Hosting email off-site is more popular than ever, as most administrators prefer it for the benefits it offers. Like any other trend, this one has raised a security concern.
Did you know that the information exchanged between you and the hosting company is sent in clear text? Did you know that anyone sitting on that path can eavesdrop and collect all your email addresses and passwords with almost no effort? If that worries you, LDAPS is the solution.
By default LDAP transmits everything, including the user names and passwords the hosted email platform checks against your directory, in clear text, and the only way to secure that traffic is to encrypt it on the wire between the client and the server, in both directions. LDAPS is the Lightweight Directory Access Protocol over Secure Sockets Layer (SSL)/Transport Layer Security (TLS), used here to protect the data exchanged between the hosting company's servers and your Active Directory (AD) domain controller. The advantage of this method is that it costs nothing: because the communication only, and always, takes place between the same two parties, you do not need a certificate from a public CA. You can issue the certificate from your own on-premise certificate authority (CA), as long as you can run that CA and get the hosting company to trust it. How is it done? I will explain:
1. Like any other certificate, you start by creating a certificate request, following the instructions in this document http://support.microsoft.com/kb/321051. When that article asks you to put the FQDN in the SUBJECT line, enter it as follows:
“CN=host_name.mydomain.my_domain_extension” (keep the double quotes; the CN must be the full DNS name of the domain controller, exactly as the hosting company will connect to it, not just the short host name)
2. Once the Certificate Request (CSR) is created, send it to the Certificate Authority (CA) to have a certificate issued. This CA needs to be on your side, at the location the LDAP information will be pulled from.
3. Install the received certificate from the command prompt, following the instructions in the link above, on the server the request was generated from: the private key created with the request lives there, so that is the domain controller that will answer LDAPS.
4. Make sure the certificate is installed in the Personal container of the Local Computer certificate store (not the current user's store).
5. Make sure the CA's own certificate is added under “Trusted Root Certification Authorities” > Certificates in that same Local Computer store. Without it the chain cannot be built, the domain controller will not offer LDAPS, and the traffic stays unencrypted. When you open a valid certificate it is issued to the FQDN of the domain controller, issued by your CA, and shows the note that you have a private key that corresponds to this certificate (notice that it has a private key; a certificate without one is useless here).
6. If you comply with the above, your server is LDAPS ready; otherwise you must troubleshoot and fix the problem before going further.
7. When setting up the certificate on the hosting server and connecting to the CA, you have to use the FQDN of the CA. If that name does not resolve on the Internet (because the CA is internal or in a DMZ), add an entry in the hosting server's hosts file pointing the FQDN to the public IP address that is NATed to the CA. Keep in mind that this exposes your CA to the Internet: where you can, hand the hosting company an exported copy of the CA certificate to import into their trusted roots instead of opening the CA up.
8. Port 636 is LDAPS on any domain controller; port 3269 is the Global Catalog over SSL and is only answered by domain controllers that are also Global Catalog (GC) servers. If your AD server is not a GC you must use port 636; if it is also a GC you can use port 3269 instead (which is what you want when the forest has more than one domain).
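Steps 1 to 8 above, carried out with certreq and certutil in an elevated PowerShell prompt on the domain controller. This is an added example, not a script from the original article or from Microsoft; the names dc01.mydomain.com, ca01.mydomain.com, the CA name MyDomain-CA, the C:\ldaps folder and the 203.0.113.10 address are placeholders to replace with your own.

```powershell
# Added example, not part of the original article. All names below are placeholders.
# Run in an elevated PowerShell prompt on the domain controller that will answer LDAPS.
$DcFqdn = 'dc01.mydomain.com'       # assumption: FQDN the hosting company will connect to
$CaHost = 'ca01.mydomain.com'       # assumption: FQDN of the on-premise CA
$CaName = 'MyDomain-CA'             # assumption: the CA's common name
$Work   = 'C:\ldaps'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Step 1: the request file from KB 321051. The Subject CN is the DC's FQDN and the same
# name is repeated in the Subject Alternative Name, so clients that only look at the SAN
# still match. MachineKeySet=TRUE puts the private key in the Local Computer store (step 4).
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=__DCFQDN__"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=__DCFQDN__&"
'@ -replace '__DCFQDN__', $DcFqdn
Set-Content -Path "$Work\request.inf" -Value $inf -Encoding ASCII

# Step 7: the CA is addressed by FQDN. If it does not resolve from this machine, pin it in
# the hosts file; 203.0.113.10 is a placeholder for the address that is NATed to the CA.
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hosts -Pattern ([regex]::Escape($CaHost)) -Quiet)) {
    Add-Content -Path $hosts -Value "203.0.113.10`t$CaHost"
}

# Step 2: generate the CSR. The private key is created here and never leaves this machine.
certreq -new "$Work\request.inf" "$Work\request.req"

# Step 3: submit to the CA and accept the issued certificate into Local Computer\Personal.
# (If the CA admin issues it by hand, run only the -accept line with the file they return.)
certreq -submit -config "$CaHost\$CaName" "$Work\request.req" "$Work\certnew.cer"
certreq -accept "$Work\certnew.cer"

# Step 5: the CA's own certificate must be trusted by the Local Computer, otherwise the
# chain does not build and the DC will not offer LDAPS. Fetch it from the CA and add it to
# Trusted Root Certification Authorities. Give the same rootca.cer to the hosting company.
certutil -config "$CaHost\$CaName" -ca.cert "$Work\rootca.cer"
certutil -addstore -f Root "$Work\rootca.cer"

# Steps 4 and 6: the certificate must sit in Local Computer\Personal with its private key,
# and the chain must verify. Cert:\LocalMachine\My is the PowerShell view of that store.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$DcFqdn" }
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw "No certificate for CN=$DcFqdn with a private key in Local Computer\Personal"
}
certutil -verify "$Work\certnew.cer"
```

If certutil -verify reports a chain error, fix that before touching anything on the hosting side: the domain controller only starts answering on port 636 once it finds a certificate in its Personal store that chains to a trusted root and carries its own FQDN.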
To make sure that your certificate is configured properly, use Microsoft's LDP.exe: connect to the domain controller on port 636 (or 3269 for a Global Catalog) with the SSL option checked. A successful connection confirms that the connection using the certificate just created is working; a “Cannot open connection” error means the certificate is missing, has no private key, or does not chain to a trusted root.
You can also use the CertUtil command line with one of its switches (for example certutil -verify on the certificate file, or certutil -store My to list the Personal store) to help you troubleshoot any certificate problems.
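What LDP.exe checks, scripted so it can be repeated from the hosting side or from a monitoring box. This is an added example, not code from the original article or from Microsoft; the dc01.mydomain.com name, the svc-mail account and the choice of simple bind are assumptions, and it requires the CA's root certificate to already be in the Trusted Root store of the machine running it.

```powershell
# Added example, not part of the original article. Verifies an LDAPS endpoint the way
# LDP.exe > Connection > Connect (with SSL) does: first a raw TLS handshake to see the
# certificate the DC really presents, then an LDAP bind inside that TLS session.
# Requires the CA's root certificate in this machine's Trusted Root store.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-LdapsServerCertificate {
    param(
        [Parameter(Mandatory)][string]$DcFqdn,
        [int]$Port = 636      # 636 on any DC; 3269 only on a Global Catalog
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        # Throws if the chain does not build or the name does not match: the same
        # failures LDP.exe reports as "Cannot open connection".
        $ssl.AuthenticateAsClient($DcFqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            SslProtocol = $ssl.SslProtocol
            # The name the client connects to must be the CN or appear in the SAN
            NameMatches = ($cert.Subject -eq "CN=$DcFqdn") -or
                          ([string]$san -match [regex]::Escape($DcFqdn))
        }
    }
    finally { $ssl.Dispose(); $tcp.Close() }
}

function Test-LdapsBind {
    param(
        [Parameter(Mandatory)][string]$DcFqdn,
        [Parameter(Mandatory)][pscredential]$Credential,   # account the hosting side binds with
        [int]$Port = 636
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DcFqdn, $Port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion  = 3
    # A simple (Basic) bind puts the password on the wire as-is; that is exactly the
    # exposure the article describes, and exactly why the session has to be SSL/TLS.
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $Credential.GetNetworkCredential()
    try {
        $conn.Bind()
        # Read RootDSE so the test proves a usable bind, not just a TLS handshake
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', 'Base', 'defaultNamingContext')
        $res = $conn.SendRequest($req)
        $res.Entries[0].Attributes['defaultNamingContext'][0]
    }
    finally { $conn.Dispose() }
}

# Usage (placeholders):
Get-LdapsServerCertificate -DcFqdn 'dc01.mydomain.com' -Port 636 | Format-List
Test-LdapsBind -DcFqdn 'dc01.mydomain.com' -Port 636 -Credential (Get-Credential 'MYDOMAIN\svc-mail')
```

Read the failures the same way you would in LDP.exe: a TCP error from the first function means nothing is listening on that port (no valid certificate on the DC, or the port is not opened through the firewall); “The remote certificate is invalid according to the validation procedure” means the client does not trust your CA (step 5 on the hosting side); NameMatches coming back False means the certificate was issued to the wrong name. Run the same two calls with -Port 3269 only if the domain controller is a Global Catalog.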
Need to protect your data while taking advantage of the benefits of hosting? Visit our cloud service and let us know if you have any questions.
You can email us to support@vircom.com or call us 514-845-8474 / 1.888.484.7266.