I have my own ideas, but I'm not the only person in the organization, so I want to ping you guys and see what you think, before I raise certain subjects with the other IT folks.
You have an AD organization, and you need to support some users who work almost exclusively remotely. You were able to join their laptop to the domain upon initial deployment, and they logged in for the first time while on the LAN. They set their initial password, then they left the building, and now the question is ... What next?

Rather than talk about anything as it stands within the company today, I want to hear the most creative possible solutions: not just how *would* you design the solution, but how *might* you, if you're trying to think as creatively and full-featured as possible, no walls, without compromising security?

For things like password resets, they can do it via the OWA interface, but then there needs to be a way for the AD server to propagate the change to the client.

The client can have a VPN client. It can launch and connect automatically and non-interactively. It can have a split tunnel or a non-split tunnel. The user can simply press Ctrl-Alt-Del to change their password. This is probably fine, to just support users that already have systems deployed to them. It's kind of difficult for a user to log in to a laptop that they haven't previously logged into, but I think that's a limitation that is generally acceptable, plus it's not *impossible* to work around.

Could it be? Maybe it's actually possible to safely deploy an AD server into a DMZ or on the WAN, which their clients use for things like password resets and stuff? Literally available on the public internet? I certainly have reservations from a security standpoint. Maybe those can be alleviated somehow?

Some day, IPv6 will be prevalent. Support for IPsec or some other encryption/security protocols will essentially create VPN-like security on world-routable IP addresses. It might be years away before it's widely enough deployed to be considered a truly useful potential solution for this sort of problem, but the expectation is that someday the client shouldn't really care about whether it's on a LAN or WAN. Someday the client should be able to securely connect directly to the world-routable IP address (via DNS name) of the server, regardless of physical location in the world. So if this logic stands up, what's to prevent the same truth from applying to IPv4, as long as the server is made publicly routable? Either way, you put the server behind a firewall, and you only allow certain protocols to reach it. Those protocols are encrypted, aren't they? Even if IPv4? (I actually don't know what protocols are necessary to support the user.)

Another possibility ... It's expected that each user will have a "home" somewhere. We could give them a hardware VPN appliance, with Wi-Fi that's only accessible from their laptop. While they might not be in the office every day, you bring the office LAN to them. As long as they return to their home periodically, say, at least once every 2 weeks or so, they should have their needs met.

Any other ideas?
_______________________________________________ Tech mailing list Tech@lists.lopsa.org https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech This list provided by the League of Professional System Administrators http://lopsa.org/
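A defender-side check tied to the question above about which protocols a domain controller must accept through a firewall or VPN before a remote client can log on and change its password. This PowerShell script is an added example, not the poster's or the list's; it assumes a domain-joined Windows client with the NetTCPIP module (Test-NetConnection), and $DomainController is an assumed parameter that defaults to the client's logon server.

```powershell
# Added example (not from the original post): probe the well-known Active
# Directory client-facing TCP ports on a domain controller from a remote laptop,
# to verify that a split-tunnel VPN or DMZ firewall passes what a domain-joined
# client needs for logon and password changes.
# $DomainController is an assumed parameter; it defaults to the logon server.
param(
    [string]$DomainController = ($env:LOGONSERVER -replace '^\\\\', '')
)

# Well-known AD service ports (TCP only). The UDP variants of DNS/Kerberos/
# CLDAP/NTP and the dynamic RPC range (49152-65535 on Server 2008+) are not
# probed here, so a passing result is necessary but not sufficient.
$adPorts = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos (authentication)' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB (SYSVOL / Group Policy)' },
    @{ Port = 464;  Service = 'Kerberos password change (kpasswd)' },
    @{ Port = 636;  Service = 'LDAPS' },
    @{ Port = 3268; Service = 'Global Catalog' },
    @{ Port = 3269; Service = 'Global Catalog over TLS' }
)

function Test-DcPorts {
    param([string]$Dc, [array]$Ports)
    foreach ($entry in $Ports) {
        # -InformationLevel Quiet returns a bare $true/$false for the TCP handshake
        $ok = Test-NetConnection -ComputerName $Dc -Port $entry.Port `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $Dc
            Port             = $entry.Port
            Service          = $entry.Service
            Reachable        = $ok
        }
    }
}

$results = Test-DcPorts -Dc $DomainController -Ports $adPorts
$results | Format-Table -AutoSize

# A Ctrl-Alt-Del password change typically needs Kerberos (88) and kpasswd (464);
# call those out explicitly so a blocked link is obvious before the user tries it.
$blocked = $results | Where-Object { -not $_.Reachable -and $_.Port -in @(88, 464) }
if ($blocked) {
    Write-Warning "Password change over this link is likely to fail; blocked TCP ports: $($blocked.Port -join ', ')"
}
```

Run it from the remote laptop with the VPN up; any port reported as unreachable is one the firewall or tunnel policy has to allow before that AD function works off the LAN.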