S650 on Multiple Domains

Unanswered Question
Jul 31st, 2009


What would be the best practice in deploying WSA to multiple domains?

Are there any requirements for this, like should they be in the same forest?

Or can it be done via IP?

My objective is to control internet traffic from users of adomain.com, bdomain.com, etc.

jowolfer Fri, 07/31/2009 - 15:32

The WSA is able to authenticate across multiple Active Directory forests as long as the domain that the WSA joins has at least a one-way trust with each forest where the users belong.

angfeglandagan Mon, 08/03/2009 - 07:04

Hi Josh,

I got these errors upon doing a query on my LDAP via 3268:

Failure: Unable to fetch user DN information from server ''.Please check the Base DN, User Name Attribute and User Filter values.

Base DN: dc=abc, dc=com
User Name Attribute:sAMAccountName
User Filter Query:None

I tried an LDAP browser with the credentials I got; I was able to browse my AD.

What seemed to be not working?

jowolfer Mon, 08/03/2009 - 15:40


I'm not sure why you are configuring to use your AD server via LDAP. If you wish to use AD with multiple domains across a forest, I recommend using NTLM, not LDAP.

It's possible you could get this working using the LDAP global catalog, but I've always seen it done via NTLM. That and NTLM is a secure protocol and LDAP is not.

angfeglandagan Tue, 08/04/2009 - 04:24

Hi Josh,

My configuration involved an NTLM SSO which is working pretty much.

Now I'd like to add another LDAP for my remaining 2 domains.

Yes, they are in a single forest and can query via ports 3268 and 389.

My problem was using my service account to query the LDAP server: unable to fetch users via LDAP, but communications are successful.

I opened a ticket to support and provided a test account, where the support guy was able to query via the test account.

I tried Softerra LDAP Browser using the service account to query my LDAP and it worked.

I don't know why, on the WSA, it says password error, invalid account, etc.

What could possibly be wrong?

Thank you.


jowolfer Tue, 08/04/2009 - 15:55

Hrm. If the LDAP browser is able to pull the user data, it's most likely that the LDAP configuration on the WSA is incorrect.

Have you double checked the values you're using for the search DN? AD doesn't allow anonymous search.

If so, you may want to file a support ticket so that they can look into this further.
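To make the "unable to fetch user DN" condition concrete, here is an added example (not code from the thread, nor from the WSA) that emulates the lookup an appliance does before authenticating: build the search filter from the User Name Attribute and User Filter Query, normalize the Base DN, and run a subtree search over constructed sample entries. It assumes a global-catalog style search in which an empty Base DN spans every domain in the forest.

```python
# Added example: emulate the user-DN lookup behind the LDAP authentication settings.
# Directory contents are constructed sample data, not a real forest.

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """RFC 4515 escaping so a typed login name cannot rewrite the search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username, name_attr="sAMAccountName", user_filter=None):
    """Filter used to resolve a login name to a DN; user_filter is the optional
    'User Filter Query' (None in the thread) AND-ed onto the name match."""
    term = "(%s=%s)" % (name_attr, escape_filter_value(username))
    return "(&%s%s)" % (term, user_filter) if user_filter else term


def normalize_base_dn(dn):
    """Trim whitespace around RDN separators ('dc=abc, dc=com' -> 'dc=abc,dc=com')."""
    parts = [p.strip() for p in dn.split(",")] if dn.strip() else []
    if any("=" not in p for p in parts):
        raise ValueError("malformed Base DN: %r" % dn)
    return ",".join(parts)


# Constructed entries as a global catalog would expose them: two domains, one forest.
SAMPLE_DIRECTORY = [
    {"dn": "cn=alice,ou=staff,dc=abc,dc=com", "sAMAccountName": "alice"},
    {"dn": "cn=bob,ou=staff,dc=bdomain,dc=com", "sAMAccountName": "bob"},
]


def find_user_dn(directory, base_dn, username, name_attr="sAMAccountName"):
    """Subtree search under base_dn. Returns the single matching DN, or None when
    nothing (or more than one entry) matches, which is what the appliance reports
    as being unable to fetch the user DN."""
    base = normalize_base_dn(base_dn).lower()
    hits = []
    for entry in directory:
        dn = entry["dn"].lower()
        in_scope = base == "" or dn == base or dn.endswith("," + base)
        if in_scope and entry.get(name_attr, "").lower() == username.lower():
            hits.append(entry["dn"])
    return hits[0] if len(hits) == 1 else None
```

Note that a Base DN of dc=abc,dc=com only covers that domain tree: a user from a second tree such as bdomain.com is out of scope unless the search base is widened.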

jowolfer Thu, 08/06/2009 - 15:41

That's odd. I thought that AD supports LDAP 2 and 3. That's a good thing to know. Thanks for sharing your fix!

angfeglandagan Thu, 08/27/2009 - 05:34

My only problem now is I had an NTLM SSO configured and the rest are LDAP.

Users who are logged in to the LDAP were not prompted for a proxy password and had no internet connection.

But if they're not logged in to the domain, it does work.

I'm thinking of removing the NTLM SSO since my S650 is already joined to the domain.

Any thoughts on this?

