FIM 2010 Active Directory Synchronization over Internet

  • Question

  • Hello,

    

    I'd like to ask if FIM Active Directory Management Agents can export AD object data across Internet or will a site-to-site VPN be required?

    

    For example...

    

    I have three forests:

    • FIMdomain.com - a separate AD domain for FIM
    • ForestA.com - Company A forest with users, no trust or network connection to Company B nor FIMdomain
    • ForestB.com - Company B forest with users, no trust or network connection to Company B nor FIMdomain

    Goal: To export all users from ForestA and ForestB into FIMdomain. FIMdomain AD will have the consolidated copy of all the user objects from ForestA and ForestB.

    

    Question: In order for FIMdomain to export user objects, will I be required to set up a trust or a private network connection (e.g. site-to-site VPN) to ForestA and ForestB? Or can I connect via the Internet and query using LDAPS? Will I be required to configure trusts?

    

    Thank you.

    

    

    Wednesday, November 19, 2014 6:27 AM

All replies

  • Hello,

    For the AD MA to work you need more ports than just the LDAPS port.

    See this documentation: http://technet.microsoft.com/en-us/library/cc720599%28WS.10%29.aspx

    So for this it's better to use a VPN connection, even for security reasons.

    You don't need a trust between the forests in order to import both company domains to FIM and export the accounts to your FIM domain.

    Regards
    Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Wednesday, November 19, 2014 9:37 AM
  • Hi Peter,

    Thanks for your advice. I'd like to clarify on something:

    1. If I only want to communicate via the LDAPS port, can I just enable that port? Or will the others (i.e. Kerberos, DNS, Kerberos Change Password) be required?

    2. When you said it is better to use a VPN connection, does it mean that technically I can still sync data across forests even if it is via the Internet? Is it only better to use a VPN for additional security?

    Thanks!

    Regards

    Lorraine

    Wednesday, November 19, 2014 10:35 AM
  • Hi,

    No, just the LDAP port will NOT be enough for the AD MA; you will also need the additional ports for Kerberos authentication to work and also DNS name resolution.

    You can publish all the ports to the internet and then connect the AD MA to that, but from a security perspective you should not do that.

    You can also try to access AD by LDAP only with a generic LDAP connector, but I don't see why someone should do this if there is a perfect MA for that.

    Regards
    Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Wednesday, November 19, 2014 2:18 PM
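The replies above say the AD MA needs the Kerberos, DNS and Kerberos Change Password ports in addition to LDAP/LDAPS, which is why a site-to-site VPN rather than Internet-published ports is the usual answer. As an added illustration, not code from this thread, from Microsoft or from the FIM product, the following PowerShell script, run on the FIM Synchronization Service host, reports which of those TCP ports a remote domain controller answers on, so the VPN or firewall rules can be verified before the management agent is created. The `$DomainController` parameter is a placeholder for a DC in ForestA.com or ForestB.com; the port numbers are the standard assignments for those services; the check is TCP-only, because `Test-NetConnection` does not probe UDP, which DNS and Kerberos also use.

```powershell
# Added example (not part of the thread): verify that the ports the AD MA depends on
# are reachable from the FIM Synchronization Service host on a remote domain controller.
# $DomainController is a placeholder; supply a DC of the forest being imported.
param(
    [Parameter(Mandatory = $true)]
    [string]$DomainController
)

# Services the replies name as required beyond LDAPS alone, with their standard ports.
$requiredPorts = @(
    @{ Name = 'DNS';                      Port = 53  },
    @{ Name = 'Kerberos';                 Port = 88  },
    @{ Name = 'LDAP';                     Port = 389 },
    @{ Name = 'Kerberos change password'; Port = 464 },
    @{ Name = 'LDAPS';                    Port = 636 }
)

$results = foreach ($svc in $requiredPorts) {
    # Test-NetConnection exercises TCP only; DNS and Kerberos also use UDP on the same ports.
    $tcp = Test-NetConnection -ComputerName $DomainController -Port $svc.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Service   = $svc.Name
        Port      = $svc.Port
        Reachable = $tcp.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

# Fail with a non-zero exit code if any prerequisite port is blocked, so the script
# can gate a deployment step or a scheduled health check.
$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.Service)/$($_.Port)" }) -join ', '
    Write-Warning "AD MA prerequisites not met; blocked TCP ports: $list"
    exit 1
}
```

Run it as `.\Test-AdMaPorts.ps1 -DomainController dc01.foresta.com` (file name and host are placeholders) once the VPN is up; a host where everything but 636 is blocked is exactly the situation the thread describes as insufficient for the AD MA.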