Active Directory Authentication Through a BOVPN Tunnel
If you have Fireboxes at two sites connected with a branch office VPN (BOVPN) tunnel, and an Active Directory server at one of the sites, users at both sites can authenticate to that same Active Directory server. To do this, add the tunnel routes described below to the BOVPN configuration of both devices.
For example, consider an organization that has Fireboxes at two sites, Site A and Site B. The Active Directory server is located at Site A. The administrator wants the Firebox at Site B to use the Active Directory Server at Site A for authentication of local users.
Add a Tunnel Route to the Site A BOVPN Configuration
At Site A, you must add a tunnel route for traffic through the BOVPN tunnel from Site B to the local Active Directory server. The remote address for this route is the IP address of the external interface of the Site B Firebox, not the Site B trusted network, because the Site B Firebox itself originates the authentication requests and sends them from its external interface.

- Connect to Fireware Web UI for the Firebox at Site A.
- Select VPN > Branch Office VPN.
- Select the existing tunnel to Site B and click Edit.
- In the Addresses tab, click Add.
- In the Local IP section, in the Host IP text box, type the private IP address of the Active Directory server.
- In the Remote IP section, in the Host IP text box, type the IP address of the external interface at Site B.
- Save the configuration to the device.

- Open the device configuration for the Site A device in Policy Manager.
- Select VPN > Branch Office Tunnels.
- Select the existing tunnel to Site B and click Edit.
  The Edit Tunnel dialog box appears.
- In the Addresses tab, click Add.
  The Tunnel Route Settings dialog box appears.
- In the Local text box, type the private IP address of the Active Directory server.
- In the Remote text box, type the IP address of the external interface of the device at Site B.
- Save the configuration to the device.
Add a Tunnel Route to the Site B BOVPN Configuration
At Site B, you must also add the matching tunnel route, with the local and remote addresses reversed, for traffic through the BOVPN tunnel from the Site B Firebox to the Active Directory server at Site A. The tunnel routes on the two devices must mirror each other, or the tunnel does not pass this traffic.

- Connect to Fireware Web UI for the Firebox at Site B.
- Select VPN > Branch Office VPN.
- Select the existing tunnel to Site A and click Edit.
- In the Addresses tab, click Add.
- In the Local IP section, in the Host IP text box, type the external IP address of the Site B device.
- In the Remote IP section, in the Host IP text box, type the IP address of the Active Directory server located at Site A.
- Save the configuration to the device.

- Open the device configuration for Site B in Policy Manager.
- Select VPN > Branch Office Tunnels.
- Select the existing tunnel to Site A and click Edit.
  The Edit Tunnel dialog box appears.
- In the Addresses tab, click Add.
  The Tunnel Route Settings dialog box appears.
- In the Local text box, type the external IP address of the Site B device.
- In the Remote text box, type the private IP address of the Active Directory server located at Site A.
- Save the configuration to the device.
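The following is an added worked example, not code from the WatchGuard documentation or from Fireware. It models the tunnel routes from the two procedures above and checks the two things that most often go wrong: that the routes on the two devices mirror each other, and that the authentication traffic the Site B Firebox sends from its own external interface to the Active Directory server is actually covered by a route on both sides. All addresses are constructed for the example, and the matching logic is a simplification (exact mirror match, first route wins); it does not reproduce how Fireware negotiates IPsec selectors.

```python
"""Check BOVPN tunnel routes for Active Directory authentication through the tunnel.

Constructed example, not WatchGuard code. Made-up addresses:
  Site A Active Directory server (private):  10.0.1.10
  Site A trusted network:                    10.0.1.0/24
  Site B Firebox external interface:         198.51.100.1
  Site B trusted network:                    10.0.2.0/24
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelRoute:
    """One entry on the Addresses tab of a BOVPN tunnel: Local <-> Remote."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def route(local: str, remote: str) -> TunnelRoute:
    # strict=False lets a single host IP be written without /32
    return TunnelRoute(ipaddress.ip_network(local, strict=False),
                       ipaddress.ip_network(remote, strict=False))


def find_route(routes, src: str, dst: str):
    """Return the first tunnel route whose Local covers src and Remote covers dst, else None."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in routes:
        if src_ip in r.local and dst_ip in r.remote:
            return r
    return None


def mirrored(site_a_routes, site_b_routes) -> bool:
    """Every route on one device must appear on the other with Local and Remote swapped.
    If the selectors disagree, the tunnel does not carry that traffic."""
    a = {(r.local, r.remote) for r in site_a_routes}
    b = {(r.remote, r.local) for r in site_b_routes}
    return a == b


def ad_reachable(site_a_routes, site_b_routes, ad_server: str, site_b_external: str) -> bool:
    """The Site B Firebox sends its own authentication requests from its external
    interface, so both devices need a route covering site_b_external <-> ad_server."""
    outbound = find_route(site_b_routes, site_b_external, ad_server)
    inbound = find_route(site_a_routes, ad_server, site_b_external)
    return outbound is not None and inbound is not None


AD_SERVER = "10.0.1.10"
SITE_A_TRUSTED = "10.0.1.0/24"
SITE_B_EXTERNAL = "198.51.100.1"
SITE_B_TRUSTED = "10.0.2.0/24"

# Routes as the procedures above add them, plus a pre-existing LAN-to-LAN route.
SITE_A_CORRECT = [route(SITE_A_TRUSTED, SITE_B_TRUSTED), route(AD_SERVER, SITE_B_EXTERNAL)]
SITE_B_CORRECT = [route(SITE_B_TRUSTED, SITE_A_TRUSTED), route(SITE_B_EXTERNAL, AD_SERVER)]

# Common mistake: using the Site B trusted network as Local for the AD route.
# Hosts behind Site B can reach the server, but the Firebox's own requests,
# sourced from its external interface, match no tunnel route.
SITE_A_WRONG = [route(SITE_A_TRUSTED, SITE_B_TRUSTED), route(AD_SERVER, SITE_B_TRUSTED)]
SITE_B_WRONG = [route(SITE_B_TRUSTED, SITE_A_TRUSTED), route(SITE_B_TRUSTED, AD_SERVER)]


if __name__ == "__main__":
    for label, a, b in (("correct", SITE_A_CORRECT, SITE_B_CORRECT),
                        ("wrong", SITE_A_WRONG, SITE_B_WRONG)):
        print(f"{label}: mirrored={mirrored(a, b)} "
              f"ad_reachable={ad_reachable(a, b, AD_SERVER, SITE_B_EXTERNAL)}")
```

Note that the "wrong" configuration passes the mirror check: the two devices agree with each other, so the tunnel comes up and LAN-to-LAN traffic works, yet Site B authentication still fails because nothing carries traffic sourced from the Site B external interface. That is why the procedure uses the external IP address, not the trusted network, as the Site B address for this route.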
Configure Active Directory Authentication on the Site B Device
Configure Active Directory authentication on the Site B device as described in Configure Active Directory Authentication.
After you complete these steps, the Site B device can use the Active Directory server at Site A to authenticate local users.