How to configure firewall for external Active Directory / LDAP IDP with SaaS tenant
|Article:HOWTO80685|||||Created: 2012-10-17|||||Updated: 2014-02-21|||||Article URL http://www.symantec.com/docs/HOWTO80685|
In order to properly secure and protect an external Active Directory / LDAP identity provider (IDP) for Symantec App Center's SaaS offering, what steps are recommended/required?
- On the local firewall, one of the following TCP ports must be forwarded to either the AD/LDAP server or load balancer to allow incoming external requests:
- TCP port 389 for LDAP (unencrypted)
- TCP port 636 for LDAPs (LDAP over TLS/SSL)
- TCP port 3268 for msft-gc (Microsoft Global Catalog, top tier LDAP service for AD forest data)
- TCP port 3269 for msft-gc-ssl (msft-gc over SSL)
- If LDAPs or msft-gc-ssl is chosen, Symantec's SaaS servers must trust the corresponding party. To ensure this trust exists, the applicable certificate authority (CA) chain must be applied to the servers' list of trusted CA's. If the AD/LDAP certificate does not report up to a known and trusted public root CA, the certificate chain can be uploaded to Symantec's Saas servers through the Symantec App Center Administrator Console. Go to "Settings > Certificates > LDAP Certificates".
- For further security, and to prevent communication from 3rd party sources, configure the firewall to only allow LDAP communication from the following IP addresses. These IP addresses represent the front end Symantec App Center servers in the cloud, which are responsible for making the outbound LDAP requests:
Current IP address until March 6th:
fe[1-2].appcenterhq.com: 184.108.40.206, 220.127.116.11
New IP addresses after March 6th:
achq[1-4].appcenterhq.com: 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52
You may make the local Firewall Policy change to allow access from all above 6 IP addresses. On or after March 6th, please remove IP addresses 184.108.40.206 and 220.127.116.11.
Article URL http://www.symantec.com/docs/HOWTO80685