LDAPS through Meraki

Looker44
Here to help

We cannot LDAPS through our MX250. I have port 636 open to my specific IP (also tried any). I can internally LDAP (389) and LDAPS (636) to server A. When I open 389, I can LDAP (389) from external to internal, but LDAPS (636) is an immediate fail.

Is there a filter I can set on Meraki to monitor port 636 from IP x.x.x.x? Or is there a second step I need to do to complete LDAPS to the internal server?

I am using MS ldp.exe to test connections.

6 Replies
alemabrahao
Kind of a big deal

You can perform a packet capture.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Packet_Capture_Overvi...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal

#1 issue when investigating these is Windows Firewall. Try turning it off and testing again.

Otherwise as @alemabrahao says, perform a packet capture.

Looker44
Here to help

Turning off Windows Firewall did not help.

Looker44
Here to help

Thanks, ran a packet capture, but I can't read Klingon...

Looker44
Here to help

PCAP shows that port forwarding is working, but for whatever reason the LAN device (Windows server) is attempting to close the TCP session after a successful TCP 3-way handshake and subsequent TLS Client and Server Hellos.
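As an added client-side check (not from any post in this thread), the script below reproduces from the outside the distinction the PCAP made visible: whether TCP to port 636 opens at all, whether the peer drops the session during the TLS handshake, or whether the handshake completes. The local stand-in server it starts when run with no argument is constructed for the demo and simply hangs up after the ClientHello; pass a real host as the first argument to probe it on 636 instead.

```python
import socket
import ssl
import sys
import threading

def probe_ldaps(host, port=636, timeout=5.0):
    """Try a TLS handshake to host:port; 'stage' says how far it got:
    tcp_failed (no TCP session: port forward, firewall or host), tls_aborted
    (TCP opened but the peer dropped it mid-handshake, as in this thread's PCAP),
    tls_rejected (peer sent a TLS alert) or ok (TLS version and cipher reported)."""
    result = {"host": host, "port": port, "stage": "tcp_failed", "detail": ""}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["detail"] = f"TCP connect failed: {exc}"
        return result
    # Verification is off on purpose: the question is whether the server finishes
    # the handshake at all, not whether its certificate chain is trusted.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result["stage"] = "ok"
            result["detail"] = f"{tls.version()} {tls.cipher()[0]}"
    except ssl.SSLError as exc:
        eof = isinstance(exc, ssl.SSLEOFError) or "EOF" in str(exc).upper()
        result["stage"] = "tls_aborted" if eof else "tls_rejected"
        result["detail"] = f"TLS handshake failed: {exc}"
    except OSError as exc:  # e.g. ConnectionResetError: RST after our ClientHello
        result["stage"] = "tls_aborted"
        result["detail"] = f"peer dropped the session during the handshake: {exc}"
    return result

def start_aborting_server():
    """Constructed stand-in for the misbehaving LAN server: accepts one TCP
    connection, reads the ClientHello, then hangs up. Returns (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        conn.recv(4096)  # read the ClientHello, then close with no ServerHello
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()

if __name__ == "__main__":  # real host on 636 if given, else the stand-in
    target = (sys.argv[1], 636) if len(sys.argv) > 1 else start_aborting_server()
    print(probe_ldaps(*target))
```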

alemabrahao
Kind of a big deal

Try disabling the Windows firewall.

I don't know if it makes sense, but you can try this configuration.

[attached screenshot: alemabrahao_0-1694617809163.png]