I spoke with our Cloud System Engineers and they told me we can leave it as is. The non-encrypted port of 3268 is open in Azure and this will be marked as something to note, but not something that prevents us from moving our dSeries environment into the cloud. They have far more critical security issues to deal with than this one.
Thanks for your help.
------------------------------
Andy Reimer
------------------------------
Original Message:
Sent: Jan 26, 2022 05:02 PM
From: Gregg Stewart
Subject: LDAP using unencrypted port to access Global Catalog
Hi Andy,
I've been monitoring the communication between my DE Server for the past few hours (via Wireshark) and everything is being sent to my AD Server over 636. Nothing over 389, 3268 or 3269. If you remove a character from the Parameter Value of the "Server URL" value, it will show a "Used by Primary" and "Used by Standby". I'm not sure if you can remove a character in the environment where you see this, but if so then maybe this will show a different value being used?
Regards,
Gregg
Original Message:
Sent: Jan 26, 2022 12:16 PM
From: Andy Reimer
Subject: LDAP using unencrypted port to access Global Catalog
We do have LDAPS enabled, and there is traffic using port 636 when someone logs into dSeries. That said there is still traffic being seen on port 3268 which is accessing the Global Catalog.
My guess is that this is when dSeries is querying AD every 30 minutes to get the list of potential users. Just a guess.

------------------------------
Andy Reimer
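A quick way to repeat Gregg's capture check and to see Andy's 3268 finding without reading packets one by one, added here as an example that is not part of the thread or of dSeries: it tallies cleartext LDAP and Global Catalog connections from a constructed "src dst port" summary and rewrites an LDAP URL into its LDAPS form on the matching port (the addresses and host name are assumed).

```python
# Added example (not from the thread or dSeries): flag cleartext LDAP/Global
# Catalog connections in a capture summary and rewrite an LDAP URL to LDAPS.
from urllib.parse import urlsplit, urlunsplit

# Standard AD ports: (description, encrypted?) for domain and Global Catalog.
LDAP_PORTS = {
    389: ("domain LDAP", False),
    636: ("domain LDAPS", True),
    3268: ("Global Catalog LDAP", False),
    3269: ("Global Catalog LDAPS", True),
}
# Cleartext port -> its TLS counterpart.
TLS_COUNTERPART = {389: 636, 3268: 3269}

# Constructed sample, "src dst dport" per line, as one might export from
# Wireshark (tshark -T fields) or collect with `ss -tn` on the DE server.
SAMPLE_CAPTURE = """\
10.1.1.50 10.1.1.10 636
10.1.1.50 10.1.1.10 636
10.1.1.50 10.1.1.10 3268
10.1.1.50 10.1.1.11 3268
10.1.1.50 10.1.1.10 443
"""

def audit_capture(text):
    """Return {(dst, port): count} for every cleartext LDAP/GC connection seen."""
    findings = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed lines
        dst, port = parts[1], int(parts[2])
        info = LDAP_PORTS.get(port)
        if info and not info[1]:
            findings[(dst, port)] = findings.get((dst, port), 0) + 1
    return findings

def harden_ldap_url(url):
    """Rewrite ldap://host[:port] to ldaps://host:<TLS port>; other URLs unchanged."""
    u = urlsplit(url)
    if u.scheme != "ldap":
        return url
    tls_port = TLS_COUNTERPART.get(u.port or 389, u.port)
    return urlunsplit(("ldaps", f"{u.hostname}:{tls_port}", u.path, u.query, u.fragment))

if __name__ == "__main__":
    for (dst, port), n in sorted(audit_capture(SAMPLE_CAPTURE).items()):
        print(f"{dst}:{port} {LDAP_PORTS[port][0]}: {n} cleartext connection(s), "
              f"move to port {TLS_COUNTERPART[port]}")
    print(harden_ldap_url("ldap://dc01.example.com:3268"))
```

Connections on 636 are ignored by the audit; only the two Global Catalog hits on 3268 are reported, which matches the pattern Andy describes.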
Original Message:
Sent: Jan 26, 2022 11:03 AM
From: Nitin Pande
Subject: LDAP using unencrypted port to access Global Catalog
Hi Andy,
You can set the LDAPS in the LDAP URL and also enable SSL for LDAP as true.
The screen shot is from Admin -> Topology -> Authentication Systems.
See here:

HTH,
Nitin Pande
------------------------------
Support
Broadcom
Toronto
Original Message:
Sent: Jan 25, 2022 04:35 PM
From: Andy Reimer
Subject: LDAP using unencrypted port to access Global Catalog
We are moving one of our dSeries environments to Azure and part of the firewall port scan showed unencrypted calls to the LDAP Global Catalog on port 3268.
Is there a way to configure this to use encryption which would use port 3269?
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts
------------------------------
Andy Reimer
------------------------------