How to Integrate Sophos Firewall with Active Directory

Applicable Version: 15.01.0 onwards


Overview

The Active Directory (AD) integration feature of Sophos Firewall (SF) allows the device to map users and groups from AD to SF for authentication, so that the device can easily identify network users. SF communicates with Windows Directory Services to authenticate users based on groups, domains and organizational units.

When an AD user logs in to SF for the first time, the user is automatically added to SF as a member of the default group. If the user's AD group already exists in SF, the user is added as a member of that group instead; in other words, SF maps the user's group membership. If the user already exists in SF, SF checks the expiry date of both the user account and the group membership. If either has expired, the user is logged in with new profile parameters.

ADS Authentication Process

All users have to be authenticated by the device before accessing any resources controlled by the device.

This authentication mechanism allows users to gain access using the Windows credentials (user name and password) held in the Windows-based directory service.

The user sends a login (user authentication) request to SF. SF, in turn, authenticates the user by checking the request against the directory objects created during the integration with AD. Once the user is authenticated, the device communicates with AD to retrieve the additional authorization data it was configured to use (such as the user name, password, user groups and expiry date); this data is used to control access.

Note:

If AD is down, the authentication request fails with a 'Wrong username/password' message, even when the credentials are correct.

Scenario

Integrate SF with Active Directory (AD).

Prerequisites

Please determine the following AD configuration parameters before you begin integration.

  • The NetBIOS Domain name

  • The FQDN Domain name

  • The Search DN

  • The Active Directory Server IP address

  • The Administrator Username and Password (Active Directory Domain)

  • The IP address of SF Interface connected to Active Directory server

Configuration

You must be logged in to the Admin Console as an administrator with Read-Write permissions for the relevant feature(s).

You can integrate SF with AD by following the steps below.

Step 1: Configure Active Directory

  • Go to Objects > Assets > Authentication Server and click Add to configure the Active Directory.
  • Select Server Type as Active Directory.

  • Enter the Server Name; in this example, Sophos.

  • Enter the Server IP/Domain of the AD server (172.16.16.50 in this example) and its Port (389, the default).

  • Enter the NetBIOS Domain Name of the Server, and the Username and Password to access the Server.

  • Select the Connection Security:

    • Simple: User credentials are sent between the Device and the AD Server in plain text, so anyone able to observe the traffic can read them.
    • SSL: This is the most common method used to secure the connection. The Port changes from 389 (LDAP) to 636 (LDAPS, LDAP over SSL). Enable Validate Server Certificate if required; without it, the Device cannot tell a genuine AD Server from an impersonating one.

    • TLS: This is another method used to secure the connection. Here, the Device establishes a secure connection with the Server over the same port (389). Enable Validate Server Certificate if required; the same caveat as for SSL applies.

  • Enter the Display Name Attribute and Email Address Attribute of the Server.

  • Enter the Domain Name (which will be added to the Search Query) and the respective Search Queries. 

Click Test Connection to check whether SF is able to connect to the Active Directory server. If the connection succeeds, click Save to save the configuration.

Step 2: Select AD as the Primary Authentication Method

Go to System > System Services > Authentication. Under Firewall Authentication, select Active Directory as the primary authentication server.

Click Apply to save the configuration.

Note:

The local database is selected by default. Make sure that the Active Directory server is selected and is the first entry in the Selected Authentication Server list.

Step 3: Import AD Groups

Instead of creating AD groups again, you can import AD groups into SF using the Import Wizard. Refer to the article How to Import Active Directory OUs and Groups for detailed instructions.

Determine the NetBIOS Name, FQDN and Search DN

You can determine the NetBIOS Name, FQDN and Search DN by following the steps given below.

  • Log in to your AD server as a user with administrative privileges.
  • Go to Start > Programs > Administrative Tools > Active Directory Users and Computers.

  • Right-click the required domain and open the Properties tab.

  • The Search DN is based on the FQDN. In this scenario, the FQDN is sophos.com, so the Search DN is DC=sophos,DC=com.
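The following script is an added example and is not Sophos code. It pre-checks the Step 1 parameters before they are entered in the firewall: it derives the Search DN from the domain FQDN by the rule shown above (one DC= component per DNS label, so it also covers multi-label domains such as corp.example.local), and it flags weak or inconsistent Connection Security choices (Simple, SSL on a port other than 636, certificate validation switched off). The option names Simple, SSL and TLS are those of the SF admin console; the assumption that the TLS option is StartTLS on port 389, the ADServerConfig class and the check functions are ours.

```python
"""Pre-flight checks for the Sophos Firewall AD server parameters (Step 1).

Added example, not Sophos code. Derives the Search DN from the FQDN and
flags weak Connection Security settings before they are saved on the
firewall. Assumption: the SF "TLS" option is StartTLS on port 389.
"""
import re
from dataclasses import dataclass
from typing import List

LDAP_PORT = 389   # plain LDAP; also used by the "TLS" (StartTLS) option
LDAPS_PORT = 636  # LDAP over SSL; the "SSL" option

# A DNS label: letters, digits and hyphens, no leading/trailing hyphen, 1-63 chars.
_DNS_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def fqdn_to_search_dn(fqdn: str) -> str:
    """Build the AD Search DN from a domain FQDN: one DC= component per label.

    sophos.com         -> DC=sophos,DC=com   (the article's example)
    corp.example.local -> DC=corp,DC=example,DC=local
    """
    labels = fqdn.strip().rstrip(".").split(".")
    if labels == [""]:
        raise ValueError("empty FQDN")
    for label in labels:
        if not _DNS_LABEL.match(label):
            raise ValueError(f"invalid DNS label {label!r} in FQDN {fqdn!r}")
    # DNS labels never contain DN special characters (',' '+' '=' etc.),
    # so no RFC 4514 escaping is needed here.
    return ",".join(f"DC={label}" for label in labels)


@dataclass
class ADServerConfig:
    """Values entered under Objects > Assets > Authentication Server (hypothetical class)."""
    server_ip: str
    port: int
    connection_security: str   # "Simple", "SSL" or "TLS", as named in the SF console
    validate_server_cert: bool
    netbios_domain: str
    fqdn: str


_NO_CERT_CHECK = ("Validate Server Certificate is off: the firewall cannot tell a genuine "
                  "AD server from an impersonating one and would send the bind credentials "
                  "to either. Enable it.")


def check_ad_config(cfg: ADServerConfig) -> List[str]:
    """Return findings; an empty list means the settings are consistent and hardened."""
    findings: List[str] = []
    sec = cfg.connection_security

    if sec == "Simple":
        findings.append("Simple: the bind username and password cross the network in "
                        "plain text and can be read by anyone observing the path to the "
                        "AD server. Use SSL or TLS.")
    elif sec == "SSL":
        if cfg.port != LDAPS_PORT:
            findings.append(f"SSL selected but port is {cfg.port}; LDAPS uses {LDAPS_PORT}.")
        if not cfg.validate_server_cert:
            findings.append(_NO_CERT_CHECK)
    elif sec == "TLS":
        if cfg.port != LDAP_PORT:
            findings.append(f"TLS (StartTLS) selected but port is {cfg.port}; "
                            f"it runs over {LDAP_PORT}.")
        if not cfg.validate_server_cert:
            findings.append(_NO_CERT_CHECK)
    else:
        findings.append(f"unknown Connection Security value {sec!r}")

    # NetBIOS domain names are at most 15 characters and contain no dots.
    nb = cfg.netbios_domain
    if not nb or len(nb) > 15 or "." in nb:
        findings.append(f"NetBIOS domain name {nb!r} is not valid (1-15 characters, no dots).")

    return findings


if __name__ == "__main__":
    # Constructed sample: the article's values with the weakest setting, then a hardened one.
    weak = ADServerConfig("172.16.16.50", 389, "Simple", False, "SOPHOS", "sophos.com")
    hardened = ADServerConfig("172.16.16.50", 636, "SSL", True, "SOPHOS", "sophos.com")
    for name, cfg in (("weak", weak), ("hardened", hardened)):
        print(f"[{name}] Search DN: {fqdn_to_search_dn(cfg.fqdn)}")
        for finding in check_ad_config(cfg) or ["no findings"]:
            print(f"  - {finding}")
```

Run it before filling in the Step 1 form: the Search DN it prints goes into the Search Queries, and any finding should be resolved by choosing SSL on port 636 (or TLS on 389) with Validate Server Certificate enabled, which matches the Connection Security guidance in Step 1.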