first, make a process account that is NOT a domain admin ... just a domain user or less. My guess is that you have the base DN set up to limit where it is searching. Another possibility is the filter has some limite in it. Check the configruation against these > Set up your Auth server as an LDAP server > if your domain controllers have LDAP cers, use LDAP port 636 > enter at least two DCs (if you don't have any LDAP load balancing) > set the LDAP server type to AD > enter username and password for your account (you may need to use LDAP format for the CN) > base dn: CN=yourdomain,CN=com (or use .local or whatever your domain has for the domain suffix) > filter: samAccountName=<USER> or CN=<USER> > basedn: dc=yourdomain,dc=com (this searches the entire directory) > another basedn: cn=users,dc=yourdomain,dc=com (this searches just the users container) > another basedn: ou=SomeOU,dc=yourdomain,dc=com (this searches just an ou named SomeOU) > filter: cn=<GROUPNAME> > Member Attribute: memberOf > check reverse group search > query Attribute: <memberURL> ... View more

You are welcome; good luck! ... View more

Hi Roger, Make also sure that your firewall is not blocking access from your LAN to your SSL device. You might wanna look at your DNS as well so that you have a record to resolve your SSL box's URL from the inside. Make sure that your hostname is set correctly as mails will be sent containing the URL https://hostname/meeting/xxx This is mostly important when you would be sending invitations to the outside world but anyhow ... As Keith said, just give a shout if we can help you. Thanks, Kristof ... View more

Perfect - that was exactly the fix - customer is happy Many Thanks Roger Magician ... View more

Got it working! my USER search had to be changed to <USERNAME> I can now see all my AD! Thanks for your help Roger ... View more

If i understand you right, you use AD-Username AD-Password RSA Token Number for Authentication. Your goal is to use AD Groups to give IPs to the Users according to their membership in one of these AD groups. I use IAS Radiusserver for Authentication of AD Users. In RAS Policies of IAS Server you can define easily Windowsgroup as a condition which has to match. When for example RAS Policy 1 (User must be member of Windows Group "VPN-1") matches, in that RAS Policy under "Profile"... "Advanced" you can define Radius Returning Attribute "Class (25)" with a value like "VPN-1" Then, on IVE Realm Level, Rolemapping, you can use user attributes (what are in this case the radius returning attributes) to map the user to a IVE Role like "VPN-1 Role". If User attribute Class (25) has value "VPN-1" then map the user to IVE Role "VPN-1". And on Resource Policies on IVE...Network Connect... Profiles you can configure mapping of an IP-Network to the IVE User Role "VPN-1". I think «this is the most stable and even easy to configure and maintain solution for your scenario. ... View more

I have found the answer - Detailed Rules! Allow - site subnet Allow - site DNS servers Deny - all other inernal networks Allow - * Works a treat ... View more