
Standard service definitions missing UDP

Hello to the community,

I post this issue because you might either find it helpful when in a similar situation,
and hopefully someone in charge reads it and this will be fixed in further releases.

I came across this with two services, SIP and LDAP.
When migrating our UTM to XG, I created the same rules I had on the UTM for the XG.
But my PBX (virtual phone appliance) and my Exchange, both sitting in the DMZ would not work properly that way.
After poking around a long time, I found out the reason was as simple as ugly:

Both protocols are usually listed as TCP and UDP (LDAP 389 and SIP 5060).
If you have a look at the UTM, you will find both of them predefined as TCP and UDP.
If you have a look at the XG, you will find both of them predefined only as TCP.

No need to explain why most of my rules using these service definitions will fail!
Yuck!

And nicely nice, you can't edit these standard definitions.
So you end up with something which is not exactly named "LDAP" but e.g. "LDAP ALL",
and you have to swap this in all your rules where these services apply.

While talking about the handling of service definitions, let's not forget another ugly downside:
When you go to the service definition menu, you have a search function, yes.
But you can only search for the name of the definition.
You cannot search for the ports covered by definitions.
Thus you can create a definition for the same port with different names several times, without even noticing it!
Oh boys! This was possible and extremely useful on the UTM; why isn't it available on the XG?

Regards
RanX
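Two of the checks described in the post (a standard definition missing a protocol, and several definitions silently covering the same port) can be scripted against an exported service table. The following is an added example, not Sophos code and not the XG or UTM export format: the definition list, the rule list and the field layout are constructed assumptions, and the expected coverage values are the registered TCP/UDP port assignments for LDAP and SIP.

```python
"""Audit firewall service definitions for protocol gaps and duplicate port coverage.

Added example, not Sophos code. SERVICE_DEFS and RULES are constructed stand-ins
for an exported service/rule table; the dict layout is an assumption, not the
XG/UTM schema.
"""
from collections import defaultdict

# Constructed sample: name -> set of (protocol, port) the definition covers.
SERVICE_DEFS = {
    "LDAP":     {("tcp", 389)},                  # TCP only, as on the XG
    "LDAP ALL": {("tcp", 389), ("udp", 389)},    # the workaround definition
    "SIP":      {("tcp", 5060)},                 # TCP only, as on the XG
    "HTTPS":    {("tcp", 443)},
    "My-LDAP":  {("tcp", 389)},                  # duplicate created without noticing
}

# Constructed sample: rule name -> service definitions it references.
RULES = {
    "DMZ-Exchange-to-DC":  ["LDAP", "HTTPS"],
    "DMZ-PBX-to-Internet": ["SIP"],
    "LAN-to-Web":          ["HTTPS"],
}

# Coverage the standard definitions should have (registered TCP/UDP assignments).
EXPECTED = {
    "LDAP": {("tcp", 389), ("udp", 389)},
    "SIP":  {("tcp", 5060), ("udp", 5060)},
}


def missing_protocols(defs, expected):
    """Return {name: {(proto, port), ...}} for expected entries a definition lacks."""
    gaps = {}
    for name, want in expected.items():
        diff = want - defs.get(name, set())
        if diff:
            gaps[name] = diff
    return gaps


def find_by_port(defs, port, proto=None):
    """Search definitions by port (optionally by protocol): the lookup the XG UI lacks."""
    hits = []
    for name, entries in defs.items():
        if any(p == port and (proto is None or pr == proto) for pr, p in entries):
            hits.append(name)
    return sorted(hits)


def duplicate_definitions(defs):
    """Group definition names that cover exactly the same protocol/port set."""
    by_cover = defaultdict(list)
    for name, entries in defs.items():
        by_cover[frozenset(entries)].append(name)
    return sorted(sorted(names) for names in by_cover.values() if len(names) > 1)


def rules_needing_swap(rules, gaps):
    """Rules that reference a definition with a coverage gap (candidates for 'LDAP ALL')."""
    return sorted(r for r, services in rules.items() if any(s in gaps for s in services))


if __name__ == "__main__":
    gaps = missing_protocols(SERVICE_DEFS, EXPECTED)
    for name, diff in gaps.items():
        print(f"{name}: missing {sorted(diff)}")
    print("covering port 389:", find_by_port(SERVICE_DEFS, 389))
    print("duplicate definitions:", duplicate_definitions(SERVICE_DEFS))
    print("rules to swap:", rules_needing_swap(RULES, gaps))
```

Running it on the constructed data reports that "LDAP" lacks udp/389 and "SIP" lacks udp/5060, lists the three definitions that touch port 389, flags "LDAP" and "My-LDAP" as identical, and names the two rules that would need the replacement definition. Against a real export the same functions work once the definitions are loaded into the same name-to-entries shape.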



  • Thinking about udp vs tcp. Why do you use LDAP as UDP? Is there a reason? 

    Essentially it is based on the philosophy of whether to lock standard objects or not. Partners / customers often like to edit predefined objects; some do not like to do that. 

    For partners it is much easier to understand that the object is always the same: standard objects are not changed by anybody, therefore you know what you are working with. 

    I know from past experience (I worked a lot on UTMs), looking into issues which were based on "the standard object was edited" and nobody noticed it. From my perspective I prefer to have a predefined set which is not changed in any way. So I can look at HTTPS and know what services are included, and not some object which a customer "edited" (in good faith). 

  • > Thinking about udp vs tcp. Why do you use LDAP as UDP? Is there a reason? 

    Ask Microsoft.
    Our Exchange sits in the DMZ and whenever a client (Outlook) connects, it sends a request to the DC in the main network by LDAP UDP.
    So if I don't allow it, Outlook will make no connection but sit there with a password request forever.

    > I know from past experience i worked a lot on UTMs, looking into issues, which was based on "the standard object was edited" any nobody noticed it. From my perspective i like more to have a predefined set, which is not changed in any way. So i can look at HTTPs and know, what services are included. And not some object, which a customer "edited" (in good faith). 

    Which is perfectly all right, as long as the definitions cover what they should cover.
    On the UTM, both named above included UDP (like they should, regarding official documentation --> https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers).
    On the XG they don't, which to my understanding is not correct and should be adjusted.

  • I never noticed an issue with LDAP as a TCP-only service. Which is odd, as I know that most likely LDAP is a TCP protocol. Why does your Outlook do an LDAP connection in the first place? I never heard of an Outlook-to-Exchange LDAP connection. 

  • It's not Outlook itself.
    When the client connects to Exchange, the Exchange server verifies its credentials against the DC by LDAP.
    So it's an LDAP connection between Exchange --> DC.

  • That makes more sense to me. And your Exchange server is using LDAP via UDP to the DC? Still odd to me. Regarding the Microsoft documentation, this should be done by TCP. 

  • This leads me to the assumption that the MS documentation is incomplete.
    As soon as only LDAP TCP is allowed between Exchange and DCs, the Outlook clients aren't able to authenticate successfully.

    And well, the standard LDAP definition on the UTM covers both, TCP and UDP.
    I think, when it was done in the past, whoever did it knew why ...

    Plus the fact that the above linked list also names LDAP with TCP and UDP.
    So I suggest filing that both definitions (SIP and LDAP) have to be fixed in the forthcoming updates.
