diff --git a/box.js b/box.js
index 624388fae..95d88fb34 100755
--- a/box.js
+++ b/box.js
@@ -36,6 +36,7 @@ async function startServers() {
 await server.start(); // do this first since it also inits the database
 await proxyAuth.start();
 await ldap.start();
+ await ldap.startExposed();
 await dockerProxy.start();
 }
 
diff --git a/setup/start/cloudron-firewall.sh b/setup/start/cloudron-firewall.sh
index 838fd0d9e..b73a33082 100755
--- a/setup/start/cloudron-firewall.sh
+++ b/setup/start/cloudron-firewall.sh
@@ -36,9 +36,9 @@ if allowed_udp_ports=$(node -e "console.log(JSON.parse(fs.readFileSync('${ports_
 done
 fi
 
-# ldap server
-iptables -t filter -A CLOUDRON -p tcp -m multiport --dports 636 -j ACCEPT
-iptables -A CLOUDRON_RATELIMIT -p tcp --syn --dport 636 -m connlimit --connlimit-above 5000 -j CLOUDRON_RATELIMIT_LOG
+# ldap server we expose 3004 and also redirect from standard ldaps port 636
+iptables -t filter -A CLOUDRON -p tcp -m multiport --dports 636,3004 -j ACCEPT
+iptables -t nat -I PREROUTING -p tcp --dport 636 -j REDIRECT --to-ports 3004
 
 # turn and stun service
 iptables -t filter -A CLOUDRON -p tcp -m multiport --dports 3478,5349 -j ACCEPT
@@ -80,6 +80,11 @@ for port in 22 202; do
 iptables -A CLOUDRON_RATELIMIT -p tcp --dport ${port} -m state --state NEW -m recent --update --name "public-${port}" --seconds 10 --hitcount 5 -j CLOUDRON_RATELIMIT_LOG
 done
 
+# ldaps
+for port in 636 3004; do
+ iptables -A CLOUDRON_RATELIMIT -p tcp --syn --dport ${port} -m connlimit --connlimit-above 5000 -j CLOUDRON_RATELIMIT_LOG
+done
+
 # docker translates (dnat) 25, 587, 993, 4190 in the PREROUTING step
 for port in 2525 4190 9993; do
 iptables -A CLOUDRON_RATELIMIT -p tcp --syn ! -s 172.18.0.0/16 -d 172.18.0.0/16 --dport ${port} -m connlimit --connlimit-above 50 -j CLOUDRON_RATELIMIT_LOG
diff --git a/src/constants.js b/src/constants.js
index 54e5519aa..6e1c02bd4 100644
--- a/src/constants.js
+++ b/src/constants.js
@@ -29,8 +29,7 @@ exports = module.exports = {
 AUTHWALL_PORT: 3001,
 LDAP_PORT: 3002,
 DOCKER_PROXY_PORT: 3003,
-
- LDAPS_PORT: 636, // exposed LDAP with TLS
+ LDAPS_PORT: 3004, // exposed LDAP with TLS rerouting in iptables, exposed port is 636
 
 NGINX_DEFAULT_CONFIG_FILE_NAME: 'default.conf',
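Review bot: The new `await ldap.startExposed();` in startServers carries no comment, so a reader sees two LDAP starts in a row with nothing explaining that one is the internal listener and the other the externally reachable LDAPS one, nor that its port is not the one clients dial. The relationship is only recoverable by cross-reading constants.js and cloudron-firewall.sh in this same commit. I would annotate the call: `await ldap.startExposed(); // LDAPS listener on LDAPS_PORT (3004); cloudron-firewall.sh REDIRECTs public 636 to it`. Whether startExposed failing should abort startup the way the other awaits do is presumably intended, but the function's surrounding error handling is outside this hunk.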
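Review bot: The new `iptables -t nat -I PREROUTING -p tcp --dport 636 -j REDIRECT --to-ports 3004` is not idempotent: it inserts into the kernel's built-in nat chain rather than a script-owned chain, so unless the nat table is reset elsewhere in this script (not visible in the hunk) every re-run of cloudron-firewall.sh prepends another copy, and there is no matching delete. The surrounding `-A CLOUDRON` rules avoid this only because they live in a chain the script presumably flushes. Guard it with a check, `iptables -t nat -C PREROUTING -p tcp --dport 636 -j REDIRECT --to-ports 3004 2>/dev/null || iptables -t nat -I PREROUTING -p tcp --dport 636 -j REDIRECT --to-ports 3004`, or move it into a dedicated `CLOUDRON_NAT` chain handled like the filter chains. Note also that the rule has no interface or source scoping, so traffic from the docker bridge to the host's 636 is redirected as well; if that is intended, the comment should say so, and it should state why 3004 exists at all, e.g. `# LDAPS: the box process listens on unprivileged 3004; public 636 is REDIRECTed to it in nat PREROUTING` (assuming an unprivileged bind is the motive, which the diff does not state).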
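Review bot: In the new `for port in 636 3004; do` loop the 636 iteration is dead for inbound traffic: the REDIRECT added earlier in this same file runs in nat PREROUTING, which precedes the filter INPUT path, so by the time a SYN reaches CLOUDRON_RATELIMIT its destination port is already 3004 and only the 3004 rule ever counts. That is not wrong, since direct hits on 3004 and redirected 636 then share one per-source connlimit counter, but it will mislead whoever next tunes these limits. Either drop 636 from the loop or add `# 636 is REDIRECTed to 3004 in nat PREROUTING before filter sees it; only the 3004 rule is effective for inbound` above it. The `--connlimit-above 5000` value is carried over unchanged and, with connlimit's default /32 mask, is a per-source limit that a single host will rarely reach; whether CLOUDRON_RATELIMIT_LOG only logs or also drops is defined outside this hunk.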