Change the Default Port for the Active Directory Server

Xavier Mustin

Staff member
If your WatchGuard device is configured to authenticate users with an Active Directory (AD) authentication server, it connects to the Active Directory server on the standard LDAP port by default, which is TCP port 389. If the Active Directory servers that you add to your WatchGuard device configuration are set up to be Active Directory global catalog servers, you can tell the WatchGuard device to use the global catalog port—TCP port 3268—to connect to the Active Directory server.

A global catalog server is a domain controller that stores information about every object in the forest. Applications can search the global catalog for objects anywhere in the forest without being referred to the specific domain controller that holds the requested data. If you have only one domain, Microsoft recommends that you configure all domain controllers as global catalog servers.
If the primary or secondary Active Directory server you use in your WatchGuard device configuration is also configured as a global catalog server, you can change the port the WatchGuard device uses to connect to the Active Directory server to increase the speed of authentication requests, because a global catalog lookup does not have to be referred to another domain controller. However, we do not recommend that you create additional Active Directory global catalog servers just to speed up authentication requests. The replication that occurs among multiple global catalog servers can use significant bandwidth on your network. Also note that TCP port 3268, like TCP port 389, carries unencrypted LDAP, and that any firewall or policy between the WatchGuard device and the server must allow the new port before you change it.
Configure the XTM Device to Use the Global Catalog Port

  1. From Policy Manager, click
    Or, select Setup > Authentication > Authentication Servers.
    The Authentication Servers dialog box appears.
  2. Select the Active Directory tab.
  3. In the Port text box, clear the contents and type 3268.
  4. Click OK.
  5. Save the Configuration File.
Find Out if Your Active Directory Server is Configured as a Global Catalog Server

  1. Select Start > Administrative Tools > Active Directory Sites and Services.
  2. Expand the Sites tree and find the name of your Active Directory server.
  3. Right-click NTDS Settings for your Active Directory server and select Properties.
If the Global Catalog check box is selected, the Active Directory server is configured to be a global catalog.
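The same check can be scripted from a domain-joined Windows host, which is handy when you want to verify the primary and secondary servers before you change the port on the device. The script below is an added example, not part of the original article or WatchGuard's documentation; the server name `dc01.example.com` and the user `jdoe` are placeholders you need to replace. It reads the same flag that the NTDS Settings check box sets, confirms that the global catalog has actually finished replicating in and is ready to answer, checks that TCP 389 and 3268 are reachable, and finally runs the same user lookup against both ports so you can see that the global catalog (the `GC://` provider) returns the user without a search base.

```powershell
# Added example (not from the WatchGuard article). Run on a domain-joined host
# with RSAT / the ActiveDirectory module installed. Names below are assumed.
param(
    [string]$Server = 'dc01.example.com',   # assumed: the AD server in the device config
    [string]$User   = 'jdoe'                # assumed: a sAMAccountName to look up
)

Import-Module ActiveDirectory

# 1. The IsGlobalCatalog flag mirrors the Global Catalog check box under NTDS Settings.
$dc = Get-ADDomainController -Identity $Server
"{0}: IsGlobalCatalog={1}" -f $dc.HostName, $dc.IsGlobalCatalog

# 2. A DC can be flagged as a GC before it has finished replicating the other
#    domains' partial partitions. RootDSE advertises isGlobalCatalogReady=TRUE only
#    once it is actually able to answer global catalog queries.
$rootDse = [ADSI]"LDAP://$Server/RootDSE"
"{0}: isGlobalCatalogReady={1}" -f $Server, $rootDse.isGlobalCatalogReady

# 3. Confirm the ports the device will use are reachable from this host.
#    Run this from a host on the same segment as the device's interface if you can.
foreach ($port in 389, 3268) {
    $r = Test-NetConnection -ComputerName $Server -Port $port -WarningAction SilentlyContinue
    "{0}:{1} reachable={2}" -f $Server, $port, $r.TcpTestSucceeded
}

# 4. Same lookup on both ports. LDAP:// binds to the server's default naming context
#    (one domain); GC:// binds to the global catalog root, which spans the forest, so
#    no search base is needed to find the user.
$roots = [ordered]@{
    389  = [ADSI]"LDAP://$Server"
    3268 = [ADSI]"GC://$Server"
}
foreach ($port in $roots.Keys) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = $roots[$port]
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$User))"
    $hit = $searcher.FindOne()
    "{0}:{1} found={2}" -f $Server, $port, ($null -ne $hit)
}
```

If step 1 shows `IsGlobalCatalog=True` but step 2 shows `isGlobalCatalogReady=FALSE`, leave the device on port 389 until replication completes; otherwise authentication requests to 3268 will fail even though the server is nominally a global catalog.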