LDAP authentication on FTD configured by cdFMC

carl.townshend
Level 1

Hi Guys

I am configuring remote access VPN on my FTD, this is setup via cdFMC aka SSC managed in the cloud.

Am I correct in saying to do this you go to 

Integrations > Other integrations > realms

Create the Realm and LDAP servers. Do you have to set the FTD to "proxy" the connection? Otherwise cdFMC has no way of talking to my internal LDAP servers.

Also, I am using LDAPS; how does the FTD resolve the name for my internal servers?

Cheers


wajidhassan
Level 4

Steps Overview (for Remote Access VPN + LDAP Realm on CDO/SSC)

1. Realm Configuration

Go to:

Integrations → Other Integrations → Realms

  • Create a new Realm.

  • Define your LDAP or LDAPS server(s).

  • Map user/group attributes as needed.

2. FTD as LDAP Proxy

Yes, you are absolutely correct — you must set the FTD as the proxy if the LDAP servers are internal/private.

Why?

  • CDO/SSC is cloud-based and has no direct reach into your internal network.

  • So, FTD must act as the LDAP proxy to communicate with your internal AD/LDAP servers on behalf of CDO.

How to do this:

  • In the realm setup, enable “Use FTD as proxy”.

  • The FTD device will make the LDAPS connection to your server and relay the result to CDO.


Using LDAPS (LDAP over SSL/TLS)

3. How Does FTD Resolve Internal Server Names?

When the FTD is acting as the LDAP proxy:

  • It must resolve the internal LDAP server FQDN you configured in the realm.

  • That means:

    • FTD must have internal DNS servers configured in Platform Settings → DNS.

    • These DNS servers must be able to resolve your LDAP server’s name (e.g., dc1.internal.local).

🧠 Tip: If you're seeing name resolution failures or timeouts:

  • SSH into the FTD (or use the diagnostic CLI) and test:

    > ping dc1.internal.local
    > nslookup dc1.internal.local

If these fail, double-check your FTD DNS settings.


4. LDAPS Certificate Validation

  • If you're using LDAPS (port 636), your FTD must trust the LDAP server’s certificate.

  • You may need to upload the LDAP server’s root CA into:

    • Objects → PKI → Trusted CA Certificates

  • If you skip this step, LDAPS will fail with a trust error.


🧪 Testing the Setup

Once the Realm is created and the FTD proxy is configured:

  • Go to Objects → Realms → Your Realm → Test.

  • Run a test bind or user lookup to confirm resolution + authentication.
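The three failure modes the answer above separates (name resolution, timeout, certificate trust) can be checked from an internal admin host before touching the realm again. This is an added example, not code from the post or from Cisco; it assumes the host uses the same internal DNS and can reach the same LDAP server on 636 as the FTD proxy, and that `cafile` points at the exported root CA you intend to upload under Trusted CA Certificates.

```python
import socket
import ssl
from typing import Optional

LDAPS_PORT = 636


def classify_failure(exc: BaseException) -> str:
    """Map an exception from the LDAPS probe to the failure class it points at.

    "dns"     -> FQDN did not resolve: check the FTD DNS servers in Platform Settings
    "trust"   -> server certificate not signed by a CA the client trusts: upload the root CA
    "timeout" -> no reply on 636: routing/ACL/firewall between the proxy and the server
    "refused" -> host reachable but nothing listening on 636: LDAPS not enabled on the DC
    """
    if isinstance(exc, socket.gaierror):
        return "dns"
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "trust"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    return "other"


def check_ldaps(host: str, cafile: Optional[str], timeout: float = 5.0) -> dict:
    """Resolve `host`, then open a verified TLS session to host:636 (no LDAP bind).

    `cafile` is the PEM root CA to trust; None falls back to the OS trust store.
    Returns a dict with the resolved IP, a status string and the peer subject on success.
    """
    result = {"host": host, "ip": None, "status": "ok", "error": None, "subject": None}
    try:
        result["ip"] = socket.gethostbyname(host)           # step 3: DNS resolution
        ctx = ssl.create_default_context(cafile=cafile)     # step 4: chain + hostname check
        with socket.create_connection((result["ip"], LDAPS_PORT), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["subject"] = dict(x[0] for x in tls.getpeercert()["subject"])
    except Exception as exc:  # classify rather than crash so the report is readable
        result["status"] = classify_failure(exc)
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    # Hypothetical names matching the answer's example; adjust to your environment.
    print(check_ldaps("dc1.internal.local", cafile="internal-root-ca.pem"))
```

A status of "trust" with a valid `cafile` usually means the DC presents a certificate whose SAN does not match the FQDN configured in the realm, which the FTD proxy will reject the same way.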