Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 6 replies
  • Answers 1 answer
  • Subscribers 4 subscribers
  • Views 14996 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

LDAPS + NAT + Certificate

Wilfried Wolf

Hi there,

I want to publish our internal LDAP server (it's a novel one residing on let's say ldap.internal, corectly speaking ldaps) to the rest of the world. So I did a NAT-Forwording as described elsewhere and everything works fine except for the certificate, because with NAT the internal certificate (for ldap.internal) is presented, which a) is not trusted by the public and b) does not match the hostname.

I know the possibility for Web-Server forwarding (Webserver Protection -> Web Application Firewall), but I guess, this will not work for LDAPS.

Is there another possibility to provide a different Certificate to the "outer world" for NATing LDAPS through UTM9?

 

Best regards and thanks for your help in advance...

 

Willi



This thread was automatically locked due to age.
Parents Reply
  • 0 in reply to Wilfried Wolf

    Upps. That was new to me. I don't see any other option with the utm.

    Have a look at Kemp ( https://freeloadbalancer.com/ ). There should be the ldaps offloading feature.

    With public names internally you should use split dns (UTM configured as forwarder for your internal DNS, internal LDAP as static DNS entry) to avoid connections from internal via NAT over the public ip to the internal server.

    Good luck!

    CS

     

    Sophos Certified Architect (UTM + XG)

Children
  • 0 in reply to CS

    CS said:

    Have a look at Kemp ( https://freeloadbalancer.com/ ). There should be the ldaps offloading feature

    Well, this seems to be a bit too big for our case...

    CS said:

    With public names internally you should use split dns (UTM configured as forwarder for your internal DNS, internal LDAP as static DNS entry) to avoid connections from internal via NAT over the public ip to the internal server.

    I do not quite understand. The idea was to use external DNS to point to internal ldap, for example ldap-i.example.com -> 192.168.209.48. Then give the LDAP our wildcard-certificate. Make ldap.example.com a CNAME to sophos external address and use NAT as before (World <-> ldap.example.com <-> ldap-i.example.com).

    Since the wild card certificate now matches both (ldap and ldap-i) it should be valid for both.

    So I just have to access ldap-i from inside, which should not use NAT then.

    Well anyhow, the problem now is to convince the novell groupwise LDAP to use our wildcard certificate, which we have not succeeded yet.

    Thanks a lot for your help

     

    Willi

Unfiltered HTML