
Join On-Prem NAS to AD via ADDS without public IP?


Hey there,

I'm having the following scenario:

My institution has a (non-profit) O365 subscription and manages all users via Azure AD. Now we will get a Synology NAS at one of our sites. We still want to manage users and privileges via Azure AD, so we want to join the NAS via Active Directory Domain Services (ADDS) to our AD domain.

Therefore, as far as I understand, a VPN (IPSec?) tunnel from the on-site network to a VNET in Azure is needed, so that the NAS can communicate with ADDS, right?

The issue with this is that the site has no public IP address, as it lies behind (multiple) CGNATs, and currently there is no way to get another ISP which would provide a public IP.

 

Which options do I have to connect my on-prem network to Azure VNET for communication to ADDS?

Thanks!

1 Reply
Hi Phlip,

Azure AD needs to be deployed in a Vnet and therefore will require connectivity between your DSM and the Azure Vnet.

The simplest solution is found here. https://www.synology.com/en-global/knowledgebase/DSM/tutorial/Management/How_to_join_NAS_to_Azure_AD...

This is exactly what I have done with my home network, with the exception that I use a point-to-site VPN from my DSM to my Azure VPN Gateway. This article describes a point-to-site VPN. https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-...

All the best, Steve

