Microsoft has announced that the "LDAP Channel Binding and LDAP Signing Requirements" change is scheduled for a Windows update in March 2020.
In an upcoming release in March 2020, Microsoft will provide a Windows update that by default will change the LDAP channel binding and LDAP signing settings to more secure configurations:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
RESOLUTION:
Customers using an unencrypted Active Directory/LDAP configuration will need to change the corresponding settings within FireMon.
TCP port 646 must be open and listening on the Active Directory server. The Certificate Authority root certificate for LDAPS must be imported into the FireMon Application Server.
Root Certificate Installation
Acquire the root certificate from within the organization. SFTP the certificate to the Application Server and place it in the home directory of the admin user. Log in via the CLI and run:
fmos pki import-ca <name-of-the.cert>
A message should appear, stating the certificate was successfully imported. Reboot the Application Server:
fmos reboot
Active Directory & LDAP Configuration
Once the root certificate is installed, make the changes to the Active Directory/LDAP configuration as shown in the screenshot above. Before making changes, it is recommended to confirm them with the administrator of the Active Directory. The configuration described here uses default settings.
Navigate to Administration -> Access -> Authentication Servers -> <Name of configured Active Directory/LDAP object>. While editing the configuration, change Port to 646.
Change Encryption to 'TLS/SSL'.
Click Test in the bottom left-hand corner. Enter a username and password of an Active Directory account.
If the configuration is successful, the test will come back with all green checkmarks.
Close this window and press Save in the bottom left. Configuration is complete.
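If the test fails, it helps to separate a TLS trust problem from a credential problem. The following Python 3 script is an added example, not FireMon code: run from an administrator workstation, it attempts a verified TLS handshake with the directory server while trusting only the root certificate that was imported. The host name, port and certificate path are arguments you supply; use the port set in the authentication server object.

```python
import socket
import ssl
from datetime import datetime, timezone


def build_context(ca_file=None):
    """TLS client context that trusts only ca_file (system store if None)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True            # server name must match the certificate
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must end at a trusted root
    return ctx


def check_ldaps(host, port, ca_file=None, timeout=5.0):
    """Attempt a verified TLS handshake with the directory server."""
    result = {"host": host, "port": port, "ok": False, "error": None}
    try:
        ctx = build_context(ca_file)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                expires = datetime.fromtimestamp(
                    ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
                result.update(
                    ok=True,
                    protocol=tls.version(),
                    days_left=(expires - datetime.now(timezone.utc)).days,
                )
    except ssl.SSLCertVerificationError as exc:
        # Wrong root imported, expired certificate, or host name mismatch
        result["error"] = f"certificate rejected: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        # Port closed or filtered, non-TLS listener, missing CA file, timeout
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    import sys
    # usage: script.py <directory-server-fqdn> <port> <root-ca.pem>
    print(check_ldaps(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

A "certificate rejected" result points at the imported root certificate or the server name used in the configuration; a connection error points at the port or firewall path.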