Configuring the SafeGuard Enterprise Management Center to establish an LDAP over SSL (LDAPS) connection to the Active Directory.
Known to apply to the following Sophos product(s) and version(s)
SafeGuard Management Center / Local Policy Editor
What To Do
Before the SafeGuard Enterprise Management Center can establish an SSL connection to the Active Directory, LDAP over SSL (LDAPS) needs to be configured in the Active Directory environment.
- To prepare the environment for LDAPS using a Microsoft PKI please see: http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx.
- To prepare the environment for LDAPS using a third party PKI please see: http://support.microsoft.com/kb/321051.
After the environment has been prepared for LDAPS, the SafeGuard Management Center's Active Directory connection must be changed to use SSL on port 636 instead of the default (non-SSL) port 389:
- Open the SafeGuard Management Center and navigate to Tools | Options
- Switch to the "Directory" tab
- From the "Existing connections", select the respective Active Directory connection that should be reconfigured to use SSL and click on "Modify". If no Active Directory connection exists, click "Add".
(If you chose "Add", enter the connection details to the Active Directory in the "LDAP Authentication" window)
- Make sure the "SSL logon" box is ticked and the port is configured to "636"
- Click "OK" to confirm the changes.
Hint: By clicking OK, the SafeGuard Enterprise Management Center tries to establish an LDAPS connection to the specified Active Directory. The pop-up "The connection to the requested directory was successful." appears if the LDAPS connection attempt was successful.
"The connection to the requested directory failed. Additional info:The server is not operational" is displayed if the LDAPS connection to the Active Directory was not successful. In that case, make sure that the preparations for LDAP over SSL have been carried out successfully.
The Microsoft tool Netstat can be used to verify that the established connection makes use of the new LDAPS configuration.
- Use the SafeGuard Management Center to establish an LDAPS connection to the Active Directory (e.g. start an Active Directory synchronization process)
- Open a "Command Prompt" with elevated rights
- Call "Netstat -b". The "-b" parameter displays the executable involved in creating each connection or listening port.
- The TCP port listed above the "SafeGuard Management Center.exe" should show up as dc:ldaps.
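The following PowerShell script is an added example (not Sophos code) that automates both checks described above: it first opens a TLS session to the domain controller's LDAPS port and reports the certificate the DC presents together with the chain validation result, then lists the Management Center's established LDAP connections in the same way "Netstat -b" does. The domain controller name is a placeholder to be replaced with your own DC's FQDN; the process name filter assumes the executable is called "SafeGuard Management Center.exe" as stated above.

```powershell
# Added example, not part of the Sophos article. Replace the placeholder DC name.
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [int] $Port = 636
    )
    # Capture the chain validation result so it can be reported instead of hidden.
    $state = @{ Errors = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $cert, $chain, $errors)
        $state.Errors = $errors
        return $true   # accept only to inspect; the errors are surfaced in the output
    }.GetNewClosure()

    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($DomainController, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # The name used here must match the DC certificate (SAN/CN), as it must
        # in the Management Center's connection settings.
        $ssl.AuthenticateAsClient($DomainController)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server      = $DomainController
            Protocol    = $ssl.SslProtocol
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            ChainErrors = $state.Errors   # 'None' means this host trusts the DC certificate
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Equivalent of the "Netstat -b" check: which LDAP ports the Management Center is using.
function Get-ManagementCenterLdapConnections {
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemotePort -in 389, 636 } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Process = $proc.ProcessName
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                Ldaps   = ($_.RemotePort -eq 636)   # $false here means plain LDAP on 389 is still in use
            }
        } | Where-Object { $_.Process -like 'SafeGuard*' }
}

Test-LdapsEndpoint -DomainController 'dc01.example.local'   # placeholder DC name
Get-ManagementCenterLdapConnections
```

A ChainErrors value other than None (for example a name mismatch or an untrusted issuer) on the workstation running the Management Center is the usual reason the "server is not operational" message appears even though port 636 is open.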