) called Springbrook to our remote employees. The application runs on one of our physical servers (Win 2008 R2), and to use it locally I had to map a network drive to the server on the local employee's computer. I created a desktop shortcut to the app so the user doesn't have to go inside the mapped drive and run it that way. They just click on the desktop shortcut.
Springbrook uses the LDAP protocol (in our case Active Directory) to authenticate the user trying to log in against the login IDs already inside of Springbrook. So when the session is established, it requires that the user logs in and is authenticated to the domain, which in turn makes the connection to the LDAP connector, which verifies the user info and allows them access.
Our hardware firewall is a SonicWall TZ210 device. I have the VPN set up in that device. At the remote site, on the workstation of the user who will be using Springbrook, I have correctly set up the SonicWall VPN client. At the remote workstation I can establish a connection to our network, map the network drive and bring up the Springbrook login page. When I put in the credentials, a Springbrook error message pops up telling me I put in an incorrect password. That's not the case, because I know the credentials are correct.
I contacted Springbrook about this and the tech told me that somehow the authentication isn't happening in the VPN tunnel.
Okay. I knew that, haha
He then said that they use Citrix for their remote employees. I'm sure Citrix has a very nice WebApp tool, but if I can do this through a VPN tunnel and save us money that would be great.
Any suggestions my fellow techies?
Server: Win 2008 R2
Firewall/VPN: SonicWall TZ210
Active Directory domain
I've enabled LDAP in our firewall and got the same results. That didn't work. Other than that, I haven't tried anything. The remote workstation runs the same "stuff" as the local workstations that are running Springbrook just fine.
You need to run a packet capture to determine if the remote client is successfully performing an LDAP bind. If so, you may be sending the username and password in plain text, which would make it fairly easy to validate.
You may want to localize this further by trying to establish an LDAP bind using a tool such as LDP.exe from a remote VPN client. If you cannot bind and authenticate using LDP the same way that the application is binding and authenticating, that would point you in the right direction.
Also, considering that this has not been tested, it would not surprise me that even if you do get it to function, the performance may be exceedingly poor.
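A scripted version of the LDP.exe-style check this answer suggests, runnable from the remote VPN client, as an added example (PowerShell; this is not code from the thread, from Springbrook or from SonicWall). It resolves the domain controller name through the tunnel, checks that the LDAP, LDAPS and Kerberos ports are reachable, then attempts a bind with the supplied credentials, first over 389 and then over 636, so the failure is pinned to DNS, routing or the bind itself. The DC name, base DN and account in the param block are placeholders you replace with your own; `-SimpleBind` switches from Negotiate to a plain simple bind, which is the form that a capture would show carrying the password in clear text over 389.

```powershell
# Added example (not from the thread). Placeholders are marked as assumptions.
param(
    [string]$DomainController = "dc01.corp.example.com",     # assumption: replace with your DC's FQDN
    [string]$BaseDn           = "DC=corp,DC=example,DC=com", # assumption: your domain's base DN
    [string]$UserName         = "CORP\jdoe",                 # assumption: the account the app binds as
    [switch]$SimpleBind                                      # plain simple bind instead of Negotiate
)

Add-Type -AssemblyName System.DirectoryServices

function Test-TcpPort {
    # Returns $true if a TCP connection to $ComputerName:$Port completes within the timeout.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-LdapBind {
    # Binds to LDAP://server:port/baseDN with explicit credentials and reports the server's verdict.
    param(
        [string]$Server,
        [string]$BaseDn,
        [System.Management.Automation.PSCredential]$Credential,
        [switch]$UseSsl,
        [switch]$Simple
    )
    $port = if ($UseSsl) { 636 } else { 389 }
    $path = "LDAP://$Server`:$port/$BaseDn"

    # Negotiate (Kerberos/NTLM) keeps the password off the wire; a simple bind over 389 sends it
    # in clear text, which is why LDAPS (636) or signing is the setting to aim for once it works.
    $auth = if ($Simple) { [System.DirectoryServices.AuthenticationTypes]::None }
            else         { [System.DirectoryServices.AuthenticationTypes]::Secure }
    if ($UseSsl) { $auth = $auth -bor [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer }

    $net = $Credential.GetNetworkCredential()
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry($path, $Credential.UserName, $net.Password, $auth)
        # Touching NativeObject forces the bind; a failure throws with the server's reason
        # (invalid credentials, server down, referral, etc.).
        $null = $entry.NativeObject
        return "OK: bound to $path as $($Credential.UserName)"
    } catch {
        return "FAILED: $path -> $($_.Exception.Message)"
    }
}

# Prompt for the password interactively; nothing is stored in the script.
$cred = Get-Credential -Credential $UserName

Write-Host "Resolving $DomainController through the tunnel ..."
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($DomainController) | ForEach-Object { $_.IPAddressToString }
    Write-Host "  -> $($addrs -join ', ')"
} catch {
    Write-Host "  DNS lookup failed: $($_.Exception.Message) (check the DNS servers the VPN client hands out)"
}

# 389 = LDAP, 636 = LDAPS, 88 = Kerberos (needed for a Negotiate bind when NTLM fallback is disabled).
foreach ($p in 389, 636, 88) {
    $state = if (Test-TcpPort -ComputerName $DomainController -Port $p) { "open" } else { "blocked/unreachable" }
    Write-Host ("  TCP {0,-4} {1}" -f $p, $state)
}

Write-Host (Test-LdapBind -Server $DomainController -BaseDn $BaseDn -Credential $cred -Simple:$SimpleBind)
Write-Host (Test-LdapBind -Server $DomainController -BaseDn $BaseDn -Credential $cred -Simple:$SimpleBind -UseSsl)
```

Run it from the remote workstation with the VPN up, e.g. `.\Test-VpnLdap.ps1 -DomainController dc01.corp.example.com -UserName 'CORP\jdoe'`. If DNS or the port checks fail, the problem is in the tunnel's routing or name resolution rather than the application; if the ports are open but only the 389 bind fails while 636 succeeds (or the reverse), the application's bind method is the thing to compare against the capture.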
Use Windows RRAS as the VPN server. The users will then authenticate to the domain via the VPN instead of authenticating to the SonicWall via the VPN. When they launch the app it should use the AD credentials of the VPN user, which is their AD account.