In order to properly secure and protect an external Active Directory / LDAP identity provider (IDP) for Symantec Mobility:Suite's SaaS offering, what steps are recommended/required?
- On the local firewall, one of the following TCP ports must be forwarded to either the AD/LDAP server or load balancer to allow incoming external requests:
- TCP port 389 for LDAP (unencrypted)
- TCP port 636 for LDAPs (LDAP over TLS/SSL
- TCP port 3268 for msft-gc (Microsoft Global Catalog, top tier LDAP service for AD forest data)
- TCP port 3269 for msft-gc-ssl (msft-gc over SSL)
- If LDAPs or msft-gc-ssl is chosen, Symantec's SaaS servers must trust the corresponding party. To ensure this trust exists, the applicable certificate authority (CA) chain must be applied to the servers' list of trusted CA's. If the AD/LDAP certificate does not report up to a known and trusted public root CA, the certificate chain can be uploaded to Symantec's SaaS servers through the Symantec Mobility: Suite Administrator Console. Go to "Settings > Certificates > LDAP Certificates".
For further security, and to prevent communication from 3rd party sources, configure the firewall to only allow LDAP communication from the following IP addresses. These IP addresses represent the Front End (FE) Symantec Mobility: Suite servers in the cloud, which are responsible for making the outbound LDAP requests:
- achq[1-4].appcenterhq.com: 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199
NOTE: If you had previously added acceptions to your firewall, ensure that these changes are in place, and please remove the previously required IP addresses; 188.8.131.52 and 184.108.40.206.