This article describes the steps to integrate Sophos Firewall with Active Directory (AD) for user authentication and access control.

When an AD user logs in to Sophos Firewall for the first time, the user is automatically added as a member of the default group. If the user's AD group exists in Sophos Firewall, the user is added as a member of that group.

All users have to be authenticated by Sophos Firewall before accessing any resources controlled by Sophos Firewall. The user sends the login request to Sophos Firewall. Sophos Firewall, in turn, authenticates the user by verifying the request against the directory objects that are created during the integration with AD. Once authentication succeeds, Sophos Firewall communicates with AD to get additional authorization data for access control.

The following sections are covered:

⦁    Determining NetBIOS, Domain Name and Search Queries

⦁    Adding AD to Sophos Firewall

⦁    Setting AD as the primary authentication method

⦁    Importing AD groups

⦁    Related information

Applies to the following Sophos products and versions

Sophos Firewall

Determining NetBIOS, Domain Name and Search Queries

From Active Directory, go to Start > Administrative Tools > Active Directory Users and Computers. Right-click the required domain and open the Properties tab.
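The domain name read from the Properties tab has to be entered in the Sophos Firewall AD server configuration as an LDAP base DN (for example DC=corp,DC=example,DC=com). The following Python helper, added here as an example and not part of the original article or of Sophos code, derives that base DN from the DNS domain name, narrows it to an OU chain where needed, and escapes RDN values per RFC 4514 so an OU name containing a comma cannot alter the DN structure. The domain and OU names used are constructed; the assumption is that the Search queries field accepts a DN of this form.

```python
"""Derive LDAP search-base strings in DN form from the DNS domain name shown
on the domain's Properties tab. Added example, not Sophos code; all domain
and OU names below are constructed for illustration."""
import re
from typing import Sequence

# RFC 4514: characters that must be escaped inside an RDN attribute value.
_DN_SPECIAL = ',+"\\<>;'

# One DNS label: 1-63 chars, alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def escape_rdn_value(value: str) -> str:
    """Escape a single RDN value so it cannot inject extra RDNs into the DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if (ch in _DN_SPECIAL
                or (ch == "#" and i == 0)            # leading '#' is special
                or (ch == " " and i in (0, last))):  # leading/trailing space
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def domain_to_base_dn(domain: str) -> str:
    """corp.example.com -> DC=corp,DC=example,DC=com (domain-wide search).

    A trailing dot (FQDN notation) is tolerated; malformed names raise.
    """
    labels = domain.strip().rstrip(".").split(".")
    if not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"not a valid DNS domain name: {domain!r}")
    return ",".join(f"DC={label}" for label in labels)


def ou_search_base(ou_path: Sequence[str], domain: str) -> str:
    """Restrict the search base to an OU chain given top-down, e.g.
    ['Users', 'Sales'] -> OU=Sales,OU=Users,DC=corp,DC=example,DC=com."""
    rdns = [f"OU={escape_rdn_value(ou)}" for ou in reversed(ou_path)]
    return ",".join(rdns + [domain_to_base_dn(domain)])
```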

Adding AD to Sophos Firewall

Go to Authentication > Servers and click Add to configure the Active Directory.

Setting AD as the primary authentication method

Go to Authentication > Services and, under Firewall Authentication Methods, select the recently added AD server as the primary authentication server.

Local server is selected as primary by default. Make sure that the recently added AD server is the first in the Selected Authentication Server list.

Importing AD groups

You can import AD groups in Sophos Firewall using the Import Group Wizard. Refer to Sophos Firewall: How to import Active Directory OUs and groups for detailed instructions.

⦁    If the Active Directory is down, the authentication request returns a 'Wrong username/password' message.

⦁    When multiple AD servers are configured, XG performs a validation against the AD servers in the order configured in the GUI. Please pay attention to the order in the GUI and the trust relationship amongst the ADs.