
TZ300 LDAP to Windows 2012 server only works on port 389

Trying to connect SonicWall to LDAP of 2012 server over TLS - port 636. When I try the connectivity test, I get "Error connecting to LDAP server".

If I set to 389 port, it works, but not on 636. I have read several notes regarding needing the certificate authority setup on the server, but I still have not got it to work. Not sure what I am missing.

On the server, if I run the ldp.exe utility, it also can't connect on 636, so I assume my issue is on the server. But, I thought I would post here to see if anyone else had this issue.

Category: Entry Level Firewalls

Answers

  • Ajishlal (All-Knowing Sage ✭✭✭✭)

    Hi @RandyKane,

    LDAPS communication occurs over port TCP 636. LDAPS communication to a global catalog server occurs over TCP 3269. When connecting to ports 636 or 3269, SSL/TLS is negotiated before any LDAP traffic is exchanged.

    Please follow the KB below to achieve this:


    Once you have configured the LDAP over SSL port (636), try to connect from the SonicWall.

  • preston (Enthusiast ✭✭)

    Hi @RandyKane, have you made sure that the Require Valid Certificate option is disabled, like below, under the LDAP/General Settings?

    If not, disable it and try again. This is the most common issue with LDAPS setup on the SonicWall.



  • Ajishlal (All-Knowing Sage ✭✭✭✭)

    Hi @preston

    As per his statement above, port 636 is not able to connect from the server itself. If he wants to use LDAP over TLS, he must configure the server first and enable the required ports.

  • Ajishlal, yes, that is my thinking as well, that it is the server. I was just hoping someone could give me feedback on that process. I had set up a Certificate Authority on the server and saw some other notes regarding this, but nothing has worked yet, so I am sure I am missing something.

  • Ajishlal (All-Knowing Sage ✭✭✭✭)

    Hi @RandyKane ,

    May I know whether you imported the certificate from the LDAP server into the SonicWall?

    If not, please follow the KB below:


  • I did import the cert; however, I am not sure if I missed something or used the wrong cert. I did see this note, but I will try again and see if I missed anything. Thanks.

  • preston (Enthusiast ✭✭)

    Hi @RandyKane, I presume you have rebooted the server after setting up the certificate; you will need to do this for LDAPS to work.

    What firmware are you on on the SonicWall? Did you also check that it works using 389 first?

    You shouldn't need to import the certificate into the SonicWall, as long as you untick what I mentioned in my previous comment.

    Can you put your LDAP settings up here (obviously obfuscate any personal details)? I can tell you where you are going wrong then.

  • I actually may not have rebooted after installing the CA; it didn't state that it needed to be. I did uninstall that role, reboot, and reinstall the role. It still didn't work after that. However, I switched to 389, made some other changes and was finally able to get everything working. Not sure I want to continue trying to get TLS working. This is a small shop and I am not overly concerned about the connection. I will see if I can post the info later today, as I am still interested in getting this running for another client.

  • I figured it out. Kind of a dumb mistake, but for someone who doesn't do this often, I can see the mistake happening. On the SonicWALL, under the LDAP settings, the "Name or IP Address" setting was set to an IP, for example 192.168.1.3. I changed it to the FQDN and it worked, for example server.domain.local. I am guessing that it has to match the certificate. So not sure why it would give the option of an IP? Can certificates be IP based? Why would you do that? Thanks all for the help.
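    The post above lands on the real cause: once the firewall validates the server certificate, the value in "Name or IP Address" is compared against the names the certificate carries, and a domain controller certificate normally carries only the DNS name (an X.509 certificate can carry an IP address in an iPAddress SAN, so IP-based certificates do exist, but an AD CS domain-controller template does not issue one by default). The following is an added example, not SonicWall's or any poster's code. It reproduces the name-matching rules a TLS client applies (RFC 6125 style) so that the IP-versus-FQDN failure can be reasoned about offline, and it includes a helper that fetches the certificate over an implicit-TLS connection to port 636, which is what the earlier answer about LDAPS negotiating TLS before any LDAP traffic describes. The certificates, the hostnames `server.domain.local` / `dc01.domain.local`, the address `192.168.1.3` and the `cafile` path are all constructed for the example.

```python
"""Does the name configured on the firewall match the LDAPS server certificate?

Added example (not SonicWall's or the thread's code). It reproduces the
certificate name-matching rules a TLS client applies, so you can see why
"192.168.1.3" fails against a domain-controller certificate that only
carries a dNSName SAN, while "server.domain.local" succeeds.
"""
import ipaddress
import socket
import ssl


def _dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, a single '*' allowed only
    as the whole leftmost label, and it must cover exactly one non-empty label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]


def name_matches_certificate(configured, cert):
    """Return (ok, reason) for the value typed into the firewall's
    "Name or IP Address" field, checked against a certificate in the dict
    format that ssl.SSLSocket.getpeercert() returns."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]

    try:
        addr = ipaddress.ip_address(configured)
    except ValueError:
        addr = None

    if addr is not None:
        # An IP literal is only matched against iPAddress SAN entries; the
        # subject CN is never consulted for IPs.
        for candidate in ip_names:
            try:
                if ipaddress.ip_address(candidate) == addr:
                    return True, "%s is listed as an iPAddress SAN" % addr
            except ValueError:
                continue
        return False, ("%s is not among the certificate's iPAddress SANs %s; "
                       "configure the FQDN instead" % (addr, ip_names or "(none)"))

    for candidate in dns_names:
        if _dns_name_matches(candidate, configured):
            return True, "%s matches dNSName SAN %s" % (configured, candidate)
    if not dns_names:
        # Legacy fallback: the subject CN counts only when the certificate
        # has no dNSName SAN entries at all.
        common_names = [value for rdn in cert.get("subject", ())
                        for kind, value in rdn if kind == "commonName"]
        for candidate in common_names:
            if _dns_name_matches(candidate, configured):
                return True, "%s matches subject CN %s (no SAN present)" % (configured, candidate)
    return False, "%s matches neither dNSName SANs %s nor the CN" % (configured, dns_names or "(none)")


def fetch_peer_certificate(host, port=636, cafile=None, timeout=5.0):
    """Open an LDAPS (implicit TLS, no StartTLS) connection and return the
    server certificate as a dict. `cafile` is the PEM export of the domain
    CA that issued the DC certificate (path is an assumption supplied by the
    caller). Hostname checking is switched off here on purpose so that a
    mismatched name is explained by name_matches_certificate() instead of
    being a bare handshake failure; chain validation stays on.
    Not executed in this example because it needs a reachable server."""
    context = ssl.create_default_context(cafile=cafile)
    context.check_hostname = False  # name check is done by name_matches_certificate()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() shape (not real DC certs).
DC_CERT_DNS_ONLY = {
    "subject": ((("commonName", "server.domain.local"),),),
    "subjectAltName": (("DNS", "server.domain.local"), ("DNS", "domain.local")),
}
DC_CERT_WITH_IP = {
    "subject": ((("commonName", "server.domain.local"),),),
    "subjectAltName": (("DNS", "server.domain.local"), ("IP Address", "192.168.1.3")),
}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.domain.local"),)}
CN_ONLY_CERT = {"subject": ((("commonName", "dc01.domain.local"),),)}


if __name__ == "__main__":
    for configured, cert in (("192.168.1.3", DC_CERT_DNS_ONLY),
                             ("server.domain.local", DC_CERT_DNS_ONLY),
                             ("192.168.1.3", DC_CERT_WITH_IP)):
        print(configured, "->", name_matches_certificate(configured, cert))
```

    Two practical notes. First, the earlier suggestion to untick "Require Valid Certificate" makes the firewall skip this check entirely, which is why an IP in that field appeared to work for some people; it also means the firewall will accept any certificate on port 636, so the FQDN plus a validated certificate is the configuration worth keeping. Second, an IP literal cannot be sent as a TLS SNI name, so even a server that hosts several certificates can only pick the right one when the firewall connects by FQDN.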

  • preston (Enthusiast ✭✭)

    Hi @RandyKane, yes, you can use either IP or FQDN. If using FQDN, you will have to make sure that under Network/DNS your internal server is in the entries; otherwise you may get issues if the SonicWall can't resolve the name of your domain. This document explains all that. It is not using LDAPS and is using more than one domain, but the process is the same for one domain or multiple:

    https://www.sonicwallonline.co.uk/kbase/article/attachment/id/9/
