Users are unable to reset expired passwords when prompted by Active Directory. They may be prompted when using the Desktop Login client, or when connecting via a VPN.
On each Defender Security Server (DSS), run the Defender Security Server Configuration tool. In the SSL Port field, type the port number that the Defender Security Server will use to establish a secure (LDAPS) connection to Active Directory. This port is used only for user password changes between the Defender Security Server and Active Directory. The default port number is 636.
For expired password changes to work, LDAPS must be enabled on the Active Directory domain controllers that the DSS uses. Active Directory accepts a password change only over an encrypted connection, so without LDAPS the change is rejected. Enabling LDAPS requires a suitable certificate to be installed on each domain controller.
Refer to the Microsoft article "LDAP over SSL (LDAPS) Certificate" for the certificate requirements and the steps to enable LDAPS.
Once LDAPS is in place, test the connection from the Defender Security Server Configuration tool: open the Test Connection tab and click Test.
A successful test shows output similar to the following:
HH:MM:SS Authenticating to yourdomain.com:636 with administrator
HH:MM:SS Authenticated to directory @ yourdomain.com:636
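If the Test Connection tab reports a failure instead, the PowerShell script below is an added example (not part of the original article or the Defender product) for checking the same things from the DSS host before going back to the DSS configuration: that a domain controller is listening on the SSL port, that the certificate it presents names the domain controller, chains to a trusted root on this host and carries the Server Authentication EKU, and that a bind over LDAPS succeeds. The domain controller name, port and bind account are placeholders; the EKU and name checks reflect Microsoft's LDAPS certificate requirements, but the way they are checked here is this example's own.

```powershell
# Added example, not from the original article. Run on the DSS host so the check
# uses the same network path and certificate trust store the DSS itself uses.
param(
    [string]$DomainController = "dc01.yourdomain.com",   # assumed DC FQDN
    [int]$Port = 636,                                    # default DSS SSL port
    [string]$TestUser = "yourdomain\administrator"       # assumed bind account
)

# 1. Is anything listening on the SSL port? A closed port means LDAPS is not
#    enabled on the DC or a firewall is in the way.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($DomainController, $Port)
} catch {
    Write-Error "TCP $Port on $DomainController is closed: LDAPS is not enabled or is blocked."
    return
}

# 2. Complete a TLS handshake and capture the certificate the DC presents.
#    The callback accepts any certificate here; trust is checked explicitly below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($DomainController)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

"Subject     : $($cert.Subject)"
"Issuer      : $($cert.Issuer)"
"Valid until : $($cert.NotAfter)"

# Does the certificate chain to a root this host trusts?
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Certificate chain is not trusted on this host: $status"
}

# The DC's FQDN must appear in the certificate (Subject CN or SAN).
$san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$names = if ($san) { $san.Format($false) } else { $cert.Subject }
if ($names -notmatch [regex]::Escape($DomainController)) {
    Write-Warning "Certificate does not name $DomainController (found: $names)"
}

# Server Authentication EKU (1.3.6.1.5.5.7.3.1) is required for an LDAPS certificate.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if (-not $eku -or ($eku.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.1')) {
    Write-Warning "Certificate lacks the Server Authentication EKU"
}

# 3. Bind over LDAPS with a real account, which is what a password change needs.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, $Port, $true, $false)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
$cred = Get-Credential -UserName $TestUser -Message "Password for LDAPS bind test"
try {
    $conn.Bind($cred.GetNetworkCredential())
    "Authenticated to directory @ ${DomainController}:$Port"
} catch {
    Write-Error "LDAPS bind failed: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}
```

A chain warning from this script on the DSS host usually means the issuing CA certificate is not in that host's trusted root store, which the DSS Test Connection error will not always make obvious; a name or EKU warning means the certificate installed on the domain controller does not meet the requirements in the Microsoft article and LDAPS will not be offered correctly even though port 636 is open.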