My organisation is about to embark on the Ivanti Service Manager SaaS version. We are currently setting up a Staging environment for this.
There are a couple of things we need to set up to allow Service Manager to operate properly:
- Access to our on-premises Active Directory environment (based on Windows Server 2008 R2)
- Outgoing email to our on-premises Exchange 2010 environment
We use ADFS 3.0 (Active Directory Federation Services), and we also have a Web Application Proxy in our DMZ to allow external access to on-premises services. We also use Azure AD to sync our on-premises AD into the Azure cloud.
Service Manager supports ADFS, so we have set this up to allow SSO as well as federated access; however, this doesn't solve the problem of importing Active Directory objects (users) into Service Manager. The notes I have seen say that we need to allow access to our on-premises Active Directory environment, either by allowing the ports through our corporate firewall or by using a VPN connection; we are not comfortable with either option from a security standpoint.
Our preferences would be to either:
- Use Azure AD and allow Service Manager to connect to our Azure Active Directory
- Allow Active Directory access securely using our WAP in the DMZ, but I don't think this option is possible
- Create a read-only domain controller, put this in our DMZ and then allow Service Manager to connect only to this server for import purposes
I am interested in knowing how other organisations have allowed this securely. If any of the above options have been used, I would be interested to know how you achieved it.
For the import of users from Active Directory, I have only seen two scenarios with my customers:
- use of a VPN to connect directly to the AD
- export of users from AD to CSV or similar -> SFTP -> import
Also, Ivanti has a tool that came out to circumvent needing a VPN connection; I think it uses the second option. Ask your Ivanti contact about this.
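The "export from AD to CSV -> SFTP -> import" path described in the answer above, as an added example of how the export and transfer half could be scripted (this is not code from the post, from Ivanti, or from the tool mentioned). It assumes a domain-joined Windows host with the ActiveDirectory RSAT module, a service account with read-only access to the user OU, the Windows OpenSSH client (sftp.exe) with key-based authentication already configured and the drop host's key already in known_hosts. The OU, host, user, remote path and CSV column names are placeholders; map the columns to whatever the Service Manager import expects.

```powershell
# Added example: export a minimal, filtered set of AD users to CSV and push it
# to an SFTP drop host. Assumptions (placeholders, not from the original post):
# ActiveDirectory module present, read-only service account, OpenSSH client
# installed, key auth and known_hosts already set up for the drop host.

param(
    [string]$SearchBase = 'OU=Staff,DC=example,DC=local',   # placeholder OU
    [string]$OutFile    = "$env:TEMP\ism-users.csv",
    [string]$SftpHost   = 'sftp.example.com',                # placeholder host
    [string]$SftpUser   = 'ism-import',                      # placeholder user
    [string]$RemoteDir  = '/inbound'                         # placeholder path
)

Import-Module ActiveDirectory -ErrorAction Stop

# Export only enabled users that have a mailbox, and only the attributes the
# import needs. Everything else in the directory (group memberships, phone
# numbers, manager links, descriptions) never leaves the domain.
$users = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
    -Properties mail, displayName, department, title |
    Where-Object { $_.mail } |
    Select-Object @{n='LoginId';     e={ $_.SamAccountName }},
                  @{n='DisplayName'; e={ $_.displayName }},
                  @{n='Email';       e={ $_.mail }},
                  @{n='Department';  e={ $_.department }},
                  @{n='Title';       e={ $_.title }},
                  @{n='ObjectGuid';  e={ $_.ObjectGUID }}   # stable key for re-imports

$users | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host ("Exported {0} users to {1}" -f @($users).Count, $OutFile)

# Push with the OpenSSH client in batch mode: it never prompts, so a failed
# key authentication or an unknown host key fails the job instead of hanging
# or silently accepting a new key.
$batch = New-TemporaryFile
@"
put "$OutFile" "$RemoteDir/ism-users.csv"
bye
"@ | Set-Content -Path $batch.FullName -Encoding ASCII

try {
    & sftp.exe -o BatchMode=yes -o StrictHostKeyChecking=yes `
        -b $batch.FullName "$SftpUser@$SftpHost"
    if ($LASTEXITCODE -ne 0) { throw "sftp exited with code $LASTEXITCODE" }
}
finally {
    # Do not leave the user export or the batch file lying around on the host.
    Remove-Item $batch.FullName -ErrorAction SilentlyContinue
    Remove-Item $OutFile -ErrorAction SilentlyContinue
}
```

Run it from a scheduled task under the read-only service account; the SaaS side then only ever needs to reach the SFTP host, and the domain controllers are never exposed. Keeping the attribute list short is deliberate: the export is the one copy of directory data that leaves your network, so it should contain no more than the import actually consumes.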