Connecting Remote Endpoints with an On-Prem AD

Sure!

This topology is using ZTHA (ziti host access) → ZTNA (ziti network access)

Let’s assume you already have a Ziti Network deployed with a registered identity for the client with an attribute named “ad_clients”, a couple of edge routers deployed for public access with an attribute called “public_routers”, and a couple of routers inside the destination network deployed and configured with tunnel binding enabled, with the resulting identities carrying the attribute named “ad_router_identities”. The domain you want to connect to is “mynet.contoso.com”.

Example diagram:

This setup will use the ZDE (Windows) as the ZTHA & client and an Edge Router deployed into the remote network as the ZTNA egress pointing to the domain server.

:exclamation: It’s imperative that the Routers in the remote network have the ability to lookup domain DNS names, so usually those Edge Routers are pointing their DNS configuration directly to a local domain controller.

The main distinction for using wildcard is the service configuration, so here they are expanded.

Here is an example intercept.v1 configuration for the AD service that will be used by the client in this instance. The addresses being intercepted will be *.mynet.contoso.com:

{
   "addresses":[
      "*.mynet.contoso.com"
   ],
   "portRanges":[
      {
         "high":138,
         "low":138
      },
      {
         "high":53,
         "low":53
      },
      {
         "high":389,
         "low":389
      },
      {
         "high":445,
         "low":445
      },
      {
         "high":65535,
         "low":1024
      },
      {
         "high":88,
         "low":88
      },
      {
         "high":636,
         "low":636
      },
      {
         "high":123,
         "low":123
      },
      {
         "high":135,
         "low":135
      }
   ],
   "protocols":[
      "udp",
      "tcp"
   ]
}

And here is an example host.v1 configuration for the AD service that will be used by the egressing router identities in this instance. The allowed addresses & ports must match the intercept configuration, and forwarding must be enabled for address/port/protocol for this to function properly:

{
   "allowedAddresses":[
      "*.mynet.contoso.com"
   ],
   "allowedPortRanges":[
      {
         "high":138,
         "low":138
      },
      {
         "high":53,
         "low":53
      },
      {
         "high":389,
         "low":389
      },
      {
         "high":445,
         "low":445
      },
      {
         "high":65535,
         "low":1024
      },
      {
         "high":88,
         "low":88
      },
      {
         "high":636,
         "low":636
      },
      {
         "high":123,
         "low":123
      },
      {
         "high":135,
         "low":135
      }
   ],
   "allowedProtocols":[
      "udp",
      "tcp"
   ],
   "forwardAddress":true,
   "forwardPort":true,
   "forwardProtocol":true
}

Here are the commands to create all of the necessary logical components via Ziti CLI:

Create the intercept.v1 config:

ziti edge create config ad_intercept intercept.v1 '{"addresses":["*.mynet.contoso.com"],"portRanges":[{"high":138,"low":138},{"high":53,"low":53},{"high":389,"low":389},{"high":445,"low":445},{"high":65535,"low":1024},{"high":88,"low":88},{"high":636,"low":636},{"high":123,"low":123},{"high":135,"low":135}],"protocols":["udp","tcp"]}'

Create the host.v1 config:

ziti edge create config ad_host host.v1 '{"allowedAddresses":["*.mynet.contoso.com"],"allowedPortRanges":[{"high":138,"low":138},{"high":53,"low":53},{"high":389,"low":389},{"high":445,"low":445},{"high":65535,"low":1024},{"high":88,"low":88},{"high":636,"low":636},{"high":123,"low":123},{"high":135,"low":135}],"allowedProtocols":["udp","tcp"],"forwardAddress":true,"forwardPort":true,"forwardProtocol":true}'

Create a service making sure to associate the above configs:

ziti edge create service ad_service --configs ad_intercept,ad_host

Create the edge-router-policies to allow client to reach the public edge routers:

ziti edge create edge-router-policy client_public --identity-roles '#ad_clients' --edge-router-roles '#public_routers'

Create the service-edge-router policy to allow all routers to host the service:

ziti edge create service-edge-router-policy allow_all --edge-router-roles '#all' --service-roles '#all'

Create the service bind policy to associate the service with the hosting edge router identities:

ziti edge create service-policy ad_bind Bind --identity-roles '#ad_router_identities' --service-roles '@ad_service' --semantic AnyOf

Create the service dial policy to allow the client access to the service:

ziti edge create service-policy ad_dial Dial --identity-roles '#ad_clients' --service-roles '@ad_service' --semantic AnyOf

Once the above is complete, the remote client should have access to the AD services.

Just in case you need the commands to also create the client & routers:

Create identity for the client:

ziti edge create identity device my_ad_client --role-attributes ad_clients

Create public edge routers:

ziti edge create edge-router public1 --role-attributes public_routers
ziti edge create edge-router public2 --role-attributes public_routers

Create the private edge routers:

ziti edge create edge-router private1 --role-attributes private_routers
ziti edge create edge-router private2 --role-attributes private_routers

Update the identities created in the above router create with the correct role attributes:

ziti edge update identity private1 --role-attributes ad_router_identities
ziti edge update identity private2 --role-attributes ad_router_identities

Hope this helps.

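The post says the host.v1 allowed addresses and ports must match the intercept.v1 config and that address/port/protocol forwarding must be enabled. Here is an added Python checker (my own example, not code from the post or from the OpenZiti project) that verifies that rule for a config pair before you push it with `ziti edge create config`. It assumes a Ziti wildcard such as "*.mynet.contoso.com" behaves like a shell-style glob on the hostname; the sample configs are constructed from the post's JSON, and the intercept copy keeps the post's misspelled "consoto" wildcard so the check has a mismatch to report.

```python
"""Consistency check for an OpenZiti intercept.v1 / host.v1 config pair.

Added example, not code from the original post or the OpenZiti project.
It encodes the rule the post states in prose: the host config's allowed
addresses, ports and protocols must cover everything the intercept config
captures, and forwarding must be enabled for address, port and protocol.
Wildcard matching is approximated with shell-style globbing, which is an
assumption about how Ziti resolves "*.domain" entries.
"""

import fnmatch

# Sample configs constructed from the post's example.  The intercept copy
# deliberately keeps the misspelled wildcard ("consoto") so the check has
# something to report.
AD_PORTS = [{"low": p, "high": p} for p in (53, 88, 123, 135, 138, 389, 445, 636)]
AD_PORTS.append({"low": 1024, "high": 65535})  # RPC dynamic port range

INTERCEPT_V1 = {
    "addresses": ["*.mynet.consoto.com"],
    "portRanges": AD_PORTS,
    "protocols": ["udp", "tcp"],
}
CORRECTED_INTERCEPT = dict(INTERCEPT_V1, addresses=["*.mynet.contoso.com"])

HOST_V1 = {
    "allowedAddresses": ["*.mynet.contoso.com"],
    "allowedPortRanges": AD_PORTS,
    "allowedProtocols": ["udp", "tcp"],
    "forwardAddress": True,
    "forwardPort": True,
    "forwardProtocol": True,
}


def normalize_ranges(ranges):
    """Merge {"low","high"} dicts into sorted, non-overlapping (low, high) tuples."""
    merged = []
    for low, high in sorted((r["low"], r["high"]) for r in ranges):
        if merged and low <= merged[-1][1] + 1:  # overlapping or adjacent
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return merged


def range_covered(low, high, allowed):
    """True if every port in [low, high] sits inside one merged allowed span."""
    return any(a_low <= low and high <= a_high for a_low, a_high in allowed)


def address_allowed(addr, allowed_addresses):
    """Glob approximation (assumption): "*.mynet.contoso.com" is covered by
    itself or by a broader wildcard such as "*.contoso.com"."""
    return any(fnmatch.fnmatchcase(addr.lower(), a.lower()) for a in allowed_addresses)


def check_pair(intercept, host):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    for addr in intercept["addresses"]:
        if not address_allowed(addr, host["allowedAddresses"]):
            problems.append(f"address {addr!r} is intercepted but not in allowedAddresses")
    allowed_ports = normalize_ranges(host["allowedPortRanges"])
    for low, high in normalize_ranges(intercept["portRanges"]):
        if not range_covered(low, high, allowed_ports):
            problems.append(f"port range {low}-{high} is intercepted but not allowed by the host config")
    for proto in intercept["protocols"]:
        if proto not in host["allowedProtocols"]:
            problems.append(f"protocol {proto!r} is intercepted but not in allowedProtocols")
    for flag in ("forwardAddress", "forwardPort", "forwardProtocol"):
        if not host.get(flag, False):
            problems.append(f"{flag} is not enabled; a wildcard service needs it to reach the intercepted target")
    return problems


def would_intercept(intercept, hostname, port, proto):
    """Would a client holding this intercept config capture hostname:port/proto?"""
    return (
        address_allowed(hostname, intercept["addresses"])
        and range_covered(port, port, normalize_ranges(intercept["portRanges"]))
        and proto in intercept["protocols"]
    )


if __name__ == "__main__":
    for label, cfg in (("as posted", INTERCEPT_V1), ("corrected", CORRECTED_INTERCEPT)):
        problems = check_pair(cfg, HOST_V1)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

Running it reports the misspelled wildcard for the posted intercept config and no problems for the corrected one; the same checker flags a host config whose port ranges are narrower than the intercept's or that has a forward flag left off, which is the kind of silent mismatch that otherwise shows up only as clients timing out against the domain controller.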