Description:

LANCOM Trusted Access (LTA) is the trusted network access security solution for enterprise networks. It enables secure and scalable network access for employees in the office, at home, or on the road, thus protecting modern hybrid working from anywhere at any time.

The LANCOM Trusted Access solution adapts to increasing security requirements in your organization. It supports not only classic full network access as a cloud-managed VPN client, but also the migration to a zero-trust security architecture with comprehensive network security. In the latter case, users receive granular access rights only to those applications that have been assigned to them (zero-trust principle). Existing systems for administering users and user groups (Active Directory) can be fully integrated into the LANCOM Management Cloud (LMC). For smaller networks, the LMC alternatively offers internal user administration.

This article describes how the LMC is used to configure the LTA client operating external user administration with Microsoft Entra ID (formerly Azure AD).

There are several default settings and profiles in VPN (e.g. encryption parameters). These are used to set up a VPN connection and allow for an easier configuration by means of prefabricated parameters.

When using IKEv2 the remote site DEFAULT in the Connection list has a special role, as the initial connection establishment is carried out via this remote site. When the VPN connection is recognized (e.g. on the basis of the identities), a switch to the actual VPN remote site occurs.

The default profiles must not be deleted or modified. Otherwise it is possible that the VPN connection can no longer be established!


You can find scripts to restore the default VPN settings in the following Knowledge Base article:

Restoring default settings in VPN


Requirements:

The DynDNS service integrated in the LMC unfortunately does not support a “TXT Resource Record” and therefore cannot be used for the domain ownership verification required in step 1.5.4.

Procedure:

1) Initial configuration steps in the LMC:

1.1) Activate the VPN function:

1.1.1) In the LMC, go to the Networks menu and click the network that the LTA client should log in to (in this example INTRANET).

Screenshot of a network management dashboard displaying various statuses such as IP range, VLAN, Internet, VPN, and hotspot security settings.

1.1.2) In the Overview, click Edit network.

Screenshot of the INTRANET network configuration interface displaying options such as WiFi switches, add-ins, variables, with statuses and settings for network properties like VLAN, VPN, and internet access.

1.1.3) Modify the following parameters and then click Save:

  • Link devices via secure connection (VPN): Set a checkmark to enable the VPN functionality.
  • Central-site IP addresses or DNS names: Enter the public IP address or public DNS name of the router. This must be specified as soon as the VPN function is activated.

Image of a network configuration interface displaying settings for DHCP, DNS, routing, subnet management, and VPN options for an intranet with the name 'INTRA'.


1.2) Activate LTA:

1.2.1) In the Security menu, go to the LANCOM Trusted Access tab and click the Activate LTA slider.

Screenshot of a dashboard security interface displaying LANCOM Trusted Access configuration settings for managing user group permissions and access to network services and applications.

1.2.2) Click Activate.

Image displays a software interface for LANCOM Trusted Access, featuring options to activate a starter license and configure user group settings, with a button to cancel the operation.


1.3) Client configuration:

The Client configuration is used to store basic parameters such as the address of the LTA gateway. These settings apply globally and cannot be configured for individual users.

1.3.1) Go to the Client configuration tab and modify the following parameters:

  • Accessible network: From the drop-down menu, select the network edited in step 1.1 that the LTA client should log in to (in this example INTRANET).
  • Gateway IP or domain: Enter the public IP address or DNS name under which the LTA client can reach the router (in this example 81.81.81.81).
  • Trusted Access Client IP network: Enter the network address of a network in CIDR (Classless Inter Domain Routing) notation. The LTA client is assigned an IP address from this network (in this example 10.0.0.0/8). In most cases the Accessible network is used for this, but it is also possible to specify a different network.
  • Tunneled domains for DNS resolution: Enter the domains whose DNS queries should always be sent via the VPN tunnel (in this example *.intern).

The * wildcard can be used for the tunneled domains for DNS resolution. This represents any number of characters. Multiple entries can be separated by a comma.

Screenshot of an LTA client configuration menu on an intranet interface.

1.3.2) Modify the following parameters if required:

  • Allow AVC mode in LTA client: If this option is enabled, the user can switch between the LTA client and the Advanced VPN client. This can be helpful, for example, if there are VPN connections to customers in addition to the LTA access to the company.
  • Enable LTA client self-sustaining continued operation: If standalone continued operation is enabled, the LTA client is able to establish a VPN connection for the specified period of time, even if the LMC cannot be reached.

Image displaying a technical configuration menu related to enabling AVC mode in LTA client, license requirements for local AVC in LTA client, options to sustain continued operation for LA clients, and the validity period of an LTA client certificate.

1.3.3) Under Split Tunnel, select the option Only network traffic to configured networks through tunnel (Split Tunnel) and click the “+” icon to specify the target networks.

If the option All network traffic (LANCOM Trusted Internet Access - Full Tunnel) is enabled, or if there is no target network configured for the option Only network traffic to configured networks through tunnel (Split Tunnel), then all data traffic is transmitted via the VPN tunnel. This means that local resources in the user's network cannot be reached while a VPN tunnel is established. It may also result in slower transmission of Internet data traffic, as this is all transmitted via the LTA gateway. In return the data traffic can be checked via Content Filter and Antivirus on the LTA gateway.

Screenshot of a LANCOM device interface showing options for Tunnel Mode, including All Network Traffic and Trusted Internet Access Full Tunnel settings.

1.3.4) Enter the target network in CIDR notation and click Save.

Image showing a configuration menu for LANCOM Trusted Internet Access with options for Full Tunnel and Split Tunnel network settings.
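As an added illustration of the client configuration from steps 1.3.1, 1.3.3 and 1.3.4 (example code, not part of this article or of the LTA client), the following Python models how the wildcard entries under Tunneled domains for DNS resolution and the Split Tunnel target networks decide what goes through the tunnel. The sample values (a second domain *.mydomain.com, the 10.0.0.0/8 target network and the test hostnames) are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample values, modelled on the LTA client configuration from
# steps 1.3.1 and 1.3.4 of this article (assumptions, not exported LMC data).
TUNNELED_DNS_DOMAINS = "*.intern, *.mydomain.com"
SPLIT_TUNNEL_TARGETS = ["10.0.0.0/8"]


def parse_tunneled_domains(entry):
    """Split the comma-separated 'Tunneled domains for DNS resolution' field
    into anchored regular expressions; '*' stands for any number of characters."""
    patterns = []
    for item in entry.split(","):
        item = item.strip().lower().rstrip(".")
        if not item:
            continue
        regex = "^" + re.escape(item).replace(r"\*", ".*") + "$"
        patterns.append(re.compile(regex))
    return patterns


def dns_via_tunnel(name, patterns):
    """True if a DNS query for 'name' is sent through the VPN tunnel."""
    name = name.strip().lower().rstrip(".")
    return any(p.match(name) for p in patterns)


def traffic_via_tunnel(dst_ip, targets, split_tunnel=True):
    """True if traffic to dst_ip goes through the tunnel.

    Full Tunnel sends everything through the LTA gateway.  Split Tunnel only
    sends traffic to the configured target networks, but with no target
    network configured it behaves like Full Tunnel (step 1.3.3)."""
    if not split_tunnel or not targets:
        return True
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in targets)


if __name__ == "__main__":
    pats = parse_tunneled_domains(TUNNELED_DNS_DOMAINS)
    for host in ("fileserver.intern", "www.example.com"):
        print(host, "-> tunnel" if dns_via_tunnel(host, pats) else "-> local resolver")
    for ip in ("10.0.0.250", "192.168.178.20"):
        print(ip, "-> tunnel" if traffic_via_tunnel(ip, SPLIT_TUNNEL_TARGETS) else "-> direct")
```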


1.4) Endpoint Security (optional):

Endpoint Security can optionally be activated. The LTA client then checks whether the specified parameters are met and only then will the VPN connection be established. These settings apply globally and cannot be configured for individual users.

1.4.1) Go to the Endpoint Security tab, adjust the following parameters and click Save:

  • Enable endpoint verification: Enable the option with the slider.
  • Allowed OS: If required, select the permitted operating systems as well as the minimum and maximum build versions (in this example, Windows 10 or Windows 11 is assumed).
  • Anti-Virus: If necessary, enable the anti-virus function check on the user's computer (in this example the option Enabled and up-to-date is used).
  • Firewall: If necessary, enable the firewall function check on the user's computer (in this example the option Enabled is used, which checks whether a firewall is active).

Screenshot displaying an Endpoint Security configuration menu with options for enabling endpoint verification, specifying allowed operating systems versions, and settings for antivirus and firewall requirements.


1.5) User administration:

The User administration is where you enter your own domain. Users can be connected to an Active Directory, if available, or they can be configured in the LMC.

1.5.1) Go to the User administration tab and enable the option IdP-managed.

Screenshot of a security software interface displaying various configuration options including Authorization Profiles, Connection Targets, User Administration, Endpoint Security, and Client Configuration, with detailed options for managing user and group information through Microsoft Entra ID and LMC.

1.5.2) Modify the following parameters:

  • Name: Enter a descriptive name for the identity provider as it should appear in the LMC.
  • Domains: Use the Domains field to enter the domain you are using (in this example mydomain.com).

The configuration cannot be saved at this point as the IdP metadata URL still has to be entered. This is read out from Entra ID in step 2.2.8 and stored in the LMC in step 3.1.1.

Image of a technical configuration menu showing options for authorization profiles, endpoint security client configuration, Microsoft Entra ID as an identity provider, and settings for SAML single sign-on.

1.5.3) Click Finalize Setup.

Screenshot of a user interface guiding to finalize SSO setup, indicating actions required in external components to complete the process.

1.5.4) Copy the following parameters and save them in a text file.

  • TXT resource record: Enter this as the TXT resource record in the account of your DynDNS provider for the domain.
  • LMC Entity URL: Enter this into Entra ID as the Identifier (Entity ID) in step 2.2.4.
  • Reply URL: Enter this into Entra ID as the Reply URL (Assertion Consumer Service URL) in step 2.2.4.

Screenshot of a domain setup interface displaying instructions for finalizing Single Sign-On (SSO) setup, including domain ownership verification steps and DNS TXT resource record configuration details.



2) Configuration in Microsoft Entra ID:

2.1) Create your own application:

2.1.1) Open the configuration menu in Entra ID and go to the Enterprise applications menu.

Screenshot of a technical user interface displaying various system management options including user groups, external identities, roles and administrators, and delegated admin partners.

2.1.2) Under Manage, select the option All applications and click New application.

Screenshot of an enterprise user interface displaying various application management options, including application registrations and settings like name, object ID, and certificate expiration, all set up to use Microsoft Entra as their identity provider.

2.1.3) Click Create your own application.

Screenshot of Microsoft Entra App Gallery interface showing options to browse, deploy, and configure single sign-on and automated user provisioning for various applications, with features for publishing and discovering applications within the gallery.

2.1.4) Modify the following parameters and then click Create:

  • What's the name of your app?: Enter a descriptive name for the app (in this example LTA-App).
  • What are you looking to do with your application?: Select the option Integrate any other application you don't find in the gallery (Non-gallery).

Screenshot of a user interface for configuring a custom application, including options for setting up Application Proxy for secure, remote access and registering an application for integration.


2.2) Set up single sign-on:

2.2.1) In the app you just created, click 2. Set up single sign on.

Screenshot of an enterprise application management interface showing deployment plan properties, user roles, user provisioning options, single sign-on setup, and custom security attributes configurations.

2.2.2) Select the option SAML.

Screenshot of an enterprise application single sign-on management interface showing options for deployment plan, user properties, and security settings including SAML disabled status.

2.2.3) In the field Basic SAML Configuration, click Edit.

Screenshot of an enterprise application's user interface for configuring single sign-on with SAML, showing various fields like Entity ID, Reply URL, and security settings for enhanced user experience and security.

2.2.4) Enter the parameters copied in step 1.5.4 and click Save.

  • Identifier (Entity ID): Enter the LMC Entity URL.
  • Reply URL (Assertion Consumer Service URL): Enter the Reply URL.

Image showing a configuration screen for Basic SAML Configuration with fields for Identifier Entity ID and Reply URL, specific to Microsoft Entra ID settings for single sign-on applications.

2.2.5) In the field Attributes & Claims, click Edit.

Screenshot of a configuration menu for setting up Single Sign-On with SAML, featuring several fields like Reply URL, sign-on URL, email address, and user groups.

2.2.6) Click Add a group claim.

A screenshot of a user interface displaying options for adding and configuring claims for user identity verification, including attributes for user principal name, email address, given name, and surname.

2.2.7) Select the option All groups and click Save.

Screenshot of Microsoft Entra ID configuration settings for managing group claims in SAML tokens, featuring options for security groups, directory roles, and application-assigned groups.

2.2.8) In the SAML Certificates field, copy the App Federation Metadata Url and save it in a text file. This is stored in the LMC as the IdP Metadata URL in step 3.1.1.

Image showing a complex technical user interface with various options for token signing certificates, status checks, and download links for certification and federation metadata.


2.3) Application registration:

2.3.1) Go to the menu App registrations.

Screenshot of a technical user interface displaying menu options for system overview, preview features, problem diagnostics, user settings, external identities, roles and administrators, delegated admin partners, enterprise applications, devices, and identity governance.

2.3.2) On the All applications tab, click the app created in step 2.1.4.

A screenshot showing a technical configuration menu related to Azure Active Directory service upgrades, with options for troubleshooting, downloading, previewing features, and managing applications and authentication libraries.

2.3.3) Click Add a certificate or secret.

Screenshot of a Microsoft identity platform configuration menu showing options for managing application credentials, API permissions, redirect URLs, and various authentication settings.

2.3.4) Click New client secret.

Image of a technical user interface displaying options for managing application registrations, certificates, client secrets, and federated credentials, including settings for token configurations, permissions, and security protocols.

2.3.5) Modify the following parameters and then click Add:

  • Description: Enter a descriptive name for the application password (in this example LTA-Secret).
  • Expires: Select a suitably long validity period (in this example 24 months).

After the validity expires, Active Directory users are no longer synchronized with the LMC. In that case a new secret must be created and stored in the LMC.

Screenshot of the Add a client secret dialog with the Description and Expires fields.

2.3.6) Copy the application password from the Value field and save it in a text file.

The application password must be copied in this step, because it is subsequently masked and can no longer be read out. If it was not copied, the secret must be deleted and a new one created.

Screenshot of a technical user interface showing fields related to application identity verification and token request, including sections for application password and secret values.


2.4) Copy application ID and directory ID:

In the app, go to the Overview. Copy the following two parameters and save them in a text file:

  • Application (client) ID: This is entered as the Application-ID (Client-ID) in step 3.1.2.
  • Directory (tenant) ID: This is entered as the Directory-ID (Tenant-ID) in step 3.1.2.

Screenshot of a technical configuration interface showing various application settings including client credentials, authentication options, application IDs, and API permissions.


2.5) API permissions:

2.5.1) Go to the menu API permissions and click Add a permission.

Screenshot of a software interface showing settings for API permissions management, including columns for admin consent requirements and user customization options for application permissions.

2.5.2) On the Microsoft APIs tab, select the option Microsoft Graph.

Screenshot of a configuration menu for requesting API permissions, featuring options to select various Microsoft APIs, including Microsoft Graph, and access to services such as Office, Azure, Intune, Outlook, Exchange, OneDrive, SharePoint, and more.

2.5.3) Select the option Application permissions.

Screenshot of an API permissions request interface showing options for application and delegated permissions.

2.5.4) Select the permission Group.Read.All and then click Add permissions.

You can find the permission directly by entering the string Group.Read. into the search box.

Image displaying a user interface for configuring API permissions, including options for delegated and application permissions, with fields for selecting specific permissions and indicating whether admin consent is required.

2.5.5) Click Grant admin consent for <Active-Directory>.

Screenshot of a software interface showing the permissions configuration menu for an application, with options for integration, token configuration, and granting admin consent visible.

2.5.6) Confirm the prompt by clicking Yes.

Screenshot of a user interface prompt asking for admin consent to grant permissions for all accounts in the DEMOLTATEST domain, with an option to update existing records based on the listed permissions.



3) Further configuration steps in the LMC:

3.1) Configuration of user administration:

3.1.1) Go back to the LTA user administration in the LMC and fill out the field IdP Metadata URL with the App Federation Metadata Url copied in step 2.2.8.

Screenshot of a technical configuration menu for Single Sign-On (SSO) setup featuring LTA activated, user administration, and various managed IdP SAML options.

3.1.2) Enter the following parameters under IdP credential to sync with AD:

  • Application-ID (Client-ID): Enter the Application (client) ID copied in step 2.4.
  • Client Secret: Enter the application password copied in step 2.3.6.
  • Directory-ID (Tenant-ID): Enter the Directory (tenant) ID copied in step 2.4.

Image showing a technical configuration interface with fields for Application ID, Client ID, Client Secret, Directory ID, and Tenant ID.

3.1.3) After synchronizing with Microsoft Entra ID, select the primary group that should be used to enable LTA and activate the authorization profile for this group. Then click Save.

An LTA license is required for every user in this group.

Screenshot of a technical configuration menu for user group management and licensing access, featuring options for synchronization and authorization profiles.


3.2) Connection targets:

The Connection targets menu is used to create resources that can be assigned to the users (see step 3.3).

3.2.1) Go to the Connection targets tab and click Add connection target.


3.2.2) Modify the following parameters and then click Save:

  • Name: Enter a descriptive name for the connection target (in this example Web-Server).
  • Hostname / IPv4 address / CIDR notation: Enter a DNS name or the IP address of the connection target (in this example 10.0.0.250). Alternatively, you can provide access to an entire network by entering the network address in CIDR notation (e.g. 10.0.0.0/8).
  • Protocol: Select the communications protocol (in this example TCP).
    • The following protocols are available:
      • TCP
      • UDP
      • ICMP
      • AH
      • ESP
      • GRE
      • TCP+UDP
      • All protocols
  • Port: Enter the ports for the communications (in this example 80 and 443). Multiple ports can be separated by a comma (e.g. 80,443). Port ranges can be entered with a hyphen (e.g. 5060-5061).


3.3) Authorization profiles:

The Authorization profiles are used to link users to the connection targets. Different users can be assigned to individual connection targets. The LMC uses these settings as a basis to automatically create firewall rules that allow communication to the connection targets.

3.3.1) Go to the Authorization profiles tab and click Add authorization profile.

Screenshot of a security configuration interface displaying sections like Authorization Profiles, Connection Targets, User Administration, with a notice indicating no authorization profiles found.

3.3.2) Enable the authorization profile using the slider and adjust the following parameters:

  • Profile name: Enter a descriptive name for the profile (in this example Admin).
  • Users / Groups: From the drop-down menu, select a Group from the Active Directory (in this example Admin). You can optionally select multiple users and assign them the same permissions.

A screenshot of a user interface for creating and managing authorization profiles, specifying user groups and connection targets within a system.

3.3.3) Under Status, enable the necessary connection targets for the user (see step 3.2.2) and click Create.
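As an added example for steps 3.2.2 and 3.3 (Python written for this article, not LMC code), the following validates connection target entries the way the dialog constrains them (protocol list, comma-separated ports, hyphenated port ranges, IP or CIDR destination) and derives the simplified allow list that an authorization profile implies for a group. The Web-Server target uses the values from this article; the Ping-LAN target, the rule tuple format and the hostname check are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Protocols offered in the connection target dialog (step 3.2.2).
PROTOCOLS = {"TCP", "UDP", "ICMP", "AH", "ESP", "GRE", "TCP+UDP", "All protocols"}
# Only these carry a port specification; the others leave Port empty (assumption).
PORT_PROTOCOLS = {"TCP", "UDP", "TCP+UDP"}


@dataclass(frozen=True)
class ConnectionTarget:
    name: str
    destination: str      # hostname, IPv4 address or network in CIDR notation
    protocol: str
    ports: str = ""       # "80,443" or "5060-5061"; empty if protocol has no ports


def parse_ports(spec):
    """Turn '80, 443, 5060-5061' into a sorted list of (low, high) ranges."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        low, _, high = item.partition("-")
        lo, hi = int(low), int(high or low)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port entry: {item!r}")
        ranges.append((lo, hi))
    return sorted(ranges)


def validate_target(target):
    """Reject entries the dialog would not accept; returns the target unchanged."""
    if target.protocol not in PROTOCOLS:
        raise ValueError(f"unknown protocol: {target.protocol!r}")
    if target.protocol in PORT_PROTOCOLS:
        if not parse_ports(target.ports):
            raise ValueError(f"{target.name}: port required for {target.protocol}")
    elif target.ports.strip():
        raise ValueError(f"{target.name}: ports not applicable to {target.protocol}")
    try:
        ipaddress.ip_network(target.destination, strict=False)   # IPv4 address or CIDR
    except ValueError:
        # Otherwise a plain DNS name: letters, digits, dots and hyphens (assumed check)
        if not re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?", target.destination):
            raise ValueError(f"{target.name}: invalid destination {target.destination!r}")
    return target


def profile_rules(group, targets):
    """Simplified model of the allow rules an authorization profile implies:
    one (group, destination, protocol, ports) entry per port range of each target."""
    rules = []
    for target in targets:
        validate_target(target)
        port_ranges = parse_ports(target.ports) if target.protocol in PORT_PROTOCOLS else [None]
        for rng in port_ranges:
            port_text = "any" if rng is None else (str(rng[0]) if rng[0] == rng[1] else f"{rng[0]}-{rng[1]}")
            rules.append((group, target.destination, target.protocol, port_text))
    return rules


if __name__ == "__main__":
    web = ConnectionTarget("Web-Server", "10.0.0.250", "TCP", "80,443")
    ping = ConnectionTarget("Ping-LAN", "10.0.0.0/8", "ICMP")
    for rule in profile_rules("Admin", [web, ping]):
        print(rule)
```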



4) Configuration steps in the LTA client:

4.1) In the LTA client, click Settings and select the option LMC Domain.

Screenshot of the LANCOM Trusted Access Client interface.

4.2) Change the following parameters:

  • URL: Enter the URL lancom.de.
  • Domain: Enter the e-mail domain that you stored in the LMC in step 1.5.1 (in this example mydomain.com).

Screenshot of a user interface showing fields for entering a URL and Domain.