Configuring Active Directory/LDAP over TLS (Certificate)

04/18/2021 787 People found this article helpful 145,954 Views


    Description

    This article explains how to integrate a SonicWall appliance with an LDAP directory service, such as Windows Active Directory, using SSL/TLS. The procedure has three parts:

    • Install a server certificate on the LDAP server.
    • Install the Certificate Authority (CA) certificate of the issuing CA on your SonicWall appliance.
    • Configure the SonicWall appliance for LDAP over SSL/TLS.

    A prerequisite is configuring the Domain Controller (DC) server for certificate management so that it can establish SSL/TLS sessions with the SonicWall appliance. To achieve this, install a certificate, e.g. mycert.pfx, on the DC. Such a file contains both the private key and the public key certificate. While a certificate can be purchased from a public Certificate Authority (CA), a certificate issued by a CA in Active Directory Certificate Services or by OpenSSL can be created and used for this purpose.

    Next, configure the SonicWall appliance for LDAP over SSL/TLS. As part of this, export the CA's public key certificate from the DC and import it onto the SonicWall appliance so that the appliance can validate the server certificate.

    Resolution

    NOTE: In this article, Windows Server 2003 is used for both the Certificate Authority and Active Directory. If you are using a Windows Server version other than 2003, please check the Microsoft site for configuring the CA and Active Directory; the steps on SonicOS Enhanced remain the same.

    The following procedures describe how to configure LDAP over TLS.

    Configuring the CA on the Active Directory (Windows 2003 Server)

    To configure the CA on the Active Directory server (skip these steps if Certificate Services are already installed):

    1. Navigate to Start | Settings | Control Panel | Add/Remove Programs.
    2. Select Add/Remove Windows components.
    3. Select Certificate Services.
    4. Select Enterprise Root CA when prompted.
    5. Enter the requested information. For information about certificates on Windows systems, see http://support.microsoft.com/kb/931125.

    Exporting the CA Certificate from the Active Directory Server

    To export the CA certificate from the AD server:

    1. Launch the Certification Authority application: Start | Run | certsrv.msc.
    2. Right-click on the CA you created and select Properties.
    3. On the General tab, click View Certificate.
    4. On the Details tab, select Copy to File.
    5. Follow the wizard and select the DER encoded binary X.509 (.cer) format.
    6. Click Browse and specify a path and filename to which to save the certificate.
    7. Click Next, then click Finish.



    Importing the CA Certificate onto the SonicWall

    To import the CA certificate onto the SonicWall:

    1. Navigate to Manage | System Setup | Appliance | Certificates.
    2. Select Import a CA certificate from a PKCS#7 (.p7b), PEM (.pem) or DER (.der or .cer) encoded file.
    3. Choose the certificate file (in this example, pluto-cert.cer).
    4. Click Import.
    5. Once the CA root certificate is imported, it is listed under Manage | System Setup | Appliance | Certificates | Imported Certificates.

     

    Configuring LDAP settings on the SonicWall Appliance

    1. Navigate to Manage | System Setup | Users | Settings. In the User authentication method drop-down list, select LDAP + Local Users and click Configure LDAP.

    2. In the LDAP Configuration window that opens, click ADD to set up a new LDAP server, then fill in the following settings.

     

    • Name or IP address: The FQDN or IP address of the LDAP server against which you wish to authenticate. When using an FQDN, be certain that it can be resolved by your DNS server. Using the server's name rather than its IP address is recommended, because certificate validation matches this name against the name on the server certificate.
    • Port Number: The default LDAP over TLS port number is TCP 636.
    • Server timeout (seconds): The amount of time, in seconds, that the SonicWall will wait for a response from the LDAP server before timing out. The allowable range is 1 to 99999, with a default of 10 seconds.
    • Overall operation timeout (minutes): 5 (default).
    • Use TLS (SSL): Use Transport Layer Security (SSL) to log in to the LDAP server. It is strongly recommended that TLS be used to protect the username and password information that will be sent across the network (as shown in the diagram below). Most modern LDAP server implementations, including Active Directory, support TLS. Deselecting this default setting displays an alert that you must accept to proceed.
    • Send LDAP Start TLS Request: Some LDAP server implementations support the Start TLS directive rather than native LDAP over TLS. This allows the LDAP server to listen on one port (normally 389) for LDAP connections and to switch to TLS as directed by the client. Active Directory does not use this option, and it should only be selected if required by your LDAP server.
    • Require valid certificate from server: Validates the certificate presented by the server during the TLS exchange, matching the name specified above to the name on the certificate. Deselecting this default option presents an alert; exchanges between the SonicWall and the LDAP server will still use TLS, but without validating the server's certificate.
    • Anonymous Login: Some LDAP servers allow the tree to be accessed anonymously. If your server supports this (Active Directory generally does not), you may select this option.
    • Give login name/location in tree: Specify a user name that has rights to log in to the LDAP directory; any account with LDAP read privileges will do. The login name is automatically presented to the LDAP server in full DN notation. Administrative privileges are not required.

      NOTE: This is the user's display name, not their login ID.

    • Give bind distinguished name: Alternatively, supply the full user DN. EXAMPLE: CN=pluto_admin admin,CN=Users,DC=pluto,DC=edu.
    • Password: The password for the user account specified above.
    • Select Bind with this account.

     


    On the Schema tab

    • Select the LDAP schema, EXAMPLE: Microsoft Active Directory. Additionally, you may update the schema by clicking READ FROM SERVER followed by Automatically update the server's schema configuration.

    On the Directory tab

    • Primary domain: The domain used by your LDAP implementation.
    • Trees containing users: Click AUTO-CONFIGURE followed by Replace existing trees and START (in the pop-up windows). This updates the user trees used for login to the server.

      NOTE: If you want your previous trees to be appended rather than replaced, choose that in the last option.

    In the General Settings tab of the LDAP Configuration window, select:

    • Protocol version: LDAP version 3.
    • Require valid certificate from server when using TLS.
    • Local certificate for TLS: Optional; to be used only if the LDAP server requires a client certificate for connections. Useful for LDAP server implementations that return passwords, to ensure the identity of the LDAP client (Active Directory does not return passwords). This setting is not required for Active Directory. Leave this option set to None.
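    The checks below, written for this article and not part of SonicOS or any SonicWall tool, let an administrator sanity-check the values entered above before clicking Test: the exported DER (.cer) CA file is re-encoded as PEM, the bind DN is parsed and its DC components compared with the Primary domain, the port is checked against the LDAP over TLS default, and a TLS context is built with the same meaning as "Use TLS" plus "Require valid certificate from server" (chain must lead to the imported CA, name must match the certificate). The host name and CA file path are assumptions; the DN is the article's example.

```python
import re
import socket
import ssl

def der_to_pem(der_bytes: bytes) -> str:
    """Re-encode the DER (.cer) export from the certsrv wizard as PEM text."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)

def parse_dn(dn: str) -> list:
    """Split an LDAP DN into (ATTR, value) pairs; backslash-escaped commas stay in the value."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs

def domain_from_dn(dn: str) -> str:
    """Join the DC components in order: ...,DC=pluto,DC=edu -> pluto.edu."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")

def check_bind_settings(bind_dn: str, primary_domain: str, port: int) -> list:
    """Return a list of configuration problems; an empty list means the settings agree."""
    problems = []
    pairs = parse_dn(bind_dn)
    if not pairs or pairs[0][0] != "CN":
        problems.append("bind DN must start with the account's CN (full DN notation)")
    if domain_from_dn(bind_dn).lower() != primary_domain.lower():
        problems.append("DC components of the bind DN do not match the primary domain")
    if port != 636:
        problems.append("LDAP over TLS normally uses TCP 636; 389 is plain LDAP / Start TLS")
    return problems

def ldaps_context(ca_pem: str = None) -> ssl.SSLContext:
    """TLS settings equivalent to 'Use TLS' + 'Require valid certificate from server'."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if ca_pem:
        ctx.load_verify_locations(cadata=ca_pem)  # trust the exported CA
    return ctx

def probe_ldaps(host: str, ca_pem: str, port: int = 636) -> dict:
    """Open the TLS session the appliance would open; return the server cert's subject.
    Network call, so it is not part of the offline checks. Assumed host name: dc.pluto.edu."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with ldaps_context(ca_pem).wrap_socket(sock, server_hostname=host) as tls:
            return dict(rdn[0] for rdn in tls.getpeercert()["subject"])

if __name__ == "__main__":
    print(check_bind_settings("CN=pluto_admin admin,CN=Users,DC=pluto,DC=edu", "pluto.edu", 636))
```

A mismatch between the DC components and the Primary domain, or a bind DN that is a display name rather than a full DN, is a common reason the Test tab fails even though the TLS session itself succeeds.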


     

    On the Users & Groups tab

    • Default LDAP User Group: Trusted Group.
    • Click OK, which opens a window where you can choose which groups to import.

    Test

    • The LDAP Configuration window allows you to test LDAP user authentication.

    • SonicOS 6.5 adds a newer LDAP Test feature that can perform an LDAP search for a user or user group.

    Further Reading:

    • LDAP Troubleshooting
    • Setup LDAP with Global VPN Client
    • Setup LDAP for SSL VPN Users
    • LDAP Setup (Help-SonicWall)
    • LDAPS with 2008 Windows server
    • LDAP with two AD Domains

    Related Articles

    • Configuring SNMP in SonicOS
    • Why is SonicWall blocking access to websites?
    • Generate New SSL certificate for SonicWall Firewall

    Categories

    • Firewalls > NSa Series > User Login
    • Firewalls > NSv Series > User Login
    • Firewalls > TZ Series > User Login

    © 2022 SonicWall. All Rights Reserved.