Software Advisory: Secure LDAP Mandatory for Active Directory Connections
This advisory covers all LDAP connections to Active Directory from the following Cisco Collaboration applications:
-
Cisco Unified Communications Manager
-
IM and Presence Service
-
Cisco Unity Connection
-
Cisco Expressway
-
Cisco Meeting Server
-
Cisco Meeting Management
-
Cisco Jabber
-
Cisco Unified Intelligence Center
-
Cisco Unified Attendant Console Advanced
What's Changing
Microsoft is currently updating security requirements for LDAP connections to Active Directory. After this update completes, Secure LDAP (LDAPS) will become mandatory for all LDAP connections to Active Directory from the specified Cisco Collaboration applications. After the update, LDAP connections to Active Directory from these applications will not work unless Secure LDAP is configured.
This security update is not expected to become mandatory until the second half of the calendar year 2020. However, it's recommended that you update the specified Cisco Collaboration applications to use Secure LDAP as soon as possible. This will both secure your LDAP connection and will also ensure that services remain up and running when the security update becomes mandatory.
Why this Change is Needed
The existing default settings have a vulnerability that may expose Active Directory domain controllers to an elevation of privileges, and man-in-the-middle attacks. The Secure LDAP updates harden the connection to Active Directory’s existing LDAP channel binding and LDAP signing mechanisms, making the system more secure. For more detailed information, refer to the Microsoft Security Advisory ADV190023:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
What configuration updates are required for Active Directory?
Microsoft is expected to roll out a security patch that updates Active Directory servers automatically once the patch is installed. Make sure to apply security patches promptly to Active Directory servers.
Prior to the security patch, administrators can edit Active Directory settings manually to secure the LDAP channel binding and LDAP signing mechanisms. The following three Active Directory registry settings must be changed from the current default setting of 0 to a new setting of 2. This will happen automatically when the patch is rolled out, but in the meantime, you must edit these manually:
-
ldapenforcechannelbinding
-
ldapserverintegrity
-
ldapclientintegrity
For additional configurations around LDAP signing, see https://support.microsoft.com/en-us/help/935834.
What configuration updates are required for Cisco Collaboration Applications?
Before the requirements become mandatory, administrators must update any existing LDAP configurations that are non-secure for the specified Cisco Collaboration applications so that secure LDAP (LDAPS) is configured. If you already have LDAPS configured for all connections to Active Directory, no additional configuration updates are required.
Refer to the below sections for procedures on how to secure existing LDAP connections that are non-secure. Note that each of these updates should be applied only where Active Directory is used as the LDAP server, and the current connection is non-secure. The updates do not apply to other LDAP servers. Complete each update that applies to your deployment.
Note |
As part of the TLS confiiguration, you must also make sure that the appropriate LDAP trust certificates loaded onto each Cisco Collaboration application. |
Cisco Unified Communications Manager Updates
For each LDAP directory sync:
-
From Cisco Unified CM Administration, go to
. -
Under LDAP Server Information, do the following for each LDAP server:
-
Make sure that the LDAP Port is set to the secure port of 636 or 3269.
-
Check the Use TLS check box.
-
-
Click Save.
Note
-
Make sure that you upload the appropriate certificates to the tomcat-trust store on Unified Communications Manager. The connection will work if you upload the LDAP server certificate or if you upload the root and/or applicable intermediate certificates of the certificate authority (CA) that signs the LDAP server certificate.
-
The changes will not be implemented until the next LDAP sync occurs.
-
If you are using LDAP Authentication:
-
From Cisco Unified CM Administration, go to
. -
Set the LDAP Port to the secure port of 636 or 3269.
-
Check the Use TLS check box.
-
Click Save.
If you have LDAP Search configured, or Service Profile configured with Directory Profile, edit the UC service that points to Active Directory:
-
From Cisco Unified CM Administration, choose
. -
Click Find and select an existing directory service that points to Active Directory.
-
Set the Port to 636 or 3269.
-
Set the Protocol to TLS.
-
Click Save.
-
Repeat this procedure for each UC Service that points to Active Directory.
IM and Presence Service Updates
If you are using XMPP contact search through a third-party LDAP server:
-
From Cisco Unified CM IM and Presence Administration, choose
. -
Click Find and select any Active Directory LDAP Servers.
-
Check the Enable SSL check box.
