Question

ISA 2004 publish LDAP?

By mark_wessel ·
I'm trying for the life of me to allow an external computer to access my internal LDAP server.

I've tried publishing a rule to allow port 389 through from the external side to the internal server, but it doesn't work.

When I check the logs they show the following:

Initiated Connection ISA-SRVR1 10/15/2008 1:32:12 PM
Log type: Firewall service
Status: The operation completed successfully.
Rule: LDAP
Source: External (x.y.z.q:4076)
Destination: Internal ( 172.16.0.10:389)
Protocol: LDAP 2
User:
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 64.180.108.114
Client agent:

It eventually closes the connection. The computer trying to connect from the outside just gives a connection error.

Any ideas would be appreciated. Thanks!


All Answers

ISA 2004 publish LDAP issues....

If you have Active Directory and Exchange on the same box, you probably have a problem with conflicting ports. Active Directory uses Lightweight Directory Access Protocol (LDAP), as does Exchange. Unfortunately Active Directory and Exchange try to use the same ports for LDAP communications, causing miscommunications. Active Directory and Exchange use LDAP via TCP port 389 for client communications and TCP port 636 for secure client communication (SSL). If this is the case, what you will normally see is problems in Exchange, but it could affect either or both. If you check the event log, it will inform you of the "probable" port conflict by generating Event ID 1306 and Event ID 1309 errors, for port 389 and port 636 conflicts, respectively.

You have a fine gotcha! on your hands. What to do? What to do?

I would strongly recommend from a security perspective that you do not run any application including Exchange or IIS on a domain controller. If you can, move the Exchange server to a member server. If you must run both Active Directory and Exchange on the same server, see How to Change LDAP Port Assignments in Exchange Server.

If you have a firewall and are trying to block LDAP port access, LDAP uses

* TCP port 389 for client communications
* TCP port 636 for SSL communications
* TCP port 3268 for communications to Global Catalog server
* TCP port 3269 for SSL communications to Global Catalog server
More here:
http://tinyurl.com/46gysu

Please post back if you have any more problems or questions.
If this information is useful, please mark as helpful. Thanks.

ISA 2004 publish LDAP

by mark_wessel In reply to ISA 2004 publish LDAP iss ...

My ISA server is isolated and not connected to my domain.

I'm trying to publish LDAP access for a separate server inside my network.

I know my LDAP is working correctly, since I have a secondary internet connection using a PIX and it can publish the LDAP port 389 from that internal server to the outside without a problem.

So it's definitely a configuration issue with ISA 2004.

It's strange, because the ISA is publishing my internal web and mail servers without a problem.

Thoughts?

This might help a bit more on your ISA 2004 issue...

http://www.isaserver.org/tutorials/Publishing_LDAP_Server_on_ISA.html

Please post back if you have any more problems or questions.
If this information is useful, please mark as helpful. Thanks.

ISA 2004 publish LDAP?

by mark_wessel In reply to This might help a bit mor ...

I have already tried all of the suggested ways of publishing ISA. Still not working.

ISA 2004 publish LDAP - fixed

by mark_wessel In reply to ISA 2004 publish LDAP?

I figured it out.

I had to tell the rule to make the requests appear to come from the ISA Server instead of the original client.

Cheers.
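The symptom in the question's log (connection initiated, status successful, zero bytes in both directions) is the pattern to look for when a publishing rule accepts a connection but the published server's replies never make it back through ISA. The following is an added example, not code from the thread or from ISA Server: it parses entries in the layout of the firewall-service log quoted above (sample values are constructed, addresses are documentation-range placeholders) and flags rules showing that half-open pattern.

```python
import re

# Constructed sample in the layout of the ISA 2004 firewall log quoted in the question
# (values are made up; the external addresses are documentation-range placeholders).
SAMPLE_LOG = """\
Initiated Connection ISA-SRVR1 10/15/2008 1:32:12 PM
Log type: Firewall service
Status: The operation completed successfully.
Rule: LDAP
Source: External (203.0.113.5:4076)
Destination: Internal ( 172.16.0.10:389)
Protocol: LDAP 2
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 203.0.113.5

Initiated Connection ISA-SRVR1 10/15/2008 1:40:02 PM
Log type: Firewall service
Status: The operation completed successfully.
Rule: Web
Source: External (203.0.113.5:4101)
Destination: Internal ( 172.16.0.20:80)
Protocol: HTTP
Number of bytes sent: 2310 Number of bytes received: 874
Processing time: 120ms Original Client IP: 203.0.113.5
"""

FIELD_RE = re.compile(r"^(Rule|Source|Destination|Protocol): (.+)$", re.M)
BYTES_RE = re.compile(r"Number of bytes sent: (\d+) Number of bytes received: (\d+)")


def parse_entries(text):
    """Split the log into blank-line separated entries and pull out the fields we need."""
    entries = []
    for chunk in text.strip().split("\n\n"):
        fields = {k: v.strip() for k, v in FIELD_RE.findall(chunk)}
        sent, recv = map(int, BYTES_RE.search(chunk).groups())
        fields["sent"], fields["received"] = sent, recv
        # Normalise "Internal ( 172.16.0.10:389)" to "172.16.0.10:389"
        fields["dest"] = fields["Destination"].split("(")[1].rstrip(")").strip()
        entries.append(fields)
    return entries


def find_half_open(entries):
    """Rules whose connection was accepted but carried no bytes either way: the question's
    symptom, which the poster resolved by making requests appear to come from the ISA address."""
    return [(e["Rule"], e["dest"]) for e in entries if e["sent"] == 0 and e["received"] == 0]
```

A hit from `find_half_open` is a reason to check the published server's return path (its default gateway) before changing the rule, since a second Internet connection like the PIX in this thread can carry the replies out a different way.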
