Hi All

We have a requirement to allow password changes to our internal AD accounts from a specific tool from outside of our network perimeter via Secure LDAP. We want to offer a single internet connection point, that has multiple Domain Controllers sitting behind it. That connection point will only allow connections from the IP address of our partner. ADFS or other technologies are not in the picture - it has to be LDAPS.

We have:

- pwchange.company.com (internet host)
- F5 termination point in our network
- group of AD DCs inside the LAN

For the example, let's call the DCs DC1.xyz.local and DC2.xyz.local.

We don't have an internal CA, and don't want to create one.

I'm aware that we need traffic routing to the DCs on Port 636.

I've read some Q articles, but am struggling to understand what certificate types we need to buy/create, and what should be on them.

Has anyone set this kind of thing up, and can offer some guidance?

Thanks in advance for any help.
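LDAPS is ordinary TLS on port 636, so the certificate the F5 presents on pwchange.company.com is judged the same way a browser judges a web server certificate: the client checks that a DNS entry in the subjectAltName matches the hostname it connected to and that the validity window covers the current time. The script below is an added example, not part of the original post, that runs that check over certificate dictionaries in the layout Python's `ssl.SSLSocket.getpeercert()` returns. The three sample certificates are constructed for illustration (the hostnames come from the question; the issuers, dates and contents are hypothetical), so it runs offline with no connection to any domain controller.

```python
"""Check whether a certificate is fit to present on an LDAPS listener.

Input is the dict layout returned by ssl.SSLSocket.getpeercert() after a
verified handshake.  The sample certificates below are constructed for this
example; they are not captured from any real server.
"""
import ssl
import time

# Constructed sample 1: what the public-facing F5 listener should present.
F5_LISTENER_CERT = {
    "subject": ((("commonName", "pwchange.company.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),  # hypothetical issuer
    "subjectAltName": (("DNS", "pwchange.company.com"),),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}

# Constructed sample 2: a self-signed certificate named only for the DC itself.
DC_CERT = {
    "subject": ((("commonName", "DC1.xyz.local"),),),
    "issuer": ((("commonName", "DC1.xyz.local"),),),
    "subjectAltName": (("DNS", "DC1.xyz.local"),),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2022 GMT",  # already expired
}

# Constructed sample 3: right name, but only in the CN, with no SAN extension.
LEGACY_CN_ONLY_CERT = {
    "subject": ((("commonName", "pwchange.company.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),  # hypothetical issuer
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}


def dns_names(cert):
    """Return the DNS SAN entries; fall back to the CN only when there is no SAN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for kind, value in rdn
            if kind == "commonName"]


def name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a single '*' as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the entire leftmost label, there must be at least two
    # more labels after it, and it matches exactly one label of the hostname.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def check_listener_cert(cert, hostname, now=None):
    """Return (ok, reasons) for presenting `cert` to clients that connect to `hostname`."""
    now = time.time() if now is None else now
    reasons = []
    names = dns_names(cert)
    if not any(name_matches(name, hostname) for name in names):
        reasons.append(f"no name matches {hostname}; certificate covers {names}")
    if "subjectAltName" not in cert:
        reasons.append("no subjectAltName extension; current TLS clients ignore the CN")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        reasons.append(f"not valid at check time (notBefore={cert['notBefore']}, "
                       f"notAfter={cert['notAfter']})")
    return (not reasons, reasons)


if __name__ == "__main__":
    public_name = "pwchange.company.com"
    for label, cert in (("F5 listener", F5_LISTENER_CERT),
                        ("DC1 self-signed", DC_CERT),
                        ("CN-only", LEGACY_CN_ONLY_CERT)):
        ok, reasons = check_listener_cert(cert, public_name)
        print(f"{label}: {'OK' if ok else 'REJECT'}")
        for reason in reasons:
            print(f"  - {reason}")
```

The second sample shows why the listener certificate and the DC certificates are separate questions: a certificate that names only DC1.xyz.local can never satisfy a client connecting to pwchange.company.com, and a public CA will not issue for a .local name in any case, so whatever is used on the F5-to-DC leg has to be handled on its own. The third sample is the other common mistake: putting the hostname only in the CN without a SAN, which current TLS clients reject.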