
How to Secure LDAP Queries Originating From Access Gateway Enterprise Edition to the LDAP Directory

Document ID: CTX113885   /   Created On: Aug 14, 2007   /   Updated On: Aug 14, 2007

Summary

This article describes how to secure Lightweight Directory Access Protocol (LDAP) queries originating from Access Gateway Enterprise Edition to the LDAP directory.

Requirements

• The traffic originating from the Access Gateway to the LDAP directory in use must be secured

• The directory server must have a server certificate installed in case LDAPS is used

• The subject field of the server certificate must contain the Fully Qualified Domain Name (FQDN) of the LDAP directory server

• The Access Gateway device must have the corresponding root certificate installed to verify the server certificate residing on the LDAP directory

Procedure

You can choose between two methods to configure the Access Gateway for secure traffic to the LDAP server:

• SSL (also known as LDAPS)

• Transport Layer Security (TLS), which is referred to as extended TLS

Both methods are inherently different and should be implemented upon careful consideration.

The information below outlines the configuration steps conducted on the Access Gateway for both modes.

Using SSL:

1. In the GUI, go to SSL VPN > Policies > Authentication. Click the Servers tab. If you have no LDAP authentication server configured, consult CTX112724 – Citrix Access Gateway Enterprise Edition Administrator's Guide.

2. In the Server tab, double-click your server configured for LDAP authentication. The following window opens:

[Screenshot: LDAP authentication server configuration window, Security Type set to SSL]

3. In the bottom part of the configuration window (highlighted), locate the Security Type setting and select the SSL radio button.

4. Set the Port setting to the LDAPS port in use for your LDAP directory. Generally, port 636 is used for secure LDAP connections.

In an Active Directory environment, port 3269 can be used to secure the traffic to the global catalog server.

Check the LDAP directory in use to determine which port is configured for LDAPS. Microsoft provides a tool called LDP, installed by default on Windows Server 2003 Active Directory domain controllers, with which a connection can be made to the LDAP server using its FQDN; the tool indicates whether the connection is successful. Follow the instructions under the "Verifying an LDAPS connection" section of Microsoft Knowledge Base article 321051 for more information.

5. The Access Gateway must trust the server certificate installed on the LDAP directory. For this to be successful, the root certificate must be installed in the Configure VPN Virtual Server window under the Certificates tab.

6. Highlight the root certificate the Access Gateway should trust and click Add as CA >. Refer to the following screen shot:

[Screenshot: Configure VPN Virtual Server window, Certificates tab, with the root certificate added as CA]

Command line interface (CLI) commands to configure LDAPS:

• Use the following command to configure LDAP authentication to use SSL:

set authentication ldapAction <name> -serverPort 636 -secType SSL

• Use the following command to bind the root certificate to the SSL VPN virtual server:

bind SSL vserver <name> -certkeyName Root_cert -CA
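Steps 5 and 6 above, together with the requirements list, describe what the Access Gateway checks in LDAPS mode: the directory server's certificate must chain to the root certificate bound with -CA, and its subject (or a subjectAltName) must carry the server's FQDN. The following Python script is an added example for checking an LDAPS endpoint against those two conditions before you bind the root certificate; it is not Citrix code and does not use the LDP tool. Assumptions: the root certificate is available as a PEM file, the FQDN, port and file name in the usage line are placeholders, and SAMPLE_CERT is a constructed dictionary in the shape that Python's SSLSocket.getpeercert() returns.

```python
"""Added example (not Citrix code): verify that an LDAPS endpoint presents a
certificate that chains to a given root CA and that names the directory
server's FQDN, the two conditions the Access Gateway enforces in SSL mode."""
import socket
import ssl


def cert_names(cert):
    """DNS names from a getpeercert() dict: subjectAltName dNSName entries, then the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern, fqdn):
    """Case-insensitive exact match, or a single leftmost wildcard label (*.corp.example)."""
    pattern, fqdn = pattern.lower(), fqdn.lower()
    if pattern == fqdn:
        return True
    if pattern.startswith("*.") and "." in fqdn:
        first_label, parent = fqdn.split(".", 1)
        return first_label != "" and pattern[2:] == parent
    return False


def cert_covers_fqdn(cert, fqdn):
    """True when any DNS name in the certificate matches the directory server's FQDN."""
    return any(name_matches(name, fqdn) for name in cert_names(cert))


def verify_ldaps_endpoint(fqdn, cafile, port=636, timeout=5.0):
    """Open a TLS connection to fqdn:port (636 or 3269 for a global catalog), validating
    the chain against cafile and the hostname, exactly as an LDAPS client must.
    Returns the peer certificate dict; raises ssl.SSLCertVerificationError when the
    chain does not lead to cafile or the name does not match."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((fqdn, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
    if not cert_covers_fqdn(cert, fqdn):  # belt and braces: explicit name check on the parsed cert
        raise ssl.SSLCertVerificationError("certificate does not name %s" % fqdn)
    return cert


# Constructed sample in the shape of SSLSocket.getpeercert() output (not a real certificate)
SAMPLE_CERT = {
    "subject": ((("commonName", "dc01.corp.example"),),),
    "subjectAltName": (("DNS", "dc01.corp.example"), ("DNS", "corp.example")),
}

if __name__ == "__main__":
    # Placeholder FQDN and CA file name; replace with your directory server and root certificate.
    print(verify_ldaps_endpoint("ldap-server.example.invalid", "root_cert.pem"))
```

If verify_ldaps_endpoint raises, the same root certificate bound on the Access Gateway with -CA will not let it trust the directory either, so fix the server certificate or the root before changing the Security Type to SSL.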

Using TLS:

This method of securing the traffic is outlined in Request for Comments (RFC) 2830.

The client and the server negotiate encryption over the clear-text port (389 in most LDAP deployments) that is already used for LDAP queries.

In an Active Directory environment, port 3268 is used for clear text communication to the global catalog server. Port 3268 can also be used to utilize the extended TLS functionality.

Note: The extended TLS functionality for the global catalog server is only supported in Windows Server 2003 environments. This functionality is not implemented in Windows 2000 Server platforms.

Sequence of events:

1. The client initiates the startTLS operation by sending the following object identifier:

OID 1.3.6.1.4.1.1466.20037

2. The server (if the feature is implemented in your LDAP directory) honors this request by sending back an extended response containing the same OID.

3. The server sends back an extended response with the status code of “success” if it is willing and able to negotiate TLS.
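The three-step sequence above, carried through at the byte level as an added example (not part of the Citrix article and not Access Gateway code): the client's ExtendedRequest carrying OID 1.3.6.1.4.1.1466.20037, the server's ExtendedResponse echoing that OID with resultCode success, and the client-side decision to begin the TLS handshake only when both conditions hold. Assumptions: messageID values, the diagnostic text and the refusal result code used in the usage section are constructed; the BER encoding follows the LDAPv3 message syntax.

```python
"""Added example (not Citrix code): the RFC 2830 StartTLS exchange encoded and
decoded by hand. Both sides' messages are built inline; nothing is sent on a
network. The client may switch the connection to TLS only when the server's
ExtendedResponse carries resultCode success (0) and echoes the StartTLS OID."""

START_TLS_OID = "1.3.6.1.4.1.1466.20037"
RESULT_SUCCESS = 0

# BER tags for LDAPMessage, ExtendedRequest and ExtendedResponse
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_OCTET_STRING = 0x04
TAG_EXT_REQUEST = 0x77       # [APPLICATION 23], constructed
TAG_EXT_RESPONSE = 0x78      # [APPLICATION 24], constructed
TAG_REQUEST_NAME = 0x80      # [0] requestName, primitive
TAG_RESPONSE_NAME = 0x8A     # [10] responseName, primitive


def ber_length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """One tag/length/value element."""
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_uint(value, tag=TAG_INTEGER):
    """Non-negative INTEGER or ENUMERATED; keeps a leading 0x00 when the top bit is set."""
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_start_tls_request(message_id):
    """Step 1, client side: LDAPMessage { messageID, ExtendedRequest { requestName [0] OID } }."""
    ext_request = tlv(TAG_EXT_REQUEST, tlv(TAG_REQUEST_NAME, START_TLS_OID.encode("ascii")))
    return tlv(TAG_SEQUENCE, ber_uint(message_id) + ext_request)


def build_start_tls_response(message_id, result_code, diagnostic=""):
    """Steps 2 and 3, server side: ExtendedResponse { LDAPResult, responseName [10] OID }."""
    ldap_result = (ber_uint(result_code, TAG_ENUMERATED)
                   + tlv(TAG_OCTET_STRING, b"")                          # matchedDN, empty
                   + tlv(TAG_OCTET_STRING, diagnostic.encode("utf-8")))  # diagnosticMessage
    ext_response = tlv(TAG_EXT_RESPONSE,
                       ldap_result + tlv(TAG_RESPONSE_NAME, START_TLS_OID.encode("ascii")))
    return tlv(TAG_SEQUENCE, ber_uint(message_id) + ext_response)


def read_tlv(buf, pos=0):
    """Decode one element at pos; returns (tag, value, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_start_tls_response(buf, expected_id):
    """Decode the server's reply; raises ValueError if it is malformed or answers another request."""
    tag, message, end = read_tlv(buf)
    if tag != TAG_SEQUENCE or end != len(buf):
        raise ValueError("not a single LDAPMessage")
    tag, raw_id, pos = read_tlv(message)
    if tag != TAG_INTEGER or int.from_bytes(raw_id, "big") != expected_id:
        raise ValueError("messageID does not match the StartTLS request")
    tag, op, _ = read_tlv(message, pos)
    if tag != TAG_EXT_RESPONSE:
        raise ValueError("protocolOp is not an ExtendedResponse")
    tag, raw_code, pos = read_tlv(op)
    if tag != TAG_ENUMERATED:
        raise ValueError("missing resultCode")
    _, _, pos = read_tlv(op, pos)                 # matchedDN
    _, diagnostic, pos = read_tlv(op, pos)        # diagnosticMessage
    response_name = None
    while pos < len(op):                          # optional referral [3], responseName [10], responseValue [11]
        tag, value, pos = read_tlv(op, pos)
        if tag == TAG_RESPONSE_NAME:
            response_name = value.decode("ascii")
    return {"result_code": int.from_bytes(raw_code, "big"),
            "diagnostic": diagnostic.decode("utf-8", "replace"),
            "response_name": response_name}


def client_may_start_tls(response, expected_id):
    """Client-side gate: start the TLS handshake only on a successful reply that echoes the OID."""
    parsed = parse_start_tls_response(response, expected_id)
    return parsed["result_code"] == RESULT_SUCCESS and parsed["response_name"] == START_TLS_OID


if __name__ == "__main__":
    request = build_start_tls_request(1)
    print("client  ->", request.hex())
    accepted = build_start_tls_response(1, RESULT_SUCCESS)            # constructed server reply
    refused = build_start_tls_response(1, 52, "TLS unavailable")       # constructed refusal (unavailable)
    print("server  <-", accepted.hex(), client_may_start_tls(accepted, 1))
    print("server  <-", refused.hex(), client_may_start_tls(refused, 1))
```

The request produced for messageID 1 is the 31-byte message commonly seen at the start of a StartTLS capture on port 389 (or 3268 for a global catalog); everything after a successful response is carried inside the TLS session, which is why a capture on that port shows only this exchange in the clear.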

Configuration procedure on the Access Gateway:

1. Open the Configure Authentication Server window as outlined above in the Using SSL section. The following window opens:

[Screenshot: LDAP authentication server configuration window, Security Type set to TLS]

2. Select the TLS radio button.

3. Leave the port set to the one already used for plain-text LDAP authentication.

CLI commands to configure the startTLS functionality:

• Use the following command to configure LDAP authentication to use the extended TLS functionality:

set authentication ldapAction <name> -secType TLS

More Information

Extended TLS is an implementation that intends to encrypt the traffic from a client to a service. No validation of the server (LDAP directory) is conducted on the client. If validating the server is your intent, use LDAPS.

The following two statements are true for the extended TLS functionality:

• No server certificate has to be installed on the LDAP server

• No root certificate has to be installed on the Access Gateway device

Also, Windows 2000 Server does not support the TLS extended request functionality. Refer to Microsoft Knowledge Base article 321051 for more information.

