07-11-2014 12:06 AM
Hi All,
I have a Palo Alto 5050 Active/Active Vwire deployment. The deployment was integrated with Active Directory 2008 R2, but now I installed Active Directory 2012 R2,
but Palo Alto can't see the users in Active Directory 2012 R2.
Any help about that please.
Regards,
07-11-2014 03:38 AM
Which user-id method are you using to get the associations?
Are there any logs or messages in the server event log if you have the local agent, or on the firewall system logs?
07-11-2014 04:01 AM
Hello Steven,
I'm using the PA local agent, and the configuration is below.
When I was using AD 2008 R2 all was working perfectly, but when I migrated to AD 2012 R2 nothing is working, even the Active Directory administrators' login.
Regards,
Maher
07-11-2014 04:27 AM
If even the AD login does not work, I'm thinking this is on the Server side.
On a local install, was the installer run as administrator, and does the agent have administrator rights?
If queried from a remote computer to the AD, has the Windows Server built-in firewall been configured to permit the connection?
07-11-2014 04:40 AM
For the first point, actually that isn't a server-side issue, as the server supports the connection to all other network and security appliances in our organization.
For the agent, I'm using the local PA agent which resides on the appliance and communicates with Active Directory using an admin account, and no firewall is enabled on the Active Directory server.
Regards,
07-11-2014 06:40 AM
Try the IP of your AD as Network Address instead of the FQDN cealad02.centamin.local;
maybe your firewall cannot resolve the FQDN.
Also re-enter your WMI admin credentials
(not in the LDAP Server Profile but in the local User Agent).
If this does not help, open a support case.
Regards
Marco
07-11-2014 06:47 AM
Did you try to enable SSL?
I also noticed that you use Global Catalog ports, is that intended? The LDAP ports are 389 and 636 (SSL).
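The two suggestions above (try the IP instead of the FQDN in case the firewall cannot resolve it, and check whether the configured ports are the plain LDAP ports 389/636 or the Global Catalog ports 3268/3269) are the kind of reachability test worth scripting before reconfiguring the agent. The following Python script is an added example, not code from this thread or from Palo Alto Networks: it resolves the AD host, probes each LDAP/GC port over TCP, and returns a short diagnosis code. The hostname dc.example.local and the 10.0.0.5 address are constructed sample values, and the `resolve`/`connect` parameters are injectable only so the logic can be exercised offline.

```python
import socket
from typing import Callable, Dict

# Standard Active Directory LDAP listeners:
# 389 plain LDAP, 636 LDAP over SSL, 3268 Global Catalog, 3269 GC over SSL.
LDAP_PORTS: Dict[str, int] = {"ldap": 389, "ldaps": 636, "gc": 3268, "gc-ssl": 3269}

ResolveFn = Callable[[str], str]
ConnectFn = Callable[[str, int, float], bool]

# Human-readable advice for each diagnosis code; the codes are this
# example's own convention, not agent or firewall terminology.
ADVICE = {
    "dns-failure": "FQDN does not resolve from here; configure the DC by IP "
                   "or fix DNS on the firewall/agent host.",
    "no-ldap-port-reachable": "No LDAP/GC port answers; check the DC service "
                              "state and any host or network firewall.",
    "gc-reachable": "Global Catalog ports answer; 3268/3269 are valid for a GC.",
    "ldap-only": "Only 389/636 answer; this DC is not a Global Catalog, so "
                 "switch the profile to the plain LDAP ports.",
}


def tcp_connect(ip: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect; True when the three-way handshake completes."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ad_reachability(server: str,
                          ports: Dict[str, int] = LDAP_PORTS,
                          resolve: ResolveFn = socket.gethostbyname,
                          connect: ConnectFn = tcp_connect,
                          timeout: float = 3.0) -> Dict[str, object]:
    """Resolve the AD host, then probe every configured port.

    Returns {"server", "ip", "dns_ok", "ports": {name: reachable}}.
    A DNS failure short-circuits: nothing can be probed without an address.
    """
    result: Dict[str, object] = {"server": server, "ip": None,
                                 "dns_ok": False, "ports": {}}
    try:
        ip = resolve(server)          # socket.gaierror is a subclass of OSError
    except OSError:
        return result
    result["ip"] = ip
    result["dns_ok"] = True
    result["ports"] = {name: connect(ip, port, timeout)
                       for name, port in ports.items()}
    return result


def diagnose(result: Dict[str, object]) -> str:
    """Map a reachability result to one of the ADVICE codes."""
    if not result["dns_ok"]:
        return "dns-failure"
    ports = result["ports"]
    if not any(ports.values()):
        return "no-ldap-port-reachable"
    if ports.get("gc") or ports.get("gc-ssl"):
        return "gc-reachable"
    return "ldap-only"


if __name__ == "__main__":
    # Constructed sample hostname; replace with your own DC's FQDN.
    r = check_ad_reachability("dc.example.local")
    code = diagnose(r)
    print(r)
    print(f"{code}: {ADVICE[code]}")
```

Run it from a host that sits in the same network position as the User-ID agent (or the firewall's management interface), since a DC that resolves and answers from an admin workstation can still be unreachable from the agent's own vantage point.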
07-11-2014 08:55 AM
Hello Marco,
I already tried to set the AD config using the IP address, and it didn't work either, although I checked reachability using the FQDN with ping and it works properly.
And for the admin credentials, they are configured in both the LDAP profile and the local agent.
Regards,
07-11-2014 09:02 AM
Hi Alexa,
No, I'm not using SSL on the servers, so I didn't configure the connection to use SSL. Also, I use the Global Catalog ports because the LDAP server is a GC.
Regards,
Maher
07-11-2014 09:05 AM
Dears,
I would like to know if OS 5.0.9 supports integration with LDAP 2012 R2.
Can anyone provide an article?
Regards,
07-11-2014 03:14 PM
There is no updated documentation for Server 2012. And as you note, the global catalog really has not changed, so there should be no difference for you.
This is the most recently updated User-ID Best Practices from March of 2014, and your GC configuration does seem to match the example.
User-ID Best Practices - PAN-OS 5.0, 6.0
07-11-2014 08:34 PM
Thanks Steven.
I resolved the issue by removing the configuration and configuring it from scratch.
Regards,
Maher