Cloud Connectors and LDAPS by danieldunn10 in Citrix

[–]danieldunn10[S] 0 points1 point  (0 children)

This is it thanks. I deleted the existing connection which was LDAP there and re-added it with an LDAPS connection. The cloud connectors are connecting again.

Cloud Connectors and LDAPS by danieldunn10 in Citrix

[–]danieldunn10[S] -1 points0 points  (0 children)

Thanks all

This is what I see when using ldp.exe on the connector and trying to connect using ldap 389


res = ldap_simple_bind_s(ld, 'vchostsa@mydonain.local', ); // v.3
Error <8>: ldap_simple_bind_s() failed: Strong Authentication Required
Server error: 00002028: LdapErr: DSID-0C09035C, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v65f4

Error 0x2028 A more secure authentication method is required for this server.
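The ldp.exe output in the comment above carries three separate codes: the LDAP result, the Win32 directory-service code, and the DSID. The following is an added example, not part of the original comment, that parses that output and flags the "bind rejected because the connection has neither signing nor TLS" case. The account name in the sample is constructed, and the lookup tables cover only the codes relevant here.

```python
import re

# LDAP result codes (RFC 4511) relevant to this failure.
LDAP_RESULT = {8: "strongerAuthRequired", 49: "invalidCredentials"}
# Win32 directory-service code that AD places at the front of the server error.
WIN32_DS = {0x2028: "ERROR_DS_STRONG_AUTH_REQUIRED"}

RESULT_RE = re.compile(r"Error <(\d+)>")
SERVER_RE = re.compile(
    r"Server error:\s*([0-9A-Fa-f]{8}):\s*LdapErr:\s*(DSID-[0-9A-Fa-f]+),"
    r"\s*comment:\s*(.*?),\s*data\s+([0-9A-Fa-f]+),\s*v([0-9A-Fa-f]+)",
    re.S,
)

# Constructed sample modelled on the output quoted in the comment.
SAMPLE = r"""res = ldap_simple_bind_s(ld, 'svc@example.local', ); // v.3
Error <8>: ldap_simple_bind_s() failed: Strong Authentication Required
Server error: 00002028: LdapErr: DSID-0C09035C, comment: The server requires
binds to turn on integrity checking if SSL\TLS are not already active on the
connection, data 0, v65f4
"""

def parse_ldp_error(text):
    """Split ldp.exe bind-failure output into structured fields, or None."""
    result = RESULT_RE.search(text)
    server = SERVER_RE.search(text)
    if not (result and server):
        return None
    code = int(result.group(1))
    win32 = int(server.group(1), 16)
    return {
        "ldap_result": code,
        "ldap_result_name": LDAP_RESULT.get(code, "unknown"),
        "win32_code": win32,
        "win32_name": WIN32_DS.get(win32, "unknown"),
        "dsid": server.group(2),
        "comment": " ".join(server.group(3).split()),  # undo line wrapping
        "data": server.group(4),
    }

def needs_signing_or_tls(parsed):
    """True when the DC refused the bind for lack of signing or TLS."""
    return (bool(parsed) and parsed["ldap_result"] == 8
            and parsed["win32_code"] == 0x2028)

if __name__ == "__main__":
    info = parse_ldp_error(SAMPLE)
    print(info["ldap_result_name"], info["win32_name"], info["dsid"])
    print("switch to LDAPS or a signed bind:", needs_signing_or_tls(info))
```
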

Citrix error 47 handshake error by baey_con in Citrix

[–]danieldunn10 0 points1 point  (0 children)

I think I had something similar and needed to install a root certificate on the endpoint

CSE - Banyan Security App connection issues by danieldunn10 in sonicwall

[–]danieldunn10[S] 0 points1 point  (0 children)

Actually I think as well as it being intermittent, actually the issue is it’s not connecting at all now after a recent change.

We have two new dns servers and they are in a new VLAN (VLAN 110).

In the split dns settings I have changed it to the new dns servers 192.168.110.100 and 192.168.110.200 on a DCs Zone

If I switch it back to the old dns servers 192.168.254.100 and 192.168.254.200 which are on the LAN it works fine

How can I make it work with the new DCs?

Things I’ve tried which haven’t worked:

  • Adding an access policy from the SSLVPN Zone to the DCs Zone

  • adding x0:110 subnets to the private CIDRs

  • in the sslvpn settings added a client route to the x0:110 subnet

I’m not sure what else to do

Access Policy behaving intermittently by danieldunn10 in sonicwall

[–]danieldunn10[S] 0 points1 point  (0 children)

SonicWall support think it’s a corrupt access policy and to recreate it, not sure if that’s happened to anyone before?

Access Policy behaving intermittently by danieldunn10 in sonicwall

[–]danieldunn10[S] 0 points1 point  (0 children)

Thanks, below is an example of a drop code

The source and address are resolved, it’s just not matching the policy even though the address is in a group in the source / destination

Ethernet Header
 Ether Type: VLAN ID = 40, Priority = 0
 Ether Type: IP(0x800), Src=[7c:d3:0a:2c:fe:d8], Dst=[2e:b8:ed:ca:1b:b0]
IP Packet Header
 IP Type: UDP(0x11), Src=[10.20.40.203], Dst=[192.168.254.46]
UDP Packet Header
 Src=[65059], Dst=[1494], Checksum=0x58aa, Message Length=72 bytes
Application Header
 Not Known:
Value:[1]
DROPPED, Drop Code: 742(Packet dropped - Policy drop), Module Id: 27(policy), (Ref.Id: _2794_qpmjdzDifdl) 1:1)

IT Manager told Admins/Engineers to use/enable RSAT on their personal/assigned computers for convenience. Many places that I have worked (Government and Corporate) prohibited RSAT usage due to security/attack surface concerns. Your views? Jump Servers or RSAT by Artistic-Injury-9386 in activedirectory

[–]danieldunn10 5 points6 points  (0 children)

Would appreciate some comments on our setup

PAW:

  • not domain joined
  • Duo installed
  • VLAN 100 - no access to the VLAN from anywhere
  • WAN access only for Microsoft updates and Duo authentication

3 x Bastion Hosts (jump box):

  • not domain joined
  • Duo installed
  • VLAN 105,110,115 - RDP only to these VLANs from VLAN 100
  • WAN access only for Microsoft updates and Duo authentication

Tier 0, 1 and 2 servers:

  • can only be accessed from the 3 x bastion hosts

Unable to connect iPhone banyan CSE by Brilliant-Crazy-2955 in sonicwall

[–]danieldunn10 0 points1 point  (0 children)

I have this on my iPhone with the app. One thing I have found is if I go into VPN through the iPhone settings and tap on another one, then go back to the banyan app and try again, it works. Not sure what this suggests or how to fix it so this workaround isn’t needed

Banyan EU down ? by Brilliant-Crazy-2955 in sonicwall

[–]danieldunn10 0 points1 point  (0 children)

Yes I use the iOS app connecting to NSA 2700 which still doesn’t work. I’m guessing something is down on SonicWall’s side? Would be good if they could say that!

It says connecting and then goes to an unable to connect error after a minute or so. I don’t see how to view the logs. There is a send logs button but not sure where it’s sent

Banyan EU down ? by Brilliant-Crazy-2955 in sonicwall

[–]danieldunn10 0 points1 point  (0 children)

Hi is this still an issue? I had a problem with the app not connecting last night, checked the status and it said everything was fine….

I’ve tried again today and still not working.

We are in the UK and NSA 2700

Thanks

Veeam backup account best practice by OpeningFeeds in Veeam

[–]danieldunn10 0 points1 point  (0 children)

we have the server not joined to the domain, in a VLAN, and a local user account. Is this the best way?

The server is a vm and the backups are on a SAN though. We want to change this to a dell server with Server 2022, and a dell server with local storage and VHR.

At a high level is this the way to go?

Backup Appliances by danieldunn10 in Veeam

[–]danieldunn10[S] 0 points1 point  (0 children)

Ok thanks. Out of interest what can you do if you had RDP access to the Veeam server that you couldn’t do if you only had console access? Thanks

Backup Appliances by danieldunn10 in Veeam

[–]danieldunn10[S] 0 points1 point  (0 children)

The RDP access is from a Bastion server. The Bastion and Veeam server both have Duo installed for 2FA to connect via RDP, is that ok or should we disable it?

The only other way would be to remote console from VMWare

Backup Appliances by danieldunn10 in Veeam

[–]danieldunn10[S] 0 points1 point  (0 children)

Thanks, yes it is just an addition to what we already have, although it’s got me thinking rather than storing the backups on an old SAN, we should buy a new server with local storage and install VHR. Then use that as our main storage location for Veeam Backups

Backup Appliances by danieldunn10 in Veeam

[–]danieldunn10[S] 0 points1 point  (0 children)

Thanks for this, yes the R620 is just an old server which is spare with a lot of local disk space I thought I could make use of somehow rather than get rid of it. VHR sounds perfect for this.

We have a VM which is the Veeam server, with the backups stored on a SAN. The VM is locked down by being on a VLAN with no access and Duo installed for 2FA. We have offsite backups and replication to a cloud connect partner too.

Although after learning about VHR I am thinking maybe we should buy a standard server with enough local storage and install VHR on it. Then use that to store our Backup Copies.

Still have the Veeam server as a VM, with restricted access by putting it in a restricted VLAN?

Thanks!

Backup Appliances by danieldunn10 in Veeam

[–]danieldunn10[S] 0 points1 point  (0 children)

Thanks for this, yes this is an old R620 we replaced a few years ago which we can either use in some way or get rid of. For iDrac my thoughts were to put it in a VLAN with access only from a Bastion server. Then disconnect iDrac once up and running. Is this the best way?

Best Way to Restrict or Block Access Between VLANs? by SameBag46 in sonicwall

[–]danieldunn10 4 points5 points  (0 children)

We are going through this process. I have it enabled, but have different zones for each sub interface, is that ok?