If your WatchGuard device is configured to authenticate users with an Active Directory (AD) authentication server, it connects to the Active Directory server on the standard LDAP port by default, which is TCP port 389. If the Active Directory servers that you add to your WatchGuard device configuration are set up to be Active Directory global catalog servers, you can tell the WatchGuard device to use the global catalog port—TCP port 3268—to connect to the Active Directory server.
A global catalog server is a domain controller that stores information about all objects in the forest. This enables applications to search Active Directory without having to refer to the specific domain controllers that store the requested data. If you have only one domain, Microsoft recommends that you configure all domain controllers as global catalog servers.
If the primary or secondary Active Directory server you use in your WatchGuard device configuration is also configured as a global catalog server, you can change the port the WatchGuard device uses to connect to the Active Directory server to increase the speed of authentication requests. However, we do not recommend that you create additional Active Directory global catalog servers just to speed up authentication requests. The replication that occurs among multiple global catalog servers can use significant bandwidth on your network.
If the Global Catalog check box is selected, the Active Directory server is configured to be a global catalog.
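The same check can be scripted. This is an added example, not taken from the WatchGuard documentation: run from a domain-joined management host with the ActiveDirectory module (RSAT), it confirms that each server listed in the device configuration is a global catalog and accepts connections on TCP port 3268 before you change the port. The server names are placeholders.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and a domain account.
Import-Module ActiveDirectory

# Placeholders: replace with the primary and secondary Active Directory
# servers from the WatchGuard device configuration.
$servers = @('dc1.example.com', 'dc2.example.com')

$results = foreach ($name in $servers) {
    try {
        $dc = Get-ADDomainController -Identity $name -ErrorAction Stop
    } catch {
        Write-Warning "Could not query ${name}: $($_.Exception.Message)"
        continue
    }

    # TCP reachability of the standard LDAP port and the global catalog port
    $ldap = Test-NetConnection -ComputerName $dc.HostName -Port 389 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    $gc = Test-NetConnection -ComputerName $dc.HostName -Port 3268 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    [pscustomobject]@{
        Server          = $dc.HostName
        IsGlobalCatalog = $dc.IsGlobalCatalog
        Port389Open     = $ldap
        Port3268Open    = $gc
        # Use 3268 only when the server is a global catalog and the port answers
        UsePort         = if ($dc.IsGlobalCatalog -and $gc) { 3268 } else { 389 }
    }
}

$results | Format-Table -AutoSize
```

The port test runs from the management host, so any firewall rules between the WatchGuard device and the server must separately allow TCP port 3268.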