VMware Horizon Community
milagrofrost
Contributor

Using LDAPS (port 636) with VMware View Server

I've been tasked with something that seems impossible/unsupported.

VMware View Server uses port 389 for LDAP.  My task is to make View use port 636 instead (LDAP over SSL).  The charge is that the replicated VMware View servers are passing non-encrypted data between each other on port 389.

So far in my quest, I've made no progress in making this happen.  I was however able to test that manual connections can now be made (with ADSI Edit) over SSL port 636 to other replicated View servers.  Problem is that View seems to be hard coded to use port 389 and can't be switched over to use LDAPS.

There are instructions for doing something like this in vCenter (http://www.vstable.com/2012/01/27/vcenter-5-active-directory-web-services-error-1209/) (Virtual Security Lab: Architecture - Blog - proSauce), but nothing related to View surfaces in a Google search.

Anyone have a yea or nay on whether this can be done?

EDIT:  Moved to the correct community.

0 Kudos

Accepted Solutions
markbenson
VMware Employee

It's not easy being tasked with something impossible!

View Connection Servers have an instance of AD LDS and replication between servers uses AD LDS replication. This is a secure replication mechanism using LDAP, Replication RPC and Kerberos and is secure without needing to set up LDAP over SSL on 636.

The articles you refer to are actually about setting an unused LDAPS port number relating to access from Active Directory Web Services with vCenter Server to get rid of a harmless Event. This doesn't change anything to do with LDAP replication between servers. View prevents remote access to Active Directory Web Services anyway with a specific firewall rule so remote users have no access to it.

The only reason why you may want to use LDAPS with AD LDS is if you support LDAP simple binds. The use of SSL would mean that simple bind passwords were not sent in the clear. In the case of View, LDAP simple binds are not enabled anyway.

In summary, what you are trying to do is unnecessary.

Mark

0 Kudos
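A way to verify the simple-bind point from the answer above against your own AD LDS instance, written here as an added example (not code from this thread or from VMware). It assumes the standard AD LDS `msDS-Other-Settings` attribute on the Directory Service object of the configuration NC holds `RequireSecureSimpleBind`; the constructed sample values, the `ldap3` helper and the NTLM bind are assumptions, not anything the post confirms about View.

```python
"""Check whether an AD LDS instance (for example the one on a View Connection
Server) already refuses cleartext LDAP simple binds, which is the only case
the answer above names where LDAPS on 636 would add anything."""
from typing import Dict, Iterable, List

# msDS-Other-Settings is a multi-valued attribute of "name=value" strings on
# CN=Directory Service,CN=Windows NT,CN=Services,<configuration NC>.
# RequireSecureSimpleBind=1 makes AD LDS reject simple binds unless the
# session is already SSL/TLS protected (assumed to apply to View's instance).
SAMPLE_SETTINGS: List[str] = [  # constructed values, not read from a server
    "DynamicObjectDefaultTTL=86400",
    "RequireSecureSimpleBind=1",
    "RequireSecureProxyBind=1",
]

def parse_other_settings(values: Iterable[str]) -> Dict[str, str]:
    """Turn the 'name=value' strings into a dict; skip anything malformed."""
    settings: Dict[str, str] = {}
    for raw in values:
        name, sep, value = raw.partition("=")
        if sep and name.strip():
            settings[name.strip()] = value.strip()
    return settings

def assess_simple_bind_exposure(values: Iterable[str]) -> Dict[str, bool]:
    """Decide whether a bind password could travel in the clear on port 389."""
    s = parse_other_settings(values)
    secure_simple = s.get("RequireSecureSimpleBind", "0") == "1"
    secure_proxy = s.get("RequireSecureProxyBind", "0") == "1"
    return {
        "cleartext_simple_bind_possible": not secure_simple,
        "cleartext_proxy_bind_possible": not secure_proxy,
        # LDAPS only buys something if a cleartext bind path is still open
        "ldaps_adds_protection": not (secure_simple and secure_proxy),
    }

def fetch_other_settings(host: str, config_nc: str, user: str,
                         password: str, port: int = 389) -> List[str]:
    """Read the live attribute with the third-party ldap3 package, binding
    with NTLM (user as 'DOMAIN\\name') rather than a simple bind, since the
    simple bind is the thing being audited. Hypothetical helper."""
    from ldap3 import BASE, NTLM, Connection, Server
    conn = Connection(Server(host, port=port), user=user, password=password,
                      authentication=NTLM, auto_bind=True)
    ds_dn = "CN=Directory Service,CN=Windows NT,CN=Services," + config_nc
    conn.search(ds_dn, "(objectClass=*)", search_scope=BASE,
                attributes=["msDS-Other-Settings"])
    return list(conn.entries[0]["msDS-Other-Settings"].values) if conn.entries else []
```

Run `assess_simple_bind_exposure(fetch_other_settings(...))` against a Connection Server; an all-False result means port 389 carries no cleartext bind secrets and LDAPS would only be relevant for third-party clients that need it.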