I'm migrating to an XGS136 (SFOS 19.5.1 MR-1-Build278).
The old firewall published LDAPS on 2 DCs to a specific WAN server that needs to do LDAPS lookups for AD integration. The destination device was set to an FQDN object corresponding to the internal domain name ("domain.local"). The intent was to make the firewall do a lookup against internal DNS servers to obtain IP addresses of the DCs. (As you may know, a "domain.local" record is created automatically in internal DNS when an AD domain is created, and querying it returns all DCs in the domain.)
This rule has worked on the old firewall.
I'm now attempting to re-create this rule on the XGS using "Server Access Assistant (DNAT)". I can only choose IP objects as the internal server. I can't choose FQDN objects. However, after I create the rule I can edit it to change the destination to the FQDN object.
I can certainly create an IP list object of DCs and use that instead of the FQDN object, but using the FQDN makes coordination automatic if I stand up a new DC, decommission one, or change a DC's IP address. AD will always update the "domain.local" DNS record.
Is there any reason I shouldn't be doing this?
This thread was automatically locked due to age.
