Change the Default Port for the Active Directory Server

If your Firebox is configured to authenticate users with an Active Directory (AD) authentication server, it connects to the Active Directory server on the standard LDAP port by default, which is TCP port 389. If the Active Directory servers that you add to your Firebox configuration are set up to be Active Directory global catalog servers, you can configure the Firebox to use the global catalog port—TCP port 3268—to connect to the Active Directory server.

A global catalog server is a domain controller that stores a partial replica of every object in the forest. This enables applications to search the whole of Active Directory through one server, without having to contact the specific domain controllers that store the requested data. If you have only one domain, Microsoft recommends that you configure all domain controllers as global catalog servers.

If the primary or secondary Active Directory server you use in your Firebox configuration is also configured as a global catalog server, you can change the port the device uses to connect to the Active Directory server to increase the speed of authentication requests. However, we do not recommend that you create additional Active Directory global catalog servers just to speed up authentication requests. The replication that occurs among multiple global catalog servers can use significant bandwidth on your network.

If you add the Certificate Authority role to your AD server and configure the server to use LDAPS (LDAP over SSL/TLS, with certificates), the AD port is TCP port 636 and the global catalog port is TCP port 3269.

Configure the Firebox to Use the Global Catalog Port

To configure the device to use the global catalog port, from Fireware Web UI:

  1. Select Authentication > Servers.
    The Authentication Servers page appears.
  2. In the Server list, select Active Directory.
    The Active Directory page appears with the list of configured servers.
  3. Select a server and click Edit.
  4. In the Port text box, clear the contents and type 3268.
  5. Click Save.

To configure the device to use the global catalog port from Policy Manager:

  1. Click the Authentication Servers icon.
    Or, select Setup > Authentication > Authentication Servers.
    The Authentication Servers dialog box appears.
  2. Select the Active Directory tab.
  3. Select a server and click Edit.
  4. In the IP Address / DNS Name list, select the entry that has the port you want to change, and click Remove.
  5. Click Add.
    The Add IP / DNS Name dialog box appears.
  6. From the Choose Type drop-down list, select IP Address or DNS Name.
  7. In the Value text box, type the IP address or DNS name of the Active Directory server.
  8. In the Port text box, type 3268.
  9. Click OK.
  10. Save the Configuration File.

Find Out if Your Active Directory Server is Configured as a Global Catalog Server

  1. Select Start > Administrative Tools > Active Directory Sites and Services.
  2. Expand the Sites tree and find the name of your Active Directory server.
  3. Right-click NTDS Settings for your Active Directory server and select Properties.

If the Global Catalog check box is selected, the Active Directory server is configured as a global catalog server.
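Before you change the port in the Firebox configuration, it helps to confirm from the Windows side which domain controllers actually hold the global catalog role and that the port you intend to use (389 or 636 for LDAP/LDAPS, 3268 or 3269 for the global catalog) accepts connections. The following PowerShell script is an added example and is not part of the WatchGuard documentation or the Firebox; it assumes a domain-joined Windows host with the ActiveDirectory RSAT module installed and an account that can query domain controllers. It enumerates every domain controller, reports its IsGlobalCatalog flag, and tests a TCP connection to each of the four ports named on this page, flagging any server where the global catalog ports are not appropriate.

```powershell
# Added example (not WatchGuard code): confirm the global catalog role and
# port reachability of domain controllers before pointing a Firebox at them.
# Assumes the ActiveDirectory RSAT module and a domain-joined host.
# Port assignments follow the documentation page:
#   389  LDAP             636  LDAPS
#   3268 Global catalog   3269 Global catalog over LDAPS
Import-Module ActiveDirectory

# Map each port to its meaning so the report is readable.
$PortRoles = [ordered]@{
    389  = 'LDAP'
    636  = 'LDAPS'
    3268 = 'Global catalog (LDAP)'
    3269 = 'Global catalog (LDAPS)'
}

# Enumerate every domain controller in the domain with its global catalog role.
$controllers = Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, IsGlobalCatalog

foreach ($dc in $controllers) {
    Write-Host ("`n{0} ({1})  IsGlobalCatalog={2}" -f $dc.HostName, $dc.IPv4Address, $dc.IsGlobalCatalog)

    foreach ($port in $PortRoles.Keys) {
        # Test-NetConnection performs a TCP connect to the port;
        # -InformationLevel Quiet returns $true or $false only.
        $open = Test-NetConnection -ComputerName $dc.HostName -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        $status = if ($open) { 'open' } else { 'closed' }

        # A Firebox configured for 3268/3269 against a domain controller that is
        # not a global catalog server cannot authenticate users, so call that out.
        $note = ''
        if (($port -eq 3268 -or $port -eq 3269) -and -not $dc.IsGlobalCatalog) {
            $note = '  <- not a global catalog server; do not use this port here'
        }
        '{0,5}  {1,-24} {2}{3}' -f $port, $PortRoles[$port], $status, $note
    }
}
```

Run the script from an administrative PowerShell session on a domain-joined host. Note that the connection test is made from that host, not from the Firebox; if a firewall or routing policy sits between the Firebox and the domain controller, a port that is reported open here can still be unreachable from the Firebox, so the result confirms the server-side configuration rather than the full path.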

Related Topics

About Third-Party Authentication Servers

Configure Active Directory Authentication