ADManager Plus Deployment Scenarios

• Enable SSL for Secure Communication over the Internet
• Configuring ADManager Plus to Securely Function in a De-militarized Zone (DMZ)
• Open-up selective Firewall Ports to facilitate access over the Internet
• Protocols and Ports Used

Enable SSL for Secure Communication over the Internet:

You will need to enable SSL for enhanced security and secure communication by ADManager Plus over the internet. To enable SSL on ADManager Plus kindly follow the below steps:

• Logon to the "ADManager Plus Admin Login" by providing proper admin credentials.
• Click "Admin" tab ==> "Connection".
• Select "Enable SSL Port [https]"
• Click "Save" to save the settings and restart ADManager Plus.

This will enable SSL, and a secure communication by ADManager Plus over the internet is possible. A valid SSL certificate is to be applied for enabling SSL.

Configuring ADManager Plus to Securely Function in a De-militarized Zone (DMZ)

For ADManager Plus to be installed in the DMZ (Demilitarized Zone), Port "389" (to communicate with the LDAP Protocol) and Port "135" (to communicate with RPC) are to be opened up in the Firewall along with other dynamic ports.

Section: "Find all Dynamic Ports" highlights the steps for identifying dynamic ports that needs to be opened up in the firewall. We strongly recommend you to run ADManager Plus application in Secure Socket Layer (SSL) mode for a DMZ Server Installation. Check the above section on how to enable SSL.

Open -up selective Firewall Ports to facilitate access over the Internet :

(i) When ADManager Plus is installed on your local area network with the URL accessible across internet :

• Open the port on which ADManager Plus is running. By default ADManager Plus runs on port 8080 and it is configurable.

(ii) When ADManager Plus is installed in the DMZ, open the following ports in the Firewall:

• Port "389"to communicate with the LDAP Protocol.
• Port "135"to communicate with RPC.
• Find "Dynamic Ports" for other dynamic ports that need to be opened in the Firewall. These will be used for communication between AD and ADManager Plus.

 

Protocols and Ports Used

ADManager Plus uses Windows ADSI (Active Directory Service Interfaces) to interact with the Active Directory, which in turn uses LDAP (for querying and modifying directory services running over TCP/IP) protocol on port   389.

Right now, ADManager Plus communicates with the Active Directory using normal LDAP connection. And we have plans to introduce secured LDAP connections.

Finding / Identifying Dynamic Ports:

ADManager Plus uses several other ports which are dynamic. It is required by an administrator to identify all available dynamic ports and open them up in the Firewall.   In-order to open-up dynamic firewall ports one can follow the below steps.

Step 1: Open a command prompt in the Domain Controller.

Step 2: Type the following command and execute it in the command prompt.

portqry -n "<Your_Domain_Controller_Name>" -e 135 -l resultPorts.txt

In case you use a different port for RPC, use the port number in which your RPC is running by replacing 135 in the above command.

Step 3: After executing the above command, open the "resultPorts.txt" from where the command is executed.

Step 4: Find for all the "_tcp" in the "resultPorts.txt" (Ex : ncacn_ip_tcp:100.190.1.2[1142])

Step 5 : The value in the Square Brackets[ ] are the ports which needs to be opened. Make a note of these ports.   (Ex: in the above result, 1142 is the port that needs to be opened).

Step 6: Continue with the search until the file ends and open all the identified ports.