...

This article describes how to use the LMC to configure the LTA client with external user administration via Microsoft Entra ID (formerly Azure AD).

Note

There are several default settings and profiles in VPN (e.g. encryption parameters). These are used to set up a VPN connection and allow for an easier configuration by means of prefabricated parameters.

When using IKEv2 the remote site DEFAULT in the Connection list has a special role, as the initial connection establishment is carried out via this remote site. When the VPN connection is recognized (e.g. on the basis of the identities), a switch to the actual VPN remote site occurs.

The default profiles must not be deleted or modified. Otherwise it is possible that the VPN connection can no longer be established!


You can find scripts to restore the default VPN settings in the following Knowledge Base article:

Restoring default settings in VPN


Requirements:

...

1.1.1) In the LMC, go to the Networks menu and click the network that the LTA client should log in to (in this example INTRANET).

1.1.2) In the Overview, click Edit network.

1.1.3) Modify the following parameters and then click Save:

...

1.2) Activate LTA:

1.2.1) In the Security menu, go to the LANCOM Trusted Access tab and click the Activate LTA slider.

...

1.3.3) Under Split Tunnel, select the option Only network traffic to configured networks through tunnel (Split Tunnel) and click the “+” icon to specify the target networks.

Info

If the option All network traffic through tunnel (LANCOM Trusted Internet Access - Full Tunnel) is enabled, or if there is no target network configured for the option Only network traffic to configured networks through tunnel (Split Tunnel), then all data traffic is transmitted via the VPN tunnel. This means that local resources in the user's network cannot be reached while a VPN tunnel is established. It may also result in slower transmission of Internet data traffic, as this is all transmitted via the LTA gateway. In return, the data traffic can be checked via Content Filter and Antivirus on the LTA gateway.


1.3.4) Enter the target network in CIDR notation and click Save.
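The routing behaviour described in steps 1.3.3 and 1.3.4 and in the Info box above (destinations inside a configured target network go through the tunnel, everything else stays local, and a Split Tunnel with no target network behaves like Full Tunnel) can be modelled and checked offline. The following is an added example and not LMC or LANCOM client code; the class name TunnelPolicy, the mode strings and the strict CIDR validation are assumptions of this example, and the networks below are constructed sample values.

```python
# Added example (not LMC/LANCOM code): model the LTA split-tunnel decision.
import ipaddress
from typing import Iterable, Optional

FULL_TUNNEL = "full"    # "All network traffic through tunnel"
SPLIT_TUNNEL = "split"  # "Only network traffic to configured networks through tunnel"


def check_target_network(text: str) -> Optional[str]:
    """Return None if `text` is a valid IPv4 target network in CIDR notation,
    otherwise a human-readable error. strict=True rejects host bits set,
    e.g. 10.0.0.1/8 (assumption: the LMC expects a proper network address)."""
    try:
        ipaddress.IPv4Network(text.strip(), strict=True)
    except ValueError as exc:
        return f"invalid target network {text!r}: {exc}"
    return None


class TunnelPolicy:
    def __init__(self, mode: str, target_networks: Iterable[str] = ()):
        if mode not in (FULL_TUNNEL, SPLIT_TUNNEL):
            raise ValueError(f"unknown tunnel mode {mode!r}")
        self.mode = mode
        # Every configured target network must be valid CIDR; fail early otherwise.
        self.networks = []
        for n in target_networks:
            err = check_target_network(n)
            if err:
                raise ValueError(err)
            self.networks.append(ipaddress.IPv4Network(n.strip(), strict=True))

    @property
    def effective_mode(self) -> str:
        # Per the Info box: Split Tunnel without any target network means that
        # all traffic is sent through the tunnel, i.e. it behaves like Full Tunnel.
        if self.mode == FULL_TUNNEL or not self.networks:
            return FULL_TUNNEL
        return SPLIT_TUNNEL

    def matched_network(self, dst: str) -> Optional[ipaddress.IPv4Network]:
        """Most specific configured target network containing `dst`, if any."""
        addr = ipaddress.IPv4Address(dst)
        hits = [n for n in self.networks if addr in n]
        return max(hits, key=lambda n: n.prefixlen) if hits else None

    def route(self, dst: str) -> str:
        """'tunnel' if the destination is sent via the LTA gateway, else 'local'."""
        if self.effective_mode == FULL_TUNNEL:
            return "tunnel"
        return "tunnel" if self.matched_network(dst) is not None else "local"


if __name__ == "__main__":
    # Constructed sample configuration: two target networks behind the LTA gateway.
    policy = TunnelPolicy(SPLIT_TUNNEL, ["10.0.0.0/8", "192.168.10.0/24"])
    for dst in ("10.0.0.250", "192.168.10.7", "192.168.1.5", "8.8.8.8"):
        print(f"{dst:>14} -> {policy.route(dst)}")
```

Running the block prints one line per sample destination; the two addresses inside the configured networks are routed via the tunnel, the printer-like address in a different local subnet and the public resolver stay local. Replacing the list with an empty one shows the Full Tunnel fallback from the Info box.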



1.4) Endpoint Security (optional):

...

  • Name: Enter a descriptive name for the identity provider as entered into the LMC.
  • Domains: Use the Domains field to enter the domain you are using (in this example mydomain.com).

Info

The configuration cannot be saved at this point, as the IdP metadata URL still has to be entered. This URL is read out from Entra ID in step 2.2.8 and stored in the LMC in step 3.1.1.

...

  • TXT resource record: Enter this as the TXT resource record in the account of your DynDNS provider for the domain.
  • LMC Entity URL: Enter this into Entra ID as the Identifier (Entity ID) in step 2.2.4.
  • Reply URL: Enter this into Entra ID as the Reply URL (Assertion Consumer Service URL) in step 2.2.4.

...

Note

The application password must be copied in this step. The password will subsequently be obfuscated. In case of problems, the password must be deleted and a new one created.

...

2.5.4) Select the permission Group.Read.All and then click Add permissions.

Info

You can find the permission directly by entering the string Group.Read into the search box.

...

  • Name: Enter a descriptive name for the connection target (in this example Web-Server).
  • Hostname / IPv4 address / CIDR notation: Enter a DNS name or the IP address of the connection target (in this example 10.0.0.250). Alternatively, you can provide access to an entire network by entering the network address in CIDR notation (e.g. 10.0.0.0/8).
  • Protocol: Select the communications protocol (in this example TCP).
    • The following protocols are available:
      • TCP
      • UDP
      • ICMP
      • AH
      • ESP
      • GRE
      • TCP+UDP
      • All protocols
  • Port: Enter the ports for the communications (in this example 80 and 443). Multiple ports can be separated by a comma (e.g. 80,443). Port ranges can be entered with a hyphen (e.g. 5060-5061).
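The fields above (hostname / IPv4 address / CIDR, protocol from the fixed list, and a port string such as 80,443 or 5060-5061) define one connection target. The following added example, which is not LMC or LANCOM code, parses and validates such an entry and checks whether a given flow is covered by it. Its assumptions are labelled in the comments: ports are only accepted for TCP, UDP and TCP+UDP; an empty port field means any port; DNS-name targets are compared by name only (no resolution); and the sample targets are constructed values.

```python
# Added example (not LMC/LANCOM code): parse one LTA connection-target entry.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Protocol choices exactly as listed in the LMC dialog.
PROTOCOLS = {"TCP", "UDP", "ICMP", "AH", "ESP", "GRE", "TCP+UDP", "All protocols"}
# Assumption of this example: a port list is only meaningful for these protocols.
PORT_PROTOCOLS = {"TCP", "UDP", "TCP+UDP"}
# RFC 1123 style label check for DNS names (assumption: plain host names only).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")

PortRange = Tuple[int, int]
Destination = Union[ipaddress.IPv4Address, ipaddress.IPv4Network, str]


@dataclass(frozen=True)
class ConnectionTarget:
    name: str
    destination: Destination
    protocol: str
    ports: Tuple[PortRange, ...]  # empty tuple = any port (assumption)


def parse_destination(text: str) -> Destination:
    """Accept an IPv4 address, an IPv4 network in CIDR notation, or a DNS name."""
    text = text.strip()
    if "/" in text:
        # strict=True rejects host bits set, e.g. 10.0.0.1/8
        return ipaddress.IPv4Network(text, strict=True)
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        pass
    if len(text) > 253 or not _HOSTNAME_RE.match(text):
        raise ValueError(f"not an IPv4 address, CIDR network or DNS name: {text!r}")
    return text.lower().rstrip(".")


def parse_ports(text: str) -> Tuple[PortRange, ...]:
    """Parse '80,443' or '5060-5061' into (low, high) tuples."""
    ranges = []
    for item in text.split(","):
        item = item.strip()
        lo_s, sep, hi_s = item.partition("-")
        if not lo_s or (sep and not hi_s):
            raise ValueError(f"malformed port entry {item!r}")
        lo = int(lo_s)                    # int() raises ValueError on junk
        hi = int(hi_s) if hi_s else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port or range {item!r}")
        ranges.append((lo, hi))
    return tuple(ranges)


def build_connection_target(name: str, destination: str, protocol: str,
                            ports: str = "") -> ConnectionTarget:
    if not name.strip():
        raise ValueError("name must not be empty")
    if protocol not in PROTOCOLS:
        raise ValueError(f"unknown protocol {protocol!r}")
    port_ranges: Tuple[PortRange, ...] = ()
    if ports.strip():
        if protocol not in PORT_PROTOCOLS:
            raise ValueError(f"ports cannot be combined with {protocol}")
        port_ranges = parse_ports(ports)
    return ConnectionTarget(name.strip(), parse_destination(destination),
                            protocol, port_ranges)


def validation_error(name: str, destination: str, protocol: str,
                     ports: str = "") -> Optional[str]:
    """None if the entry is valid, otherwise the reason it would be rejected."""
    try:
        build_connection_target(name, destination, protocol, ports)
    except ValueError as exc:
        return str(exc)
    return None


def _protocol_matches(target_proto: str, flow_proto: str) -> bool:
    if target_proto == "All protocols":
        return True
    if target_proto == "TCP+UDP":
        return flow_proto in ("TCP", "UDP")
    return target_proto == flow_proto


def matches(target: ConnectionTarget, dst: str, protocol: str,
            port: Optional[int] = None) -> bool:
    """Is the flow (dst, protocol, port) covered by this connection target?"""
    if not _protocol_matches(target.protocol, protocol):
        return False
    d = target.destination
    if isinstance(d, str):                       # DNS-name target: compare by name
        if dst.strip().lower().rstrip(".") != d:
            return False
    else:
        try:
            addr = ipaddress.IPv4Address(dst)
        except ValueError:
            return False
        if isinstance(d, ipaddress.IPv4Address):
            if addr != d:
                return False
        elif addr not in d:
            return False
    if target.ports:
        return port is not None and any(lo <= port <= hi for lo, hi in target.ports)
    return True
```

The article's own example (Web-Server, 10.0.0.250, TCP, ports 80 and 443) becomes build_connection_target("Web-Server", "10.0.0.250", "TCP", "80,443"); the entire-network variant uses a CIDR string such as 10.0.0.0/8 with the protocol All protocols. validation_error() is the function to call from a review script that checks exported target definitions before they are rolled out.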


3.3) Authorization profiles:

...

  • Profile name: Enter a descriptive name for the profile (in this example Admin).
  • Users / Groups: From the drop-down menu, select a Group from the Active Directory (in this example Admin). You can optionally select multiple users and assign them the same permissions.


3.3.3) Under Status enable the necessary connection targets for the user (see step 3.2.2) and click Create.




4) Configuration steps in the LTA client:

...