XG constantly using LDAP (UDP 389) port to AD while LDAPS (port 636) is configured

Hi apijnappels,

Thank you for reaching out to the Community! 

Can you show us your AD configuration on your firewall? 

Thanks,

Here you go....

Have you done any wireshark? I'm curious about this because I would like to use encrypted LDAP traffic.

Do you guys use NTLM/Kerberos? 

I found in the latest version, that NTLM/Kerberos seems to ignore the configured Port and uses Port 389. There is a Bug ID for this: NC-66450 

Check if you are using NTLM/Kerberos = You can deactivate it, if not needed, by disable AD SSO for all zones in Device Access. 

Hi LuCar Toni

Deactivating AD SSO for all zones did indeed stop the traffic from appearing in the Authentication logs, the last log line is "AD SSO authentication disabled from device access".

Will that also completely disable STAS or will STAS and CAA still work?

AD SSO means the "UTM" Terms AD SSO. So NTLM/Kerberos. 

Device Access --> Client authentication is STAS / CAA etc. 

XG uses Kerberos/NTLM to auto join the AD and fetch NTLM/Kerberos information. This seems to be done regardless of the AD Server Port/SSL security settings. Hence the Bug ID is open and under investigation, why this occur. 

Thanks, so no trouble is to be expected with AD SSO disabled? Is it just for joining XG to the domain? Does it have any negative effects to leave it disabled?

AD SSO is Kerberos/NTLM. If you do not use those systems, you do not need AD SSO. 

i have just posted this:

18.0.4 MR-4: AD join issues!! - Discussions - XG Firewall - Sophos Community

using it for Sync user id with Heartbeat, any ETA on a fix? :-)