530 Views · 0 Helpful · 1 Replies

Allowing LDAP traffic from Business partner (BP), How to?

Steve Coady
Level 1

Hello

I have a (BP) that uses an application that needs to perform an LDAP query on my domain controller.

The BP is requesting the IP of our Domain controller so they can NAT on their side.

What do I need to implement to accomplish this task?

sMc

1 Reply

Marvin Rhoads
Hall of Fame (Accepted Solution)

The best way to do this is via LDAPS (LDAP over TLS/SSL on TCP port 636) as LDAP (TCP port 389) itself is not inherently secured.

Assuming you do not have a site-to-site VPN tunnel, you set up a static NAT in your edge firewall (or wherever you perform NAT from your private internal network to the public internet). You then create an access-list allowing incoming TCP/636 LDAPS requests from their source IP address.

If you use this approach they do not have to NAT specifically for this use case - they would address your server's public address which has been configured on your edge.
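The static NAT plus access-list that the reply describes, written out as an added example for a Cisco ASA in 8.3+ object-NAT syntax (this is not configuration from the original post or from the poster). Every address here is an assumption using RFC 5737 documentation ranges: 10.0.0.10 stands for the internal domain controller, 203.0.113.10 for the public address you hand to the business partner, and 198.51.100.25 for the partner's source address; the object and ACL names are also made up. The NAT is restricted to TCP/636 so the public address exposes nothing else, and plaintext LDAP on 389 is denied and logged explicitly rather than left to the implicit deny, which gives you a log line if the partner's application is ever misconfigured to use the unencrypted port.

```text
! Internal domain controller, translated to a public address for TCP/636 only
object network dc-ldaps
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10 service tcp 636 636
!
! The business partner's source address (the only peer allowed in)
object network bp-source
 host 198.51.100.25
!
! Inbound policy on the outside interface.
! ASA 8.3+ ACLs reference the real (untranslated) address, hence "object dc-ldaps".
access-list outside_in extended permit tcp object bp-source object dc-ldaps eq 636
access-list outside_in extended deny tcp any object dc-ldaps eq 389 log
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
```

To confirm the policy does what you expect before the partner tests it, run packet-tracer from the ASA against the public address with the partner's source, for example `packet-tracer input outside tcp 198.51.100.25 40000 203.0.113.10 636`, and repeat with port 389 and with a non-partner source address to see those dropped. Note that the domain controller only listens on 636 once it has a server certificate installed; until then the partner's LDAPS connection will be permitted by the firewall but refused by the DC.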
