
Configure an Endian VPN Using Active Directory Server with LDAP Over SSL (LDAPS)

Versions 3.0 & 5.0

Applies to Platform: UTM 3.0, 4i Edge 3.0, UTM 5.0, 4i Edge 5.0
Last Update: 21 November 2020

This configuration guide will illustrate how to install and configure an Endian VPN using Active Directory Server with LDAP Over SSL (LDAPS).

Scope: To harden VPN authentication, the communication between the Endian appliance and Active Directory must be encrypted by running the LDAP protocol over SSL/TLS (LDAPS). LDAPS listens on TCP port 636 and relies on an X.509 certificate issued to the domain controller by a certification authority (CA); the Endian appliance must trust that CA, otherwise the secure connection is rejected. Without LDAPS, the bind credentials and the user data would travel in clear text between the appliance and the domain controller.

Tutorial structure

This tutorial covers the complete procedure: installing Active Directory and a certification authority, testing the LDAP over SSL (LDAPS) connection, exporting the CA certificate and configuring the Endian appliance to authenticate VPN users over LDAPS. Depending on what you already have in place, jump to the relevant step below.

Active Directory Server installation and configuration

Step one: Installing and configuring Active Directory Domain Controller Server.

Note

If you already have an Active Directory Domain Controller Server installed and configured, you may skip this part of the tutorial.

  1. Open the Server Manager application on your domain controller server. Access the Manage menu and click on Add Roles and Features.

    mceclip1.png

  2. This is an information screen. You can read and click on the Next button.

    mceclip2.png

  3. For a single server configuration select Role-based or feature-based installation and click the Next button.

    mceclip3.png

  4. Select a server from the pool and click the Next button.

    mceclip4.png

  5. On the Server Roles screen, select Active Directory Domain Services and click on the Next button.

    mceclip5.png

  6. On the following screen, click on the Add Features button.

    mceclip6.png

  7. On the following screen, click on the Next button.

    mceclip7.png

  8. On the following screen, click on the Next button.

    mceclip8.png

  9. On the confirmation screen, click on the Install button.

    mceclip9.png

  10. Wait for the Active Directory installation to finish and click the Close button.

    mceclip10.png

  11. Open the Server Manager application. Click on the yellow flag menu and click the option to Promote this server to a domain controller.

    mceclip11.png

  12. Select the option to Add a new forest, enter a root domain name and click Next button. In our example, we created a new domain named: endian.local.

    mceclip12.png

  13. Enter the Directory Services Restore Mode (DSRM) password, which is required to restore Active Directory offline, and click the Next button.

    mceclip13.png

  14. On the DNS options screen, click on the Next button.

    mceclip14.png

  15. Verify the NetBIOS name assigned to your domain and click on the Next button.

    mceclip15.png

  16. On the Paths options screen, click on the Next button.

    mceclip16.png

  17. Review your configuration options and click on the Next button.

    mceclip17.png

  18. On the Prerequisites Check screen, click on the Install button.

    mceclip18.png

Note

After the installation finishes, the server restarts automatically. The Active Directory configuration on Windows Server is now complete.
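The same forest can be created unattended. The script below is an added example and is not part of the Endian article; it assumes the article's example forest name endian.local, the NetBIOS name ENDIAN and an elevated PowerShell session on a freshly installed Windows Server. It runs the prerequisite check (the equivalent of item 18) before promoting the server.

```powershell
# Added example, not taken from the Endian article: unattended equivalent of step one.
# Assumptions: forest 'endian.local', NetBIOS name 'ENDIAN', elevated session on a
# fresh Windows Server that should become the first domain controller.

# Install the AD DS binaries together with the management tools (items 1-10).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# The DSRM password protects offline restores of the directory (item 13).
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode (DSRM) password' -AsSecureString

# Run the prerequisite checks first; this is the screen shown in item 18.
Test-ADDSForestInstallation -DomainName 'endian.local' `
    -SafeModeAdministratorPassword $dsrm `
    -InstallDns

# Promote the server and create the new forest (items 11-18). DNS is installed
# with the domain, as in item 14. -Force skips the confirmation prompt; the
# server reboots on its own when promotion completes.
Install-ADDSForest -DomainName 'endian.local' `
    -DomainNetbiosName 'ENDIAN' `
    -SafeModeAdministratorPassword $dsrm `
    -InstallDns `
    -Force
```

Run it once; if the prerequisite check reports errors (for example a dynamic IP address or a missing DNS delegation warning you want to resolve), fix them before the Install-ADDSForest call, since that step is the one that cannot be undone without demoting the server.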

 

Certification Authority Installation and Configuration for Active Directory Domain Controller Server

Step two: Installing and configuring the Windows Certification Authority service. The local certification authority issues the domain controller a server-authentication certificate, which is what allows the LDAPS service to listen on TCP port 636. In step five the Endian appliance will be configured to trust this CA, so the domain controller's certificate is accepted.

  1. Open the Server Manager application. Access the Manage menu and click on Add Roles and Features.

    mceclip19.png

  2. This is an information screen. You can read and click on the Next button.

    mceclip20.png

  3. For a single server configuration select Role-based or feature-based installation and click the Next button.

    mceclip21.png

  4. Select a server from the pool and click Next button.

    mceclip22.png

  5. Access the Server role screen, select the Active Directory Certificate Services and click on the Next button.

    mceclip23.png

  6. On the following screen, click on the Add Features button.

    mceclip24.png

  7. On the following screen, click on the Next button.

    mceclip25.png

  8. On the following screen, click on the Next button.

    mceclip26.png

  9. Select the Certification Authority role service and click on the Next button.

    mceclip27.png

  10. On the confirmation screen, click on the Install button.

    mceclip28.png

  11. Wait for the Certification Authority installation to finish and click the Close button.

    mceclip29.png

  12. Open the Server Manager application. Click on the yellow flag menu and click the option to Configure Active Directory Certificate Services.

    mceclip30.png

  13. On the Credentials screen, click on the Next button.

    mceclip31.png

  14. Select the Certification Authority option and click on the Next button.

    mceclip32.png

  15. Select the Enterprise CA option and click on the Next button.

    mceclip33.png

  16. Select the Root CA option and click on the Next button.

    mceclip34.png

  17. Select the Create a new private key option and click on the Next button.

    mceclip35.png

  18. Keep the default cryptography configuration and click on the Next button. Before continuing, verify that the hash algorithm is SHA256 (older Windows Server releases default to SHA1) and that the key length is at least 2048 bits, because these settings determine the strength of every certificate this CA issues, including the domain controller's.

    mceclip36.png

  19. Set a common name for the certification authority and click on the Next button. In our example, we set the common name: endian-PDC-CA.

    mceclip37.png

  20. Set the Windows Certification authority validity period and click on the Next button.

    mceclip38.png

  21. Keep the default Windows Certification authority database location and click Next button.

    mceclip39.png

  22. Verify the summary and click on the Configure button.

    mceclip40.png

  23. Wait for the Windows server certification authority installation to finish and click Close button.

    mceclip41.png

Note

After the certification authority installation finishes, reboot the server. The reboot lets the domain controller enroll for its own server-authentication certificate from the new CA through automatic enrollment; until that certificate is in place, port 636 does not answer. The Windows Certification authority installation is now complete.
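The CA can also be installed from PowerShell, and the domain controller's certificate enrollment can be triggered and verified without waiting for a reboot. This is an added example, not part of the Endian article; it assumes the article's CA name endian-PDC-CA, a five-year CA validity, and that it runs as an Enterprise Admin on the domain controller that will host the CA.

```powershell
# Added example, not taken from the Endian article: unattended equivalent of step two.
# Assumptions: CA common name 'endian-PDC-CA' (the article's example), 5-year CA
# validity, run as Enterprise Admin on the domain controller that becomes the CA.

# Install the AD CS role with its management tools (items 1-11).
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Configure an Enterprise Root CA with a new RSA-2048 key and SHA-256 (items 12-23).
# An Enterprise CA is required: it publishes the 'Domain Controller' certificate
# template in Active Directory, which is what the DC enrolls against.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'endian-PDC-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force

# The DC enrolls for its certificate on the next policy refresh. Trigger that
# now instead of rebooting, then confirm a certificate with the Server
# Authentication EKU (1.3.6.1.5.5.7.3.1) exists in the machine store; that is
# the certificate LDAPS will present on port 636.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' } |
    Format-Table Subject, Issuer, NotAfter, Thumbprint -AutoSize
```

If the final table is empty, the DC has not enrolled yet; wait a few minutes and repeat the last two commands, or reboot as the note above describes. The Issuer column should show the CA name you chose, which is the certificate you will export in step four.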

 

Testing the LDAP over SSL communication

Step three: You need to test whether your domain controller is offering the LDAP over SSL service on port 636. The test uses the LDP tool (ldp.exe), which is installed with the Active Directory management tools.

  1. Open LDP (ldp.exe), access the Connection menu and select Connect. Connect to the domain controller (its FQDN or localhost) on TCP port 389 and click the OK button. The connection should succeed; this confirms that plain LDAP is answering and gives a baseline before testing the encrypted port.

    mceclip42.png
    mceclip43.png

  2. Now test whether the domain controller is also offering LDAP over SSL on port 636. Open a new LDP window, connect to the domain controller (its FQDN or localhost) on TCP port 636 with the SSL option enabled and click the OK button. The connection should succeed. If it fails while port 389 works, the domain controller has not yet obtained a server-authentication certificate from the CA installed in step two (allow time for automatic enrollment or reboot the domain controller), or the certificate is not trusted by the host you are testing from.

    mceclip44.png
    mceclip45.png

Exporting Active Directory certificate for LDAPS connection

Step four: To set up the LDAP over SSL connection for VPN authentication on the Endian appliance, the appliance must trust the certification authority that issued the domain controller's certificate. The certificate to export is therefore the CA's own certificate created in step two, not the domain controller's server certificate.

This step shows how to export that CA certificate so that it can be uploaded to the Endian appliance, which needs it to validate the LDAPS connection to the AD server.

  1. Open Certification Authority from Programs menu or by running the command certsrv.msc in Run application and click OK button.

    mceclip46.png

  2. Right-click on the name of the certification authority, and select Properties.

    mceclip47.png

  3. The General tab lists the CA certificates (more than one appears if the CA has been renewed). Select the current certificate and click View Certificate. This opens the selected certificate.

    mceclip48.png

  4. In the Details tab, select Copy to File. This will open Certificate Export Wizard.

    mceclip49.png

  5. This is an information screen. You can read and click on the Next button.

    mceclip50.png

  6. Select Base-64 encoded X.509 (.CER) as the Export File Format and click the Next button. This produces a PEM-formatted file, which is the format used for the upload in step five.

    mceclip51.png

  7. Specify a file path and a name for the certificate file and click Next button.

    mceclip52.png

  8. To complete the export, click Finish button. A dialog box will appear to inform the export was successful and click OK button.

    mceclip53.png
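Steps three and four can be checked together from a domain-joined Windows host: fetch the certificate the domain controller presents on port 636, export the CA certificate in Base64, and confirm that the LDAPS certificate really chains to the exported CA and carries the name you intend to put in the Endian LDAP server URI. The script is an added example and is not part of the Endian article; the domain controller name pdc.endian.local, the CA name endian-PDC-CA and the output path C:\Temp are assumptions, and the CA export requires permission to read the CA configuration (on the CA itself, the -config argument can be omitted).

```powershell
# Added example, not taken from the Endian article. Inspects the LDAPS certificate
# (step three), exports the Enterprise CA certificate in Base64 (step four) and
# verifies chain and host name. Assumed names: DC 'pdc.endian.local', CA
# 'endian-PDC-CA', output file 'C:\Temp\endian-PDC-CA.cer'.
param(
    [string]$DomainController = 'pdc.endian.local',
    [string]$CaName           = 'endian-PDC-CA',
    [string]$OutFile          = 'C:\Temp\endian-PDC-CA.cer'
)
$ErrorActionPreference = 'Stop'

# LDAPS is TLS from the first byte, so a bare TLS handshake returns the server
# certificate without any LDAP traffic. Validation is skipped here ({ $true })
# only because the chain is verified explicitly further down.
function Get-LdapsCertificate {
    param([string]$Server, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Server)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

$leaf     = Get-LdapsCertificate -Server $DomainController
$dnsNames = @($leaf.DnsNameList | ForEach-Object { $_.Unicode })   # SAN DNS entries
"LDAPS certificate on ${DomainController}:636"
"  Subject  : $($leaf.Subject)"
"  Issuer   : $($leaf.Issuer)"
"  Expires  : $($leaf.NotAfter)"
"  DNS names: $($dnsNames -join ', ')"

# Export the CA certificate (DER) and convert it to Base64/PEM, the same format
# the wizard produces in item 6 and the one uploaded to Endian in step five.
$der = [System.IO.Path]::ChangeExtension($OutFile, '.der')
certutil -f -config "$DomainController\$CaName" -ca.cert $der | Out-Null
certutil -f -encode $der $OutFile | Out-Null
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($OutFile)
"Exported CA certificate: $($ca.Subject) (thumbprint $($ca.Thumbprint)) -> $OutFile"

# Build the chain for the LDAPS certificate with the exported CA as an extra
# anchor and require that the chain ends in exactly that CA. If it ends
# elsewhere (leaf issued by another CA, or a renewed CA certificate), the
# appliance will not be able to validate the LDAPS session with this file.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
[void]$chain.ChainPolicy.ExtraStore.Add($ca)
[void]$chain.Build($leaf)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Thumbprint -ne $ca.Thumbprint) {
    throw "LDAPS certificate chains to '$($root.Subject)', not to the exported CA"
}

# A conformant LDAPS client also checks the host name, so the name placed in
# Endian's 'LDAP server URI' should be one of the certificate's DNS names; the
# bare domain name only works if the certificate lists it.
if ($dnsNames -contains $DomainController) {
    "OK: use ldaps://$DomainController as the LDAP server URI"
} else {
    Write-Warning "'$DomainController' is not in the certificate; use one of: $($dnsNames -join ', ')"
}
```

Run it after the domain controller has enrolled its certificate. The thumbprint printed for the exported CA is also a convenient way to confirm, after the upload in step five, that the appliance lists the same certificate.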

Importing Active Directory certificate for LDAPS to Endian appliance and configure VPN connection with LDAP over SSL

Step five: For VPN authentication over LDAP over SSL to work, the CA certificate obtained in step four from the Active Directory server must be imported on the Endian appliance, and an authentication server using LDAPS must be configured.

Note

Make sure the firewall allows TCP connections from the Endian appliance to the Active Directory server on port 636. If the traffic between the two passes through another firewall, verify there as well that port 636 is not blocked.

  1. To configure the connection to the Active Directory server, use the domain controller's fully qualified domain name (FQDN), the same name that appears in its certificate, rather than an IP address. If the appliance cannot resolve that name through DNS, add a static entry on the Endian appliance for its DNS resolver under Network / Edit hosts, fill in the details (domain controller IP address, hostname and domain name) and click Change or Add.

    Note

    If the domain controller's DNS zone is already reachable from the Endian appliance and its FQDN resolves, you can skip this step.

    mceclip55.png
    mceclip56.png

  2. Import the CA certificate exported in step four on the Endian appliance: go to VPN / Certificates / Certificate Authority, click Browse, select the certificate file and click Upload CA certificate.

    mceclip57.png
    mceclip58.png

  3. If the import succeeded, the certificate appears in the certificate list.

    mceclip59.png

  4. After importing the certificate, it is necessary to configure the VPN connection to use LDAP over SSL secure connection by accessing the VPN / Authentication / Settings / Add new authentication server menu.

    mceclip60.png

  5. Configure the authentication server to use LDAP over SSL (LDAPS) for authentication against the Active Directory domain controller and click the Add button.

    mceclip61.png

    Configuration details for this guide's example domain endian.local (pdc.endian.local stands for the domain controller's FQDN and must match a DNS name in its certificate; the bind account and base DNs must belong to the same domain):

    Name: Authentication display name
    Enabled: yes
    Type: LDAP / Active Directory
    LDAP server URI: ldaps://pdc.endian.local
    LDAP server type: Active Directory
    LDAP bind DN username: administrator@endian.local
    LDAP bind DN password: <administrator domain password>
    LDAP user base DN: CN=Users,DC=endian,DC=local
    LDAP group base DN: CN=Users,DC=endian,DC=local

    The URI must use the ldaps:// scheme; port 636 is implied. The bind account only needs to read user and group objects, and its password is stored on the appliance, so in production use a dedicated low-privilege service account for the bind rather than the domain Administrator.

  6. After the authentication server has been added, it is listed in the Authentication server section. To pull the user and group data from Active Directory, click the refresh button next to it.

    mceclip62.png

  7. Results. After synchronization with Active Directory, the imported users available for VPN authentication over LDAP over SSL are listed in the Users and Groups section.

    Note

    The appliance imports at most 1000 user accounts from Active Directory. This is Active Directory's default LDAP query policy (MaxPageSize = 1000): a single search that does not use paging returns no more than 1000 entries.

    mceclip63.png

    Note

    User groups imported from Active Directory must belong to the same organizational unit (OU), the one given as the group base DN. Groups located in different OUs cannot be imported together.

    mceclip65.png
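Before relying on the appliance's refresh button, the same bind and user enumeration can be reproduced from a Windows host with the .NET LDAP client, which makes bind or certificate problems visible as explicit errors and shows where the 1000-account limit comes from. This is an added example, not part of the Endian article; the domain controller pdc.endian.local, a dedicated bind account svc-endian-ldap@endian.local and the base DN CN=Users,DC=endian,DC=local are assumptions standing in for your own values.

```powershell
# Added example, not taken from the Endian article. Binds over LDAPS with the same
# URI, bind account and base DN that the Endian authentication server uses, then
# enumerates user objects with paging. Assumed values: DC 'pdc.endian.local',
# bind account 'svc-endian-ldap@endian.local', base DN 'CN=Users,DC=endian,DC=local'.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server  = 'pdc.endian.local'
$bindUpn = 'svc-endian-ldap@endian.local'     # read-only service account, not Administrator
$baseDn  = 'CN=Users,DC=endian,DC=local'
$pw      = Read-Host -Prompt "Password for $bindUpn" -AsSecureString
$cred    = New-Object System.Net.NetworkCredential($bindUpn, $pw)

# Port 636 with SecureSocketLayer = TLS from the first byte (LDAPS), exactly
# what 'ldaps://pdc.endian.local' means on the appliance. A simple (Basic) bind
# sends the password, which is why it must never be done on port 389 without TLS.
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, 636, $false, $false)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred, 'Basic')
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3

# Platform certificate validation stays on. A bind error of 'The LDAP server is
# unavailable' at this point means the DC certificate is not trusted by this
# host or does not match $server; 'supplied credential is invalid' means the
# TLS session is fine and the bind account or password is wrong.
$conn.Bind()
"Bound to ldaps://${server}:636 as $bindUpn"

# Enumerate users page by page. AD's MaxPageSize (1000 by default) caps a single
# unpaged search, which is the limit the appliance hits; the paging control is
# how a client retrieves more than that.
$filter = '(&(objectCategory=person)(objectClass=user))'
$search = New-Object System.DirectoryServices.Protocols.SearchRequest($baseDn, $filter, 'Subtree', @('sAMAccountName'))
$paging = New-Object System.DirectoryServices.Protocols.PageResultRequestControl(500)
[void]$search.Controls.Add($paging)

$count = 0
do {
    $resp  = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($search)
    $count += $resp.Entries.Count
    $page  = $resp.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
    $paging.Cookie = $page.Cookie          # empty cookie means the last page
} while ($page.Cookie.Length -gt 0)

"$count user objects under $baseDn"
if ($count -gt 1000) {
    Write-Warning 'More than 1000 users: the appliance imports only the first 1000 accounts'
}
$conn.Dispose()
```

If the bind succeeds here but the appliance still shows no users after a refresh, the remaining suspects are the firewall rule for port 636 and name resolution of the domain controller's FQDN on the appliance, both covered at the start of this step.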

The names, addresses and credentials used in this tutorial are test data; they serve only as an example for configuring the solution and must be replaced with your own values.
