Question:

In order to properly secure and protect an external Active Directory / LDAP identity provider (IDP) for Symantec App Center's SaaS offering, what steps are recommended/required?
  

Answer:

1. On the local firewall, one of the following TCP ports must be forwarded to either the AD/LDAP server or load balancer to allow incoming external requests:

• TCP port 389 for LDAP (unencrypted)
        
• TCP port 636 for LDAPs (LDAP over TLS/SSL)
    
• TCP port 3268 for msft-gc (Microsoft Global Catalog, top tier LDAP service for AD forest data)
    
• TCP port 3269 for msft-gc-ssl (msft-gc over SSL)

2. If LDAPs or msft-gc-ssl is chosen, Symantec's SaaS servers must trust the corresponding party. To ensure this trust exists, the applicable certificate authority (CA) chain must be applied to the servers' list of trusted CA's. If the AD/LDAP certificate does not report up to a known and trusted public root CA, the certificate chain must be provided to the Symantec App Center Operations team to be applied to the SaaS servers.
     
   Contact either Product Management, Sales or Support to provide your comany's AD/LDAP certificate chain. The root CA's certificate, and any applicable intermediate CA certificates, are to be provided and must be in .PEM format. The operations team is to provide a turn-around within two business days.

3. For further security, and to prevent communication from 3rd party sources, configure the firewall to only allow LDAP communication from the following IP addresses. These IP addresses represent the front end Symantec App Center servers in the cloud, which are responsible for making the outbound LDAP requests:

• 50.18.58.220
    
• 184.169.153.242