ESP dSeries Workload Automation

 View Only
  • 1.  LDAP using unencrypted port to access Global Catalog

    Posted Jan 25, 2022 04:36 PM
    We are moving one of our Dseries environments to Azure and part of the firewall port scan showed un-encrypted calls to the LDAP Global Catalog on port 3268.
    Is there a way to configure this to use encryption which would use port 3269?

    https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts

    ------------------------------
    Andy Reimer
    ------------------------------


  • 2.  RE: LDAP using unencrypted port to access Global Catalog

    Broadcom Employee
    Posted Jan 26, 2022 11:04 AM
    Hi Andy,
    You can set the LDAPS in the LDAP URL and also enable SSL for LDAP as true.
    The screen shot is from Admin -> Topology -> Authentication Systems.
    See here:



    HTH,
    Nitin Pande

    ------------------------------
    Support
    Broadcom
    Toronto
    ------------------------------



  • 3.  RE: LDAP using unencrypted port to access Global Catalog

    Posted Jan 26, 2022 12:16 PM
    We do have LDAPS enabled, and there is traffic using port 636 when someone logs into dSeries.  That said there is still traffic being seen on port 3268 which is accessing the Global Catalog.

    My guess is that this is when dSeries is querying AD every 30 minutes to get the list of potential users.  Just a guess.



    ------------------------------
    Andy Reimer
    ------------------------------



  • 4.  RE: LDAP using unencrypted port to access Global Catalog

    Broadcom Employee
    Posted Jan 26, 2022 12:57 PM
    Yes, to query the users it will go thru 3268.  I believe that this is how AD wants clients to query.  You can check with Microsoft on this as well.  There are some limitations on what is returned.

    HTH,
    Nitin Pande

    ------------------------------
    Support
    Broadcom
    Toronto
    ------------------------------



  • 5.  RE: LDAP using unencrypted port to access Global Catalog

    Broadcom Employee
    Posted Jan 26, 2022 05:03 PM
    Hi Andy,

    I've been monitoring the communication between my DE Server for the past few hours (via wireshark) and everything is being sent to my AD Server over 636. Nothing over 389, 3268 or 3269. If you remove a character from the Parameter Value from "Server URL value, it will show a "Used by Primary" and "Used by Standby". I'm not sure if you can remove a character in the environment where you see this, but if so then maybe this will show a different value being used?

    Regards,
    Gregg


  • 6.  RE: LDAP using unencrypted port to access Global Catalog

    Posted Jan 28, 2022 05:40 PM
    I spoke with our Cloud System Engineers and they told me we can leave it as is.  The non-encrypted port of 3268 is open in Azure and this will be marked as something to note, but not something that prevents us from moving our dSeries environment into the cloud.  They have far more critical security issues to deal with than this one.

    Thanks for your help.

    ------------------------------
    Andy Reimer
    ------------------------------