https://live.paloaltonetworks.com/t5/general-topics/is-ssl-required-for-363-port-for-ldap-profile/m-p/447474#M100703 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/189528">@HussainMohammed</a> ,</P> <P>&nbsp;Do you mean port 636 - which is default for LDAPS? Or you use custom port 363?</P> <P>Changing only the port in LDAP profile doesn't really enable encryption. Firewall will still try to use plaintext LDAP over 636 if you don't have enabled ssl/tls checkbox. If you want to use encrypted LDAP you need to check the box and put the ports that DC is configured to allow.</P> <P>&nbsp;</P> <P>It is intersting to note what official documentation says about enabling the checkbox and with different ports:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Astardzhiev_0-1636881345097.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37628i2D9AE693490E472A/image-size/medium?v=v2&amp;px=400" role="button" title="Astardzhiev_0-1636881345097.png" alt="Astardzhiev_0-1636881345097.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>The error you receive indicates that firewall is not able to make LDAP queries. There are few reasons, from no network connection between FW and DC, DC requires encryption, to bind credentials are incorrect or lack permissions.</P> <P>&nbsp;</P> <P>- Have you confirm network connectivity between FW and DC? Try to ping DC from firewall.</P> <P>- If you not sure if ping is allowed to DC, it probably better to set a packet capture on the FW. This will show you not only if TCP session is established, but also what reply you get from DC, when bind request is sent.</P> <P>- The easiest way to test connection to LDAP (and not way for user to try to authenticate) is to try to create group mapping and try to expand the domain tree - this way FW will try to pull domain structure from DC over LDAP, which will generate traffic that you can capture.</P> <P>&nbsp;</P> <P>&nbsp;</P> Sun, 14 Nov 2021 09:16:09 GMT aleksandar.astardzhiev 2021-11-14T09:16:09Z https://live.paloaltonetworks.com/t5/general-topics/is-ssl-required-for-363-port-for-ldap-profile/m-p/447351#M100685 <P>Our client has LDAP configured with 363 port, ssl/tls box unchecked. having issue with GP connection, showing error as 'ldap cfg SCB_Group_7 failed to connect to server: Can\'t contact LDAP server'.</P> Sat, 13 Nov 2021 13:14:48 GMT https://live.paloaltonetworks.com/t5/general-topics/is-ssl-required-for-363-port-for-ldap-profile/m-p/447351#M100685 HussainMohammed 2021-11-13T13:14:48Z https://live.paloaltonetworks.com/t5/general-topics/is-ssl-required-for-363-port-for-ldap-profile/m-p/447474#M100703 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/189528">@HussainMohammed</a> ,</P> <P>&nbsp;Do you mean port 636 - which is default for LDAPS? Or you use custom port 363?</P> <P>Changing only the port in LDAP profile doesn't really enable encryption. Firewall will still try to use plaintext LDAP over 636 if you don't have enabled ssl/tls checkbox. If you want to use encrypted LDAP you need to check the box and put the ports that DC is configured to allow.</P> <P>&nbsp;</P> <P>It is intersting to note what official documentation says about enabling the checkbox and with different ports:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Astardzhiev_0-1636881345097.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37628i2D9AE693490E472A/image-size/medium?v=v2&amp;px=400" role="button" title="Astardzhiev_0-1636881345097.png" alt="Astardzhiev_0-1636881345097.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>The error you receive indicates that firewall is not able to make LDAP queries. There are few reasons, from no network connection between FW and DC, DC requires encryption, to bind credentials are incorrect or lack permissions.</P> <P>&nbsp;</P> <P>- Have you confirm network connectivity between FW and DC? Try to ping DC from firewall.</P> <P>- If you not sure if ping is allowed to DC, it probably better to set a packet capture on the FW. This will show you not only if TCP session is established, but also what reply you get from DC, when bind request is sent.</P> <P>- The easiest way to test connection to LDAP (and not way for user to try to authenticate) is to try to create group mapping and try to expand the domain tree - this way FW will try to pull domain structure from DC over LDAP, which will generate traffic that you can capture.</P> <P>&nbsp;</P> <P>&nbsp;</P> Sun, 14 Nov 2021 09:16:09 GMT https://live.paloaltonetworks.com/t5/general-topics/is-ssl-required-for-363-port-for-ldap-profile/m-p/447474#M100703 aleksandar.astardzhiev 2021-11-14T09:16:09Z https://live.paloaltonetworks.com/t5/general-topics/is-ssl-required-for-363-port-for-ldap-profile/m-p/447533#M100711 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/189528">@HussainMohammed</a>,</P> <P>Another thing to check outside of what&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70130">@aleksandar.astardzhiev</a>&nbsp;mentioned is that you aren't dropping the LDAPS traffic on the firewall itself if your management interface traffic has to route through security zones. The firewall will see LDAPS traffic as standard SSL traffic, so you'll either need to create an application-override entry, a custom app-id, or just allow ssl over 636/tcp in your security rulebase.</P> <P>I've seen a lot of people spend a lot of time troubleshooting LDAPS issues without verifying that the traffic is actually getting allowed.</P> Mon, 15 Nov 2021 03:58:17 GMT https://live.paloaltonetworks.com/t5/general-topics/is-ssl-required-for-363-port-for-ldap-profile/m-p/447533#M100711 BPry 2021-11-15T03:58:17Z