Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Directory Connector vs. 2020 LDAP channel binding and LDAP signing requirement for Windows

BWCBWC Cybersecurity Overlord ✭✭✭

Hi,

this question affects all ranges of SonicWall Firewalls, but I had to go with one category.

I'am just checking the impact of the upcoming "2020 LDAP channel binding and LDAP signing requirement for Windows" from Microsoft scheduled for March 2020.

If I understand this correctly and LDAPS (636) becomes mandatory as the new default. Group lookups from the Firewall need to be configured accordingly if LDAP (389) is still used.

But how about the Directory Connector? It seems that this is not configurable and the Agent is using LDAP internally AFAIK.

How should this be addressed, will there be an option to still provide LDAP (389) which is not a favorable solution or will there be a new Directory Connector? Or am I completely mistaken?

--Michael@BWC

Category: Mid Range Firewalls
Reply

Answers

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Found this KB article after posting my question but this does not cover Firewalls and/or Directory Connector. 😥

    https://www.sonicwall.com/support/knowledge-base/impact-for-ldap-channel-binding-and-ldap-signing-requirements/200120020104096/

  • ChrisChris Administrator
    edited February 12

    Hi @BWC

    I am reaching out to some our Firewall experts for you. Expect an update shortly.

    As far as having to choose one category when it applies to all firewalls. We are definitely open to feedback and ideas for changing the categories around to make it easier. The pilot is a perfect opportunity to test and see what could be improved.

    Community Manager of SonicWall. Feel free to @Chris if you have any questions or concerns about the community.

  • AceHigh124AceHigh124 SonicWall Employee

    Hi Michael


    That is a good question & I am curious to see what Chris can determine...

    IF i am understanding your question correctly, I believe the Directory Connector shooould already support LDAPS (636) OR LDAPS (3269), providing for a secured connection... There should be no need for a "new" directory connector...

    Forgive me if i am misunderstanding, and really enjoying the new community!


    Bill (AceHigh124)

    Bill Sauer | [email protected]

    SonicWALL, U.S.A. | Tempe, AZ

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi Bill,

    I'am running Directory Connector 4.1.10 on a W2K12 R2 Server and captured traffic from the Directory Connector process to my Domain Controller on Port 389. There is no specific configuration option how the SSOAgent is talking to the AD, maybe it's hardwired?

    --Michael@BWC

  • KaranMKaranM Moderator

    Hi @BWC ,


    Actually, the Agent is not using LDAP internally.SonicWall Directory Connector Services provides an option for the Agent to identify user information using the following methods:


    • DC Security Log, users will be identified from the Domain Controller's Windows Security Log; use this option if all users log into the domain. The Agent uses Event log subscription, DC server sessions or polling of the event log.
    •  Probe client using NETAPI first and then WMI.
    • Probe client using WMI first and then NET API.

    Knowledge Management Senior Analyst at SonicWall.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @Karan1234,

    good to know, then I probably fooled myself somehow while doing the trace, maybe something else cause the LDAP lookup.

    Best regards.

    --Michael@BWC

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi all,

    it seems I wasn't mistaken and the LDAP packets I saw were real, happens only when adding a new DC.

    The latest Directory Services Connector 4.1.17 (released March 3rd 2020) marked this as fixed:

    The SSO Agent uses clear text LDAP packets when agent is trying to connect to a DC. Occurs when the user is adding a new DC in the configuration tool. Issue ID #222558

    4.1.17 is the way to go, and a new Linux version is available as well 😀

    --Michael@BWC

  • AceHigh124AceHigh124 SonicWall Employee

    @BWC Thanks for the clarification!

    Bill Sauer | [email protected]

    SonicWALL, U.S.A. | Tempe, AZ

Sign In or Register to comment.