ProxySG & Advanced Secure Gateway

  • 1.  ProxySG FIPS mode and LDAPS

    Posted Oct 10, 2023 06:03 PM

    I am having an issue trying to add an LDAP realm.  The ProxySG is running in FIPS mode and it keeps throwing an error "% Unable to use requested ssl-device-profile: Requested setting invalid in FIPS mode".  I do not see how the ssl-device-profile is not FIPS compliant.  Currently running version ProxySG 7.4.1.1.  Any assistance would be greatly appreciated.



  • 2.  RE: ProxySG FIPS mode and LDAPS

    Posted Oct 13, 2023 09:30 AM

    I suspect the LDAP server you are trying to connect to is offering or preferring non-FIPS algorithms.  Here are some things you can check:

    - Verify the ciphers configured in the ProxySG ssl-device-profile are available on the LDAP server you are connecting to.  If the LDAP/S server is not running in FIPS mode, you may have to manually edit its cipher list to make sure the two parties can agree on ciphers.

    - Verify the CCL assigned to your ProxySG ssl-device-profile trusts the certificate chain of the LDAP/S server.

    If you can't find the problem in these settings, post some more details about your environment so we can look for other possible problems.



    ------------------------------
    Harry
    ------------------------------
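    The two checks above can be scripted once you have captured the LDAPS server's certificate with `openssl s_client -connect dc:636 -showcerts | openssl x509 -noout -text` from a workstation that can reach the DC. The helper below is an added example and is not code from this thread or from Broadcom; the allow lists are my conservative reading of FIPS 140 / NIST SP 800-131A (SHA-2 signatures, RSA of at least 2048 bits, NIST P curves, AES-GCM/SHA-2 TLS suites) and the certificate text is a constructed fixture, so adjust both to the guidance your deployment is actually held to.

```python
import re

# Allow lists (assumption for this example; verify against your own FIPS
# guidance before relying on them).
FIPS_SIG_ALGS = {
    "sha256WithRSAEncryption", "sha384WithRSAEncryption", "sha512WithRSAEncryption",
    "ecdsa-with-SHA256", "ecdsa-with-SHA384", "ecdsa-with-SHA512",
}
FIPS_EC_CURVES = {"prime256v1", "secp384r1", "secp521r1"}
MIN_RSA_BITS = 2048
FIPS_TLS_CIPHERS = {
    "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256",
    "AES256-GCM-SHA384", "AES128-GCM-SHA256",
}


def parse_x509_text(text):
    """Extract signature algorithm, key algorithm, key size and EC curve from
    `openssl x509 -noout -text` output. Fields not present come back as None."""
    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None

    bits = grab(r"Public-Key:\s*\((\d+) bit\)")  # matches "RSA Public-Key:" too
    return {
        "sig_alg": grab(r"Signature Algorithm:\s*(\S+)"),
        "key_alg": grab(r"Public Key Algorithm:\s*(\S+)"),
        "key_bits": int(bits) if bits else None,
        "curve": grab(r"ASN1 OID:\s*(\S+)"),
    }


def check_certificate(text):
    """Return a list of findings; an empty list means every algorithm in the
    certificate is on the allow lists above."""
    c = parse_x509_text(text)
    findings = []
    if c["sig_alg"] not in FIPS_SIG_ALGS:
        findings.append(f"signature algorithm {c['sig_alg']} is not FIPS-approved")
    if c["key_alg"] == "rsaEncryption":
        if c["key_bits"] is None or c["key_bits"] < MIN_RSA_BITS:
            findings.append(f"RSA key of {c['key_bits']} bits is below {MIN_RSA_BITS}")
    elif c["key_alg"] == "id-ecPublicKey":
        if c["curve"] not in FIPS_EC_CURVES:
            findings.append(f"EC curve {c['curve']} is not FIPS-approved")
    else:
        findings.append(f"unrecognised public key algorithm {c['key_alg']}")
    return findings


def cipher_overlap(profile_ciphers, server_ciphers):
    """Split the suites both the ssl-device-profile and the LDAP server support
    into FIPS-usable and not, so a cipher mismatch is visible at a glance."""
    common = set(profile_ciphers) & set(server_ciphers)
    return sorted(common & FIPS_TLS_CIPHERS), sorted(common - FIPS_TLS_CIPHERS)


# Constructed fixture: a DC certificate issued by an internal CA that still
# signs with SHA-1, in the shape `openssl x509 -noout -text` prints.
SAMPLE_SHA1_CERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Example Internal CA
        Subject: CN=dc01.example.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
    Signature Algorithm: sha1WithRSAEncryption
"""
SAMPLE_OK_CERT = SAMPLE_SHA1_CERT.replace("sha1WithRSAEncryption", "sha256WithRSAEncryption")

if __name__ == "__main__":
    for name, cert in (("sha1", SAMPLE_SHA1_CERT), ("sha256", SAMPLE_OK_CERT)):
        print(name, check_certificate(cert) or "OK")
    usable, not_fips = cipher_overlap(
        ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-GCM-SHA256"],          # profile
        ["ECDHE-RSA-AES256-GCM-SHA384", "RC4-SHA", "AES128-SHA"],      # server
    )
    print("usable:", usable, "common but not FIPS:", not_fips)
```

    A certificate that passes this check but is still rejected by the appliance points at the CCL (the chain, not the leaf) or at the profile's own cipher and protocol settings rather than at the certificate's algorithms.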



  • 3.  RE: ProxySG FIPS mode and LDAPS

    Posted Oct 17, 2023 09:20 AM

    I appreciate the response.  I'm not even convinced that I am getting to the negotiation.  The ProxySG isn't recognizing the certificates uploaded as FIPS compliant.  Therefore, the ProxySG isn't allowing me to configure the correct device profile for the LDAPS connection.




  • 4.  RE: ProxySG FIPS mode and LDAPS

    Posted Oct 15, 2023 06:18 AM

    Hi Charles,
    please test this; maybe it will help. It helped me join my ProxySG to the IWA realm after an LDAP problem.

    Proxy failed to join domain (broadcom.com)

    >en
    #conf t
    #(config)security windows-domains
    #(config windows-domains)ldap-ping-protocol tcp

    Best regards,
    Klaus




  • 5.  RE: ProxySG FIPS mode and LDAPS

    Posted Oct 17, 2023 09:23 AM

    Thank you for the response.  I have been able to successfully join the ProxySG to the domain.  It's just having issues with connecting to the DC with LDAPS due to the signed certificate reporting as non-FIPS compliant.  I cannot assign the correct device profile for the LDAPS realm because it's saying it's not allowed in FIPS mode.  I believe it's not allowed because of the certificate issue.  I am 90% sure the certificate is in fact FIPS compliant; it's just that the ProxySG isn't recognizing the compliance.