Setting the proper Windows Server Firewall rules is critical step to ensure a secure and operational Lightweight Directory Access Protocol (LDAP) connection utilizing SSL/TLS or StartTLS (LDAPS). This guide will show you how to configure an LDAPS (SSL/TLS or StartTLS) connection using port rules for 636/TCP and set needed border firewall IP addresses.

To prevent MITM (man in the middle) attacks, verify you are using port 636/TCP. Port 636 communicates over a secure connection utilizing SSL/TLS or StartTLS. Using the non-secure Port 389 allows plain text communication, putting you at risk of someone obtaining your login credentials.

Create a 636 TCP Firewall Rule

To allow our external connections to your Active Directory we need to setup an LDAPS connection for your Windows Server Firewall. This LDAPS connection is established by uses port rule 636/TCP in your server firewall, preventing MITM (man in the middle) attacks.

All examples and instructions are for Windows Server 2016, steps can be reproduced on Windows Server 2008r2 and newer releases up to 2016.
  1. In the Start menu, search for "firewall" and click Windows Firewall with Advanced Security
  2. Once the application opens, select Inbound Rules, and then under Actions click New Rule...
  3. Select Port, and then click Next
  4. Select TCP and Specific local ports:. Enter 636 as the port, and then click Next
  5. Ensure that Domain, Private and Public are checked, if so click Next
  6. Create a name and description for the new firewall rule that was created, once complete click Finish
    • Repeat to step 2-6, but instead of selecting "Inbound Rules" select Outbound Rules

LDAP Border Firewall

To allow a connection IP addresses need to be added to your servers border controlling firewall (ie. network perimeter firewall, demilitarized zone network firewall, edge network firewall). Add following IP addresses on LDAPS/636 to your Border Firewall to allow a connections:

The process of adding an IP to this firewall can vary device to device, we recommend referencing your firewall/device documentation.

Related LDAP Resources and Guides

LDAP Setup Overview

LDAP Server & User Details

LDAP Authentication and LDAP User Import

24/7 Live Support

Our technical support team is also available 24/7/365 via phone, chat, email or by opening a ticket through your account to help with any LDAP questions related to our services. Contact us anytime. We're always here. 24/7/365.