-
Click Save.
-
Repeat this process for each Active Directory LDAP Server.
For Centralized Deployments of the IM and Presence Service where you are syncing users from Active Directory, you must also apply the Unified Communications Manager secure LDAP configuration updates in the preceding section to the standalone Unified Communications Manager publisher node that is a part of the IM and Presence central cluster.
Cisco Unity Connection Updates
For Cisco Unity Connection LDAP syncs:
-
From Cisco Unity Connection Administration, choose:
. -
Under LDAP Server Information, set the following for any Active Directory connections:
-
Make sure that the LDAP Port is set to the secure port of 636 or 3269.
-
Check the Use TLS check box.
-
-
Click Save.
If you are using an LDAP directory to authenticate Unity Connections users:
-
From Cisco Unity Connection Administration, choose:
. -
Set the LDAP Port is set to a secure port of 636 or 3269.
-
Check the Use TLS check box.
-
Click Save.
If you have Unity Connection Unified Messaging deployed with the Exchange Server Search option:
-
From Cisco Unity Connection, choose
. -
Under Exchange Servers, set the Protocol Used to Communicate with Domain Controllers drop-down list box to Secure LDAP (LDAPS).
-
Check the Validate Certificates for Exchange Servers check box.
-
Click Save.
Cisco Expressway Updates
Edit the following LDAP settings on Expressway-C for Active Directory connections:
-
Choose
. -
Set the Port to 636.
-
Set Encryption to TLS.
-
Click Save.
Cisco Meeting Server Updates
If you are using Cisco Meeting Server, edit your LDAP configuration for Active Directory:
-
From the Cisco Meeting Server administration interface, choose
. -
Set the Port to 636 or 3269.
-
Check the Secure connection check box.
-
Click Submit.
-
Use SFTP to upload the certificate bundle of the LDAP server to the Cisco Meeting Server, and then run the following MMP commands:
-
Run the
tls ldap trust <certificate_bundle>
command to assign the LDAP certificate. -
Run the
tls ldap verify enable
command to enable certificate verification.
-
Cisco Meeting Management
If you are using Cisco Meeting Management with Active Directory, follow these steps to reconfigure the system to use secure LDAP (LDAPS).
-
From the Users page, select LDAP server.
-
Check the Use LDAP check box.
-
For the Protocol, select the LDAPS radio button.
-
For the Port, enter 636 or 3269.
-
Under Certificate, click the Upload the certificate for your LDAP server button.
-
Upload the LDAP certificate.
-
Save and Restart Meeting Management.
Cisco Unified Intelligence Center Updates
For Cisco Unified Contact Center Enterprise deployments, you must update the existing Active Directory configuration in Cisco Unified Intelligence Center:
-
From Cisco Unified Intelligence Center, choose Active Directory tab.
and select the -
Set the port to a secure port: 686 or 3269.
-
Check the Use SSL check box.
-
Click Save.
-
After saving the configuration, upload the LDAP server certificate:
-
Save the Active Directory certificate in Base-64 encoded X.509 (CER) file format.
-
In Cisco Unified OS Administration, upload the certificate. Name the certificate as tomcat-trust.
-
Run the
utils service restart Cisco Tomcat
CLI command followed by theutils service restart Intelligence Center Reporting Service
command.
-
Cisco Unified Attendant Console Advanced Updates
Pre-existing Cisco Unified Attendant Console Advanced installations, whose LDAP directory sync is tied to Active Directory (AD) or Active Directory Lightweight Directory Services (ADLDS) also require the following configuration modifications (the following changes are not service impacting) where LDAPS is not already configured:
-
Install the required certificate(s) on the Cisco Unified Attendant Console Advanced server. This is only required on the Primary/Publisher server.
-
Login to the primary Cisco Unified Attendant Console Advanced web administration (
https://<hostname or IP address>/webadmin/login.aspx
). -
Navigate to
. -
Click Select beside the directory source that is being used: Microsoft Active Directory or Active Directory Lightweight Directory Services.
-
Modify the Host Name or IP value (if required).
-
Set the Host Port to reflect either 636 or 3269 (based on the requirements of your directory source).
-
Enable Use SSL.
-
Click Save and then Test Connection to validate the connection details.
-
Navigate to
. -
Stop and Start the Cisco Unified Attendant LDAP Plug-in.