XenMobile - Moving from LDAP to LDAPS
Article ID: CTX236710
Description
I am planning to turn on LDAPS on our XenMobile servers in the DMZ. We are being sure to open port 636 from our firewall to allow proper LDAPS traffic to flow. I understand there is one additional step to be performed prior to making the switch. I believe I need to export the root certificate from the AD DC and import it into the XenMobile server. We need to confirm this.
Instructions
Confirm the Steps Below to Make the Changes to use LDAPS with XenMobile
- First, confirm that your AD DC is set up to accept LDAPS traffic on port 636. See Microsoft's guide for more information: https://blogs.msdn.microsoft.com/microsoftrservertigerteam/2017/04/10/step-by-step-guide-to-setup-ldaps-on-windows-server/
- Ensure port 636 can be accessed from the XenMobile nodes to your AD DC
- The root certificate needs to be exported from the AD Domain Controller
- The certificate must be in .PEM format and uploaded on the certificate page of the XenMobile console
- Modify the LDAP settings on XenMobile to change the port from 389 to 636 and enable the "Use secure connection" option
- Note: if using a NetScaler as your gateway, make changes to your LDAP policy to reflect using LDAPS. This includes changing the port to 636 and also uploading the same root certificate from your AD DC to the NetScaler
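One way to check the steps above before changing the XenMobile LDAP settings, as an added example that is not part of the Citrix article: it converts the exported root certificate to PEM and performs a TLS handshake with the DC on port 636 while trusting only that root. The host name `dc01.example.local` and the file names `root.cer` and `root.pem` are placeholders, and Python's host name check may be stricter than what XenMobile itself enforces.

```python
import socket
import ssl
import sys

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def to_pem(raw: bytes) -> str:
    """Normalise a certificate exported as DER or Base64 (.cer) to PEM text."""
    text = raw.strip()
    if text.startswith(PEM_HEADER):
        # Already Base64: round-trip to get LF endings and 64-column wrapping.
        der = ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
    elif raw[:1] == b"\x30":
        # DER certificates start with an ASN.1 SEQUENCE tag (0x30).
        der = raw
    else:
        raise ValueError("not a DER or PEM X.509 certificate")
    return ssl.DER_cert_to_PEM_cert(der)


def check_ldaps(host: str, root_pem: str, port: int = 636, timeout: float = 5.0) -> dict:
    """TLS handshake with the DC, trusting only the exported root."""
    # PROTOCOL_TLS_CLIENT requires a valid chain and a matching host name,
    # and loads no system CAs, so root_pem is the only trust anchor.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata=root_pem)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"tls": tls.version(), "subject": cert["subject"],
                    "notAfter": cert["notAfter"]}


if __name__ == "__main__":
    # Usage (placeholder names): python check_ldaps.py dc01.example.local root.cer
    dc_host, cert_path = sys.argv[1], sys.argv[2]
    with open(cert_path, "rb") as fh:
        pem = to_pem(fh.read())
    with open("root.pem", "w", newline="\n") as fh:
        fh.write(pem)  # PEM copy of the exported root, ready for upload
    try:
        print("LDAPS OK:", check_ldaps(dc_host, pem))
    except ssl.SSLCertVerificationError as exc:
        print("Certificate check failed:", exc.verify_message)
        sys.exit(1)
    except OSError as exc:
        print("Connection to port 636 failed:", exc)
        sys.exit(2)
```

Run it from a host on the same network segment as the XenMobile nodes so the result also reflects the firewall rule for port 636.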
Additional Information
XenMobile 9 - How to Setup LDAPS / Export Root Certificate from your DC - https://support.citrix.com/article/CTX202478
NetScaler LDAP(S) Policy Setup - https://support.citrix.com/article/CTX108876