Just a heads up – I spoke w/ TAC who then spoke with the authors of the bulletin. They agreed to update the article to better reflect the new timeline posted by Microsoft and add clarification that LDAP functionality will not in fact break in March due to the patch expected in that month. The update will contain something along the lins of:
“This [Microsoft] security update is not expected to become mandatory until fall 2020. However, it's recommended that you update your Cisco Collaboration deployment to use Secure LDAP as soon as possible. This will both secure your LDAP connection and will also ensure that services remain up and running when the security update becomes mandatory.”
- Daniel Pagan
From: cisco-voip <cisco-voip-bounces@puck.nether.net> On Behalf Of Daniel Pagan
Sent: Tuesday, February 11, 2020 2:36 PM
To: Lelio Fulgenzi <lelio@uoguelph.ca>; Matthew Loraditch <MLoraditch@heliontechnologies.com>
Cc: voyp list, cisco-voip (cisco-voip@puck.nether.net) <cisco-voip@puck.nether.net>
Subject: Re: [cisco-voip] [EXT] Re: Field Notice from Cisco making Secure LDAP mandatory
Whoops – sent the email a bit prematurely…
Here’s a link to that VMware article with a recent update mentioning that defaults will not be changing in March.
https://blogs.vmware.com/vsphere/2020/01/microsoft-ldap-vsphere-channel-binding-signing-adv190023.html It seems the Cisco article is a bit behind and needs to be updated. Hopefully this buys everyone some time, especially for those supporting a number of environments.
- Daniel Pagan
From: Daniel Pagan
Sent: Tuesday, February 11, 2020 2:33 PM
To: Lelio Fulgenzi <lelio@uoguelph.ca<mailto:lelio@uoguelph.ca>>; Matthew Loraditch <MLoraditch@heliontechnologies.com<mailto:MLoraditch@heliontechnologies.com>>
Cc: voyp list, cisco-voip (cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>) <cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>>
Subject: RE: [EXT] Re: [cisco-voip] Field Notice from Cisco making Secure LDAP mandatory
It does not appear Microsoft will be enforcing LDAP over TLS with this upcoming patch. While the original plan was indeed to tighten this up, it seems this requirement is being delayed until after Q2 of the year.
The advisory was updated February 4th and shows:
Windows Updates in March 2020 add new audit events, additional logging, and a remapping of Group Policy values that will enable hardening LDAP Channel Binding and LDAP Signing. The March 2020 updates do not make changes to LDAP signing or channel binding policies or their registry equivalent on new or existing domain controllers.
A further future monthly update, anticipated for release the second half of calendar year 2020, will enable LDAP signing and channel binding on domain controllers configured with default values for those settings.
I found that VMware updated their advisory to reflect this recent change to Microsoft’s timeline two days later:
“Update (2/6/2020): On February 4, 2020 Microsoft changed their guidance for the March 2020 Windows Updates to indicate that the defaults will NOT be changing in that update.”
From: cisco-voip <cisco-voip-bounces@puck.nether.net<mailto:cisco-voip-bounces@puck.nether.net>> On Behalf Of Lelio Fulgenzi
Sent: Sunday, February 9, 2020 6:05 PM
To: Matthew Loraditch <MLoraditch@heliontechnologies.com<mailto:MLoraditch@heliontechnologies.com>>
Cc: voyp list, cisco-voip (cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>) <cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>>
Subject: [EXT] Re: [cisco-voip] Field Notice from Cisco making Secure LDAP mandatory
I believe we had to load two certs.
And, after loading certs, restart tomcat.
Sent from my iPhone
On Feb 9, 2020, at 5:23 PM, Matthew Loraditch <MLoraditch@heliontechnologies.com<mailto:MLoraditch@heliontechnologies.com>> wrote:
Interesting. Our root cert is and has been loaded, but I’m still using just the IPs so normally that would make the handshake fail.
Get Outlook for iOS<
https://aka.ms/o0ukef>
Matthew Loraditch?
Sr. Network Engineer
p: 443.541.1518<tel:443.541.1518>
w: www.heliontechnologies.com<
http://www.heliontechnologies.com/>
|
e: MLoraditch@heliontechnologies.com<mailto:MLoraditch@heliontechnologies.com>
<image367180.png><
http://www.heliontechnologies.com/>
<image755198.png><
https://facebook.com/heliontech>
<image389775.png><
https://twitter.com/heliontech>
<image921900.png><
https://www.linkedin.com/company/helion-technologies>
<image157220.jpg>
________________________________
From: Lelio Fulgenzi <lelio@uoguelph.ca<mailto:lelio@uoguelph.ca>>
Sent: Sunday, February 9, 2020 5:15:40 PM
To: Matthew Loraditch <MLoraditch@heliontechnologies.com<mailto:MLoraditch@heliontechnologies.com>>
Cc: James Buchanan <james.buchanan2@gmail.com<mailto:james.buchanan2@gmail.com>>; voyp list, cisco-voip (cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>) <cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>>
Subject: Re: [cisco-voip] Field Notice from Cisco making Secure LDAP mandatory
[EXTERNAL]
I couldn’t get secure ldap to work without loading the certificates from the AD servers. I also had more luck using the global catalog ports.
Sent from my iPhone
On Feb 9, 2020, at 5:05 PM, Matthew Loraditch <MLoraditch@heliontechnologies.com<mailto:MLoraditch@heliontechnologies.com>> wrote:
I was wondering if they were going to post anything as it’s very unclear if ldap over tls was the fix.
Apparently (and amen) it is. Did it on our office system last week to see if it would work without any certificate needs. It just worked and during a save it will instantly tell you if it worked or not.
Outside of the most regimented environments you should be able to just make the change. If it fails talk to your AD team as they would likely have something blocked or disabled.
Get Outlook for iOS<
https://aka.ms/o0ukef>
Matthew Loraditch?
Sr. Network Engineer
p: 443.541.1518<tel:443.541.1518>
w: www.heliontechnologies.com<
http://www.heliontechnologies.com/>
|
e: MLoraditch@heliontechnologies.com<mailto:MLoraditch@heliontechnologies.com>
<image502755.png><
http://www.heliontechnologies.com/>
<image552534.png><
https://facebook.com/heliontech>
<image068119.png><
https://twitter.com/heliontech>
<image315640.png><
https://www.linkedin.com/company/helion-technologies>
<image132003.jpg>
________________________________
From: cisco-voip <cisco-voip-bounces@puck.nether.net<mailto:cisco-voip-bounces@puck.nether.net>> on behalf of James Buchanan <james.buchanan2@gmail.com<mailto:james.buchanan2@gmail.com>>
Sent: Sunday, February 9, 2020 4:57:40 PM
To: voyp list, cisco-voip (cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>) <cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>>
Subject: [cisco-voip] Field Notice from Cisco making Secure LDAP mandatory
[EXTERNAL]
Hello folks,
I know you all needed some more work. I sure did! So here you are!
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/trouble/12_5_1/fieldNotice/cucm_b_fn-secure-ldap-mandatory-ad.html I'm interested in any early thoughts on other integrations--vCenter, ISE, VPN, TACACS, etc. I assume it applies across the board.
Thanks,
James
_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net<mailto:cisco-voip@puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip
