Applies to Platform: UTM 3.0, 4i Edge 3.0, UTM 5.0, 4i Edge 5.0
Last Update: 21 November 2020
This configuration guide will illustrate how to install and configure an Endian VPN using Active Directory Server with LDAP Over SSL (LDAPS).
Scope: To protect VPN authentication, the communication between the Endian appliance and Active Directory must be secured with LDAP over SSL (LDAPS). LDAPS uses TCP port 636 and a certificate issued by a Certification Authority (CA) to secure the communication between the VPN services and the Active Directory server.
Tutorial structure
This tutorial describes the complete solution for installing and configuring Active Directory and the Endian LDAP over SSL secure connection (LDAPS). Depending on what you are looking for, jump to one of the following sections:
- Active Directory Server installation and configuration
- Certification Authority Installation and Configuration for Active Directory Domain Controller Server
- Testing the LDAP over SSL communication
- Exporting Active Directory certificate for LDAPS connection
- Importing Active Directory certificate for LDAPS to Endian appliance and configure VPN connection with LDAP over SSL
Active Directory Server installation and configuration
Step one: Installing and configuring Active Directory Domain Controller Server.
Note
If you already have an Active Directory Domain Controller Server installed and configured, you may skip this part of the tutorial.
- Open the Server Manager application on your domain controller server. Access the Manage menu and click on Add Roles and Features.
- This is an information screen. You can read and click on the Next button.
- For a single-server configuration, select Role-based or feature-based installation and click the Next button.
- Select a server from the pool and click the Next button.
- Access the Server role screen, select the Active Directory Domain Service and click on the Next button.
- On the following screen, click on the Add Features button.
- On the following screen, click on the Next button.
- On the following screen, click on the Next button.
- On the confirmation screen, click on the Install button.
- Wait for the Active Directory installation to finish and click the Close button.
- Open the Server Manager application. Click on the yellow flag menu and click the option to Promote this server to a domain controller.
- Select the option to Add a new forest, enter a root domain name and click the Next button. In our example, we created a new domain named endian.local.
- Enter a password to secure Active Directory restore mode and click the Next button.
- On the DNS options screen, click on the Next button.
- Verify the Netbios name assigned to your domain and click on the Next button.
- On the Paths options screen, click on the Next button.
- Review your configuration options and click on the Next button.
- On the Prerequisites Check screen, click on the Install button.
Note
After finishing the Active Directory installation, the computer will restart automatically. You have finished the Active Directory configuration on Windows Server.
Certification Authority Installation and Configuration for Active Directory Domain Controller Server
Step two: Installing and configuring the Windows Certification Authority service. The local certification authority issues the domain controller a certificate that allows the LDAPS service to listen on TCP port 636.
- Open the Server Manager application. Access the Manage menu and click on Add Roles and Features.
- This is an information screen. You can read and click on the Next button.
- For a single-server configuration, select Role-based or feature-based installation and click the Next button.
- Select a server from the pool and click Next button.
- Access the Server role screen, select the Active Directory Certificate Services and click on the Next button.
- On the following screen, click on the Add Features button.
- On the following screen, click on the Next button.
- On the following screen, click on the Next button.
- Enable the option named Certification Authority and click on the Next button.
- On the confirmation screen, click on the Install button.
- Wait for the Certification Authority installation to finish and click the Close button.
- Open the Server Manager application. Click on the yellow flag menu and click the option to Configure Active Directory Certificate Services.
- On the Credentials screen, click on the Next button.
- Select the Certification Authority option and click on the Next button.
- Select the Enterprise CA option and click on the Next button.
- Select the Root CA option and click on the Next button.
- Select the Create a new private key option and click on the Next button.
- Keep the default cryptography configuration and click on the Next button.
- Set a common name for the Certification Authority and click on the Next button. In our example, we set the common name endian-PDC-CA.
- Set the Windows Certification authority validity period and click on the Next button.
- Keep the default Windows Certification authority database location and click Next button.
- Verify the summary and click on the Configure button.
- Wait for the Windows server Certification Authority installation to finish and click the Close button.
Note
After finishing the certification authority installation, reboot your computer. You have finished the Windows Certification authority installation.
Testing the LDAP over SSL communication
Step three: Test whether your domain controller offers the LDAP over SSL service on port 636.
- Open the LDP application, access the Connection menu and select the Connect option. Try to connect to the domain controller (your domain controller or localhost) using TCP port 389, then click the OK button. You should be able to connect to the LDAP service on localhost port 389.
- Now test whether your domain controller offers the LDAP over SSL service on port 636. Open a new LDP application window and try to connect to the domain controller (your domain controller or localhost) using TCP port 636 with SSL enabled, then click the OK button. You should be able to connect to the LDAP service on localhost port 636 over SSL (LDAPS).
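The LDP test above confirms that the port answers; the check that actually matters for the Endian side is whether the certificate the domain controller presents chains to the CA from step two and carries the host name that will be used in the VPN configuration. The following script is an added example (not part of the original page, and not Endian's or Microsoft's code) that performs that check with Python's standard library, trusting only the exported CA file. The host name dc1.endian.local, the SAMPLE_PEERCERT dictionary and all function names are this example's own; the live probe assumes the domain controller is reachable on TCP 636.

```python
"""LDAPS probe for step three: confirm the domain controller answers on
TCP 636 with a certificate that chains to the exported CA and that names
the host being dialled. Added example; not Endian's or Microsoft's code.
Assumes a reachable DC and the Base-64 .CER exported from the Windows CA."""
import socket
import ssl
import time


def tcp_open(host, port, timeout=3.0):
    """Plain reachability check, the equivalent of LDP connecting to 389
    without SSL (or a quick firewall check for 636)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ldaps_probe(host, cafile, port=636, timeout=5.0):
    """Open a TLS session to host:port trusting only the CA in `cafile`.
    Returns the peer certificate in the dict form ssl.getpeercert() uses.
    ssl.SSLCertVerificationError means the chain or the host name failed,
    which is the same failure a strictly validating LDAPS client sees."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True           # the FQDN must match the SAN / CN
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def _name_attr(name, attr):
    """Pull one attribute (e.g. 'commonName') out of the nested
    subject/issuer tuples that getpeercert() returns."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def summarize_cert(cert, expected_host, expected_issuer_cn, now=None):
    """Reduce a peer-certificate dict to the facts LDAPS depends on: who
    issued it, which names it carries, how long it stays valid, and whether
    those agree with the CA name and FQDN used in the VPN configuration.
    Name matching here is exact; wildcard handling is left to the TLS
    handshake, which is the authoritative check."""
    now = time.time() if now is None else now
    issuer_cn = _name_attr(cert.get("issuer", ()), "commonName")
    subject_cn = _name_attr(cert.get("subject", ()), "commonName")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((expires - now) // 86400)
    names = {n.lower() for n in sans}
    if subject_cn:
        names.add(subject_cn.lower())
    return {
        "issuer_cn": issuer_cn,
        "subject_cn": subject_cn,
        "san": sans,
        "days_left": days_left,
        "issuer_ok": issuer_cn == expected_issuer_cn,
        "host_ok": expected_host.lower() in names,
        "expired": days_left < 0,
    }


# Constructed sample in getpeercert() layout, modelled on what an Enterprise
# CA named endian-PDC-CA (the page's example) would issue to a DC in the
# endian.local domain; the host name dc1.endian.local is made up here.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "dc1.endian.local"),),),
    "issuer": ((("domainComponent", "local"),),
               (("domainComponent", "endian"),),
               (("commonName", "endian-PDC-CA"),)),
    "subjectAltName": (("DNS", "dc1.endian.local"), ("DNS", "endian.local")),
    "notAfter": "Nov 21 10:00:00 2025 GMT",
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        # Offline demonstration on the constructed sample above.
        print(summarize_cert(SAMPLE_PEERCERT, "dc1.endian.local", "endian-PDC-CA"))
    else:
        host, cafile = sys.argv[1], sys.argv[2]
        print("389 open:", tcp_open(host, 389), "| 636 open:", tcp_open(host, 636))
        cert = ldaps_probe(host, cafile)        # raises on a bad chain or name
        print(summarize_cert(cert, host, expected_issuer_cn="endian-PDC-CA"))
```

Run it as `python ldaps_probe.py dc.example.local ca.cer` from a host that can reach the domain controller. A successful handshake with only the exported CA loaded proves the export from step four is the right certificate; a verification error with `ldaps_probe` while LDP on the server itself succeeds usually points at a host name that is not in the certificate, which is exactly why the Endian configuration later requires the FQDN.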
Exporting Active Directory certificate for LDAPS connection
Step four: To set up the LDAP over SSL secure connection for the VPN on the Endian appliance, the certificate installed in step two on the Active Directory server must be exported.
This step shows how to export that generated certificate so that it can be imported into the Endian appliance, which requires it for LDAPS communication with Active Directory.
- Open Certification Authority from the Programs menu, or run the command certsrv.msc from the Run dialog and click the OK button.
- Right-click on the name of the certification authority, and select Properties.
- In the General tab, select the certificate you want to access and click View Certificate. The selected certificate is displayed.
- In the Details tab, click Copy to File. This opens the Certificate Export Wizard.
- This is an information screen. You can read and click on the Next button.
- Select Base-64 encoded binary X.509 (.CER) as the export file format and click the Next button.
- Specify a file path and a name for the certificate file and click the Next button.
- To complete the export, click the Finish button. A dialog box reports that the export was successful; click the OK button.
Importing Active Directory certificate for LDAPS to Endian appliance and configure VPN connection with LDAP over SSL
Step five: For VPN authentication over LDAP over SSL to work, the certificate obtained in step four from the Active Directory server must be imported into the Endian appliance, and some VPN settings must be configured.
Note
Make sure the firewall has rules that allow connections to the Active Directory server on TCP port 636. Where such rules are required, verify that connections on this port are not blocked.
- To configure the connection to the Active Directory server, make sure you use the Domain Controller's FQDN. If the Domain Controller is on the local network, you can add a local hostname for the Endian appliance's DNS resolver under Network / Edit hosts: fill in the domain controller's IP address, hostname and domain name, then click Change or Add.
Note
If you already use an FQDN and the DNS zone on your domain controller is set up and reachable from the Endian appliance, you can skip this step.
- The certificate exported in step four from the Active Directory server must be imported into the Endian appliance: go to VPN / Certificates / Certificate Authority, click Browse and select the certificate, then click Upload CA certificate.
- If the certificate was imported successfully, it is displayed in the certificate list.
- After importing the certificate, configure the VPN connection to use the LDAP over SSL secure connection under VPN / Authentication / Settings / Add new authentication server.
- Configure the VPN connection to use LDAP over SSL (LDAPS) for authentication with the Active Directory Domain Controller server and click the Add button.
Configuration details, using the Administrator account of the Domain Controller:
Name: Authentication display name
Enabled: yes
Type: LDAP / Active Directory
LDAP server URI: ldaps://example.com
LDAP server type: Active Directory
LDAP bind DN username: administrator@example.com
LDAP bind DN password: <administrator domain password>
LDAP user base DN: CN=Users,DC=services,DC=example,DC=com
LDAP group base DN: CN=Users,DC=services,DC=example,DC=com
- After the authentication server is successfully configured, it appears in the Authentication server section. To make sure that the authentication data is imported from Active Directory, click the refresh button.
- Results: after synchronizing with Active Directory, the users imported for VPN authentication over LDAP over SSL are displayed in the Users and Groups section.
Note
At most 1000 user accounts can be imported from Active Directory. By design and by default, Active Directory does not allow the import of more than 1000 user accounts.
Note
User groups imported from Active Directory must belong to the same organizational unit (OU). Groups belonging to different organizational units cannot be imported.
The data used in this tutorial is test data and is provided for information purposes, as an example for configuring solutions and services.
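Most failures at this stage come from the form being filled in with values that cannot pass certificate validation rather than from the certificate itself. The following Python pre-flight check is an added example (not Endian code) that ties step four and step five together: it reads the authentication-server settings listed above together with the exported CA file and reports anything that would make the LDAPS connection fail or silently weaken it, namely a plain ldap:// URI, an IP address or short name where the certificate carries an FQDN, a port other than 636, user and group base DNs from different domains, and a CA file exported in the wrong format. The field names follow the page; the SAMPLE_PEM body, the address 192.168.1.10 used as a deliberately weak variant, and the wording of the findings are constructed for this example.

```python
"""Pre-flight check for the authentication-server form of step five, plus
the Base-64 format check for the CA file exported in step four. Added
example, not Endian code; field names follow the page, the sample values
and the findings wording are this example's own."""
import base64
import ipaddress
from urllib.parse import urlsplit

# The page's own configuration values (password left out on purpose).
PAGE_SETTINGS = {
    "LDAP server URI": "ldaps://example.com",
    "LDAP server type": "Active Directory",
    "LDAP bind DN username": "administrator@example.com",
    "LDAP user base DN": "CN=Users,DC=services,DC=example,DC=com",
    "LDAP group base DN": "CN=Users,DC=services,DC=example,DC=com",
}

# Constructed stand-in for the exported .CER: a real export carries a whole
# certificate between these markers; this body is only a five-byte DER
# SEQUENCE so the format check has something to decode.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(b"\x30\x03\x02\x01\x01").decode()
              + "-----END CERTIFICATE-----\n")


def parse_dn(dn):
    """Split 'CN=Users,DC=example,DC=com' into [('CN', 'Users'), ...].
    Escaped commas inside values are out of scope for this check."""
    parts = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr, value = rdn.split("=", 1)
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def domain_from_dn(dn):
    """Join the DC components: DC=services,DC=example,DC=com -> services.example.com"""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")


def is_pem_certificate(text):
    """True when the file is in the Base-64 encoded X.509 (.CER) form the
    export wizard offers: PEM markers around Base-64 that decodes to DER
    starting with a SEQUENCE tag (0x30). A DER-only .CER fails this test."""
    lines = text.strip().splitlines()
    if (len(lines) < 3 or lines[0].strip() != "-----BEGIN CERTIFICATE-----"
            or lines[-1].strip() != "-----END CERTIFICATE-----"):
        return False
    try:
        body = "".join(line.strip() for line in lines[1:-1])
        der = base64.b64decode(body, validate=True)
    except ValueError:        # binascii.Error is a ValueError subclass
        return False
    return len(der) > 0 and der[0] == 0x30


def check_settings(settings, ca_file_text):
    """Return a list of findings; an empty list means the form is consistent
    with a certificate-validated LDAPS connection."""
    findings = []
    uri = urlsplit(settings["LDAP server URI"])
    host = uri.hostname or ""
    if uri.scheme != "ldaps":
        findings.append("URI scheme is not ldaps://: a simple bind over plain "
                        "ldap:// sends the bind password in clear text")
    try:
        ipaddress.ip_address(host)
        findings.append("URI host is an IP address: the DC certificate is "
                        "issued to its host name, so use the FQDN")
    except ValueError:
        if "." not in host:   # crude FQDN test: a bare short name cannot match
            findings.append("URI host is not fully qualified: add it under "
                            "Network / Edit hosts or fix DNS")
    if uri.port not in (None, 636):
        findings.append(f"port {uri.port} is not 636; check the firewall rule")
    if settings.get("LDAP server type") != "Active Directory":
        findings.append("LDAP server type must be Active Directory")
    bind = settings["LDAP bind DN username"]
    if "@" not in bind and "=" not in bind:
        findings.append("bind account must be a UPN (user@domain) or a full DN")
    try:
        if domain_from_dn(settings["LDAP user base DN"]) != domain_from_dn(
                settings["LDAP group base DN"]):
            findings.append("user and group base DNs point at different domains")
    except ValueError as err:
        findings.append(f"malformed base DN: {err}")
    if not is_pem_certificate(ca_file_text):
        findings.append("CA file is not Base-64 encoded X.509: re-export it "
                        "with that format (step four) before uploading")
    return findings


if __name__ == "__main__":
    print("page settings:", check_settings(PAGE_SETTINGS, SAMPLE_PEM) or "OK")
    # Constructed weak variant: cleartext scheme and an IP instead of the FQDN.
    weak = {**PAGE_SETTINGS, "LDAP server URI": "ldap://192.168.1.10"}
    for finding in check_settings(weak, "not a certificate"):
        print("-", finding)
```

To use it against a real form, replace PAGE_SETTINGS with the values you intend to enter and pass the contents of the exported .CER file as `ca_file_text`; every finding corresponds to one of the steps above that needs to be revisited before clicking Add.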