ADFS, LDAP, and SonicWall

jrm213jrm213 used Ask the Experts™

We have set up Active Directory Federation Services on our Domain Controller (WS2008r2). Our network sits behind a sonicwall. We have set up NAT in the sonicwall to pass all TCP/UDP traffic on port 389 to the DC. We can ldap_connect to the ADFS from php when we use the inernal 10.0.0.* address to perform the connection and it works, but if we try from outside of the building which has to go through the sonicwall we always get connection refused.

Has anyone run into this? It appears the Sonicwall is stopping the connection even though it should be passing it through.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

I'm in the same boat.  Help with this would be appreciated, since it's practically impossible to get through to Sonicwall support right now for some reason.
I finally got this working. Intstead of creating new access rules and NAT rules, we utilized an existing rule we found named "External LDAP". It was only accepting requests from specific IP-Addresses in a group, so we added our testing server to that group, and it worked. This rule was far down on the list and wasn't initially found as we were looking for rules that started with LDAP or Active...

I will post more info for you PRJ1970 when I get a chance, probably later this afternoon.
To be more specific about what we set up

1. Under "Network" in the sonicwall management, choose "Address Objects", go to the "Address Objects" section and add in the IP Address of your SP: (Name: Whatever, Zone: WAN, Type: Hoste, IP: your_sp_ip_address). Save that and go the "Address Groups" section and Find "External LDAP Clients", edit that group and add in the "Address Object" you just created. Save that.

2. Under "Network" go to "Services", go to the "Services" Section, Sort by Name, and Find "Active Directory (External)" and "Active Directory (Internal)". If they are not there you can create them. In our case they were both TCP, the port range for "External" was 4389 - 4389 and the port range for "Internal" was 389 - 389.

3. Under "Network" go to "NAT Policies" find "External LDAP Clients", it was first in our list. Edit that rule and make it like
Original Source: External LDAP Clients
Translated Source: Original
Original Destination: NAT Services
Translated Destination: "your ADFS server"
Original Service: Active Directory (External)
Translated Service: Active Directory (Internal)
Inbound Interface: Any
Outbound Interface: Any
Comment: External Access to ADFS, LDAP
Enable Nat Policy (checked)

Now you should be able to authenticate from your SP into your ADFS over port 4389 (if that is what you chose for your External Port Range).

I hope that helps you out PRJ1970
Blue Street TechLast Knight
Distinguished Expert 2018

Good find @jrm213jrm2132! Just select your comments (http:#a40042398http:#a40048213) as the answer to close this question.


The network admin and I just kept researching what could be wrong until we came up with the accepted solution which fixed the problem.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial