I think opening port 389, even restricted by IP, over the internet is a non-starter. That means that the logon credentials are being sent over the internet in the clear. Make sure you insist on the SSL variant, although I would note that I personally wouldn't even be happy about that. I would much prefer some kind of VPN setup directly to the box, if possible.
________________________________
From: Don Ely [mailto:don....@gmail.com]
Sent: Friday, November 20, 2009 2:27 PM
To: NT System Admin Issues
Subject: Re: Cisco Question

Create an ACL allowing only access from their IP address to your NAT'd address. Also, I'd put an SSL cert on your AD servers and use 636 instead...

On Fri, Nov 20, 2009 at 11:25 AM, Chyka, Robert <bch...@medaille.edu> wrote:

Hello,

We have a Library Catalog server that is hosted by the company that we subscribe to their databases. It is a server dedicated to our school, but hosted in their data center. They need to have LDAP access from their outsourced box to our internal AD Controllers for LDAP authentication for our users to the database server. Our AD servers sit behind an ASA Firewall. How would I set up the rule to allow port 389 to be open for the IP address of the outsourced server?

Any help is greatly appreciated.

Bob
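
Added example, not part of the thread or written by any of its participants: a small Python check that reads ASA-style `access-list` lines and flags LDAP permits that use cleartext port 389 or are not restricted to single hosts, which are the two points raised in the replies above. The ACL name `outside_in` and all addresses are constructed (RFC 5737 documentation ranges), and the parser assumes only the simple `permit tcp <src> <dst> eq <port>` form.

```python
import re

# Port keywords the ASA CLI accepts for the two LDAP services.
PORTS = {"ldap": 389, "ldaps": 636, "389": 389, "636": 636}

# Assumption: only "extended permit tcp <src> <dst> eq <port>" entries are parsed.
ADDR = r"any4?|host\s+\S+|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+"
ACE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+tcp\s+"
    rf"(?P<src>{ADDR})\s+(?P<dst>{ADDR})\s+eq\s+(?P<port>\S+)\s*$"
)

def audit_ldap_aces(config_text):
    """Return (line, findings) for every permit entry that targets 389 or 636."""
    results = []
    for raw in config_text.splitlines():
        m = ACE.match(raw.strip())
        if not m or m["port"] not in PORTS:
            continue
        findings = []
        if PORTS[m["port"]] == 389:
            findings.append("cleartext LDAP (389): simple binds expose credentials; use 636")
        if not m["src"].startswith("host"):
            findings.append("source is not a single host: restrict to the vendor server IP")
        if not m["dst"].startswith("host"):
            findings.append("destination is not a single host: restrict to one DC address")
        results.append((raw.strip(), findings))
    return results

# Constructed sample config, not taken from any real firewall.
SAMPLE = """\
access-list outside_in extended permit tcp any host 198.51.100.20 eq ldap
access-list outside_in extended permit tcp host 203.0.113.10 host 198.51.100.20 eq 389
access-list outside_in extended permit tcp host 203.0.113.10 host 198.51.100.20 eq ldaps
access-list outside_in extended permit tcp 203.0.113.0 255.255.255.0 host 198.51.100.20 eq 636
access-list outside_in extended permit tcp any host 198.51.100.30 eq https
"""

if __name__ == "__main__":
    for line, findings in audit_ldap_aces(SAMPLE):
        print("FLAG" if findings else "OK  ", line)
        for finding in findings:
            print("      -", finding)
```

Only the third sample entry (single source host, single destination host, port 636) passes without findings.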