Symptom
When the Secure LDAP (LDAPS) server is defined in cdFMC by IP address, the TLS negotiation fails (a common cause, not confirmed here, is that the AD server's certificate names the host only by FQDN in its subject alternative names, so the client's name check rejects a connection made to the IP).
When the server is defined by FQDN instead, cdFMC appears to resolve the name through CDO's DNS service, which cannot resolve it: the AD server lives in an internal domain that is served only by the on-premises AD-integrated DNS server.
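The following is an added diagnostic, not code from the bug report or from Cisco: it mirrors the RFC 6125-style name check a TLS client performs, so you can predict whether a realm server defined by IP or by FQDN will pass against the AD server's certificate. The sample certificate dictionaries are constructed in the shape `ssl.SSLSocket.getpeercert()` returns; the host names, addresses and the `ad-root-ca.pem` path are hypothetical.

```python
"""Predict whether an LDAPS server certificate covers the name a client will connect to."""
import ipaddress
import socket
import ssl

# Constructed samples in getpeercert() format (hypothetical names and addresses).
AD_CERT_FQDN_ONLY = {
    "subject": ((("commonName", "dc01.corp.example.internal"),),),
    "subjectAltName": (("DNS", "dc01.corp.example.internal"),
                       ("DNS", "corp.example.internal")),
}
AD_CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "dc01.corp.example.internal"),),),
    "subjectAltName": (("DNS", "dc01.corp.example.internal"),
                       ("IP Address", "10.10.10.5")),
}


def _dns_name_match(pattern, host):
    """Case-insensitive DNS match; a wildcard is allowed only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert, target):
    """Return True if `target` (an IP literal or an FQDN) is covered by the certificate."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only ever matched against iPAddress SANs, never DNS names or CN.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in san)
    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        return any(_dns_name_match(name, target) for name in dns_names)
    # Legacy fallback: CN is consulted only when no DNS SANs exist; modern clients ignore it.
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_match(name, target) for name in cn)


def explain(cert, target):
    """Human-readable verdict for a proposed realm server definition."""
    ok = cert_covers(cert, target)
    return "%s: %s" % (target, "name check passes" if ok else "name check FAILS")


def fetch_cert(host, port=636, ca_pem="ad-root-ca.pem"):
    """Live helper (needs network; not used in the offline samples): trust the AD CA,
    skip the library's own hostname check, and return the peer certificate dict so
    cert_covers() can evaluate it against any candidate target."""
    ctx = ssl.create_default_context(cafile=ca_pem)
    ctx.check_hostname = False  # the name check is done by cert_covers() instead
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for cert in (AD_CERT_FQDN_ONLY, AD_CERT_WITH_IP_SAN):
        for target in ("10.10.10.5", "dc01.corp.example.internal"):
            print(explain(cert, target))
```

Run `cert_covers(fetch_cert("<AD IP>"), "<AD IP>")` against the real server: a `False` result means the IP-based realm definition cannot pass the name check until the certificate is reissued with an iPAddress SAN, which is the only way an IP literal is ever matched.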
Conditions
cdFMC connection to AD as LDAPS for REALM integration
Further Problem Description
Customer would like to define the Secure LDAP server by FQDN and have cdFMC resolve it.
- Although the CDO-hosted cloud-delivered FMC can proxy LDAP and ISE pxGrid requests through the eStreamer tunnel to an on-premises LDAP or ISE server, this works only when the identity realm source server is defined by IP address.
- For us it seems that the reason for the issue is: cdFMC can't proxy the DNS lookups for these on-premises servers, but tries to use the DNS service of CDO, which is capable of resolving public (and maybe some CDO-internal) domains only.
- So we think the solution could be: force cdFMC to somehow use the DNS service of the managed (on-premises) FTD to resolve the IP addresses for proxied LDAPS and ISE server connections.