Friday, June 4, 2021

User authentication across internet for remote devices

We took on a customer who requires 2FA for us to login to their network via Anyconnect. Not an issue.

For that to work, though, we have had to build a completely separate Windows AD server and assign it a public IP address so the customer can carry out first-factor authentication. They insisted it be on our architecture/services rather than theirs, so it is fully managed by us. This public-facing server sits in a DMZ, is not domain-joined, and has ACLs limiting which public addresses can access the service.

This obviously isn't ideal for many reasons: primarily, AD isn't designed for internet use in this way, but it also means that the limited number of people using this extra box have to remember two (usually) different passwords.

Are there any suggestions as to how to improve this setup, ideally without having AD on the internet?

Tia


