Hello, first post. I run McAfee DLP 9.0, managed in ePolicy Orchestrator 4.5.0 (Build 753)
Problem: when I try to populate a User Assignment Group in DLP 9.0 I get the following error: "Active Directory is unreachable".
1) I understand that DLP uses LDAP to perform look-ups against Active Directory (DC). We use Windows Server 2003.
2) It seems LDAP tries to contact the Forest Root DC to access Active Directory.
3) I can connect and bind to my Forest Root Domain Controller (AD) using LDAP over port 389 with LDAP.exe (Microsoft product), i.e. it is not being blocked by a firewall.
4) I have also checked that my Domain Admin account has 'Read' access to the Forest Root Domain Controller
Thus, I can create lots of great rules with DLP; I just cannot apply them to any users! Can anyone help? I have read the KB articles on this problem. I have not upgraded from 3.0 to 9.0. It was a fresh install of 9.0. I have re-installed the product about 3 times now and I still cannot access my Domain Controller.
I have attached an extract from the server.log file. If it helps, the forest root is called "Internal". The log file states "forest: Internal - failed contacting forest", even though I can ping it, telnet to it, resolve it via DNS and bind to it with my credentials via LDAP. Why on earth can't DLP contact it, using the same credentials?
Also, ePolicy Orchestrator (ePO) can access the local domain controller, and thus I can fire off McAfee agents to users and computers within Active Directory. It seems ePO uses a different protocol to browse the domain environment. DLP seems to use LDAP and will only refer to your Forest Root DC for a referral to your local DC. I have tried to tell DLP to look at my local DC but it just says it cannot be found. In fact, I don't think it tries, as when you launch DLP it recognises the forest root name and will 'only' search the forest root DCs.
Well, this is driving me mad so any help will be greatly appreciated.
Check, using the Admin tools, whether you can connect to AD using the same ID you logged in with! I don't think adding an LDAP server (AD server) is required in ePO, but give this a try anyway!
- Amiya Bisoi
Ok. I have resolved this issue.
Host DLP uses the following two ports to communicate with the Forest Root Domain Controller to reach Active Directory via Sites & Services:
1) LDAP - Port 389
2) Kerberos - Port 88
My Forest Root Domain Controller was in a different country and was being blocked by a firewall. Although ePO could communicate, Host DLP could not. I used Wireshark to see the LDAP requests being generated and then the Kerberos requests. BOTH of these ports need to be open.
I can now Apply DLP Policy to users.
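The resolution above (and the connectivity checks in the original question, which only covered LDAP on 389) come down to one test: can the DLP server complete a TCP connection to the forest root DC on both 389 and 88? The script below is an added example written for this thread, not McAfee's code or anything from the thread. It probes both ports, classifies the result the way the resolution describes (LDAP answering while Kerberos is blocked is exactly the failing case), and includes an offline self-check that reproduces that case on loopback with a constructed listener. The DC hostname on the command line and the `ldap`/`kerberos` role names are assumptions for illustration; the port numbers come from the post. It tests TCP only; Kerberos clients may also use UDP 88, which a plain TCP connect does not exercise.

```python
"""Reachability probe for the two ports Host DLP needs on the forest root DC.

Added example for this thread, not McAfee's code. Assumes the forest root DC
hostname is passed on the command line; ports are taken from the resolution
above (LDAP 389, Kerberos 88). TCP only: UDP 88 is not exercised.
"""
import socket
import sys

DLP_PORTS = {"ldap": 389, "kerberos": 88}  # per the resolution in the thread


def tcp_open(host, port, timeout=3.0):
    """Return (True, '') if a TCP handshake completes, else (False, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, ""
    except socket.timeout:
        # A silent drop is the usual signature of a firewall in the path.
        return False, "timeout (SYN probably dropped by a firewall)"
    except OSError as exc:  # refused, unreachable, name resolution failure
        return False, exc.strerror or str(exc)


def probe(host, ports=DLP_PORTS, timeout=3.0):
    """Probe each named service port; returns {name: (open, reason)}."""
    return {name: tcp_open(host, port, timeout) for name, port in ports.items()}


def verdict(results):
    """Map probe results onto the thread's finding: both ports must be open."""
    ldap_ok = results["ldap"][0]
    krb_ok = results["kerberos"][0]
    if ldap_ok and krb_ok:
        return "ok: LDAP and Kerberos reachable; DLP should contact the forest"
    if ldap_ok and not krb_ok:
        # The case in the thread: ldp-style binds succeed, DLP still fails.
        return "kerberos blocked: LDAP bind works but DLP will still fail"
    if krb_ok and not ldap_ok:
        return "ldap blocked: DLP cannot even query the forest root"
    return "both blocked: check the firewall path to the forest root DC"


def selfcheck():
    """Offline demo on loopback: an open 'LDAP' port and a closed 'Kerberos' port.

    Uses a constructed local listener (not a real DC) to reproduce the
    thread's situation, then returns the verdict string.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)  # the kernel completes handshakes from the backlog
    open_port = srv.getsockname()[1]

    # Reserve an ephemeral port, then release it so a connect is refused.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    try:
        fake_ports = {"ldap": open_port, "kerberos": closed_port}
        return verdict(probe("127.0.0.1", fake_ports, timeout=2.0))
    finally:
        srv.close()


def report(host, ports=DLP_PORTS):
    """Probe a real host and return (verdict, per-port lines) for printing."""
    results = probe(host, ports)
    lines = []
    for name, port in ports.items():
        ok, reason = results[name]
        state = "open" if ok else "BLOCKED"
        lines.append(f"{name:9s} tcp/{port:<5d} {state} {reason}".rstrip())
    return verdict(results), lines


if __name__ == "__main__":
    if len(sys.argv) > 1:
        summary, detail = report(sys.argv[1])  # e.g. forest root DC FQDN
        print("\n".join(detail))
        print(summary)
    else:
        print("no host given; running loopback self-check:", selfcheck())
```

Run it from the DLP/ePO server, not from a workstation in the local site, because the firewall rule that matters is the one between that server and the forest root DC in the remote site. A `timeout` on 88 with 389 open matches what the poster saw in Wireshark; a `Connection refused` instead means the packet reached the DC but nothing is listening, which points at the DC rather than the firewall.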