How to integrate Sophos Firewall with Active Directory

This article shows how to add an Active Directory server to Sophos Firewall. This guide requires a Sophos Firewall with the SFOS operating system.

Preparation

Log on to your Sophos Firewall (SFOS) as an administrator and go to the Authentication > Servers page from the menu. Then click the blue Add button to add a new server. On this page we will now go through the settings in 12 steps and make the necessary entries.

Also note the following graphic with the steps drawn so that you can follow the instructions more easily:

Sophos Authentication Server configuration

1. Server type

There are several authentication servers that you can add:

  • LDAP Server
  • Active Directory
  • Radius Server
  • TACACS+ Server
  • eDirectory

In this tutorial we explain the most used method: Active Directory.

2. Server name

You are completely free to choose the server name. We often use the hostname of the server.

3. Server IP/domain

Enter the IP address of the domain controller here.

4. Port

The port depends on the connection security, which you set in step 8 below. For example, if you select SSL/TLS there, the port automatically changes to 636. We have tested the following combinations and they should work:

  • Port: 389 (LDAP) → Connection security: Simple (defined in step 8)
  • Port: 636 (LDAPS) → Connection security: SSL/TLS (defined in step 8)

5. NetBIOS domain

To find out the NetBIOS domain, use the Active Directory Users and Computers program. If you type “Active” into the search box of the Windows Start menu on the domain controller, the entry should already appear.

Find out the NetBIOS name on the Active Directory.

Now right-click the domain name and select Properties. In our example the domain name is avanet.local. In the screenshot above the domain name is framed in red. The NetBIOS domain in our case is AVANET.

6. ADS user name

Specify a user who has the right to read the AD structure. In production environments we recommend using a dedicated service user rather than the domain administrator. For this documentation we used the Administrator account only for test purposes, because it certainly has sufficient permissions.

7. Password

Enter the password for the ADS user specified in step 6.

8. Connection security

As described in step 4, the connection security is related to the port. By default, the Simple option works in most cases. If your domain controller is set differently, you will know what to do here. The following options are possible:

  • Simple
  • SSL/TLS
  • STARTTLS

9. Display name attribute

This item allows you to specify how the usernames should be displayed on your XG Firewall. You can control this via the so-called “Display name attribute”. The following attributes are available:

  • displayName
  • sAMAccountName
  • userPrincipalName
  • name

To see which value is behind each of these attribute names, you can use the Active Directory Users and Computers program again. To see all attributes, the Advanced Features view must be enabled.

Enable Advanced Features view.

In the picture gallery below you can take a closer look at the attributes listed above using our example.

10. Email address attribute

By default, and in most cases, the mail attribute is used here. This field is optional and only relevant if your XG Firewall is also used as an email server via “Mail Transfer Agent” (MTA). The Sophos Firewall should know the email addresses of the users, which is very helpful for the “Email Quarantine Report”.

On the AD, of course, the email addresses of the users must also be stored in their profiles. To check this, switch back to Active Directory Users and Computers and open the properties of a user. An entry should now appear in the attribute list under mail.

Properties of an AD user with the attribute 'mail'.

11. Domain name

You can also find out the name of your domain using the Active Directory Users and Computers program. The screenshot below shows where you can see the name. In our example this would be avanet.local.

Show domain name on the Active Directory.

12. Search queries

In this field you enter the path to the OU in which the users and groups are located. If you want to search the whole structure, enter the following: DC=avanet,DC=local. If, in our example, you only want to include the users in the OU “Avanet > User”, the entry looks like this: OU=User,OU=Avanet,DC=avanet,DC=local.

You can also look up the composition of this path yourself in Active Directory. Open the Active Directory Users and Computers program again and open the properties of your Organizational Unit (OU). In the attributes, search for distinguishedName. The following screenshot shows how we did this for the OU “User”.

Display the attribute 'distinguishedName' in the properties of the Organizational Unit.

Test connection

To test the configuration you created in the 12 steps above, click the Test connection button. If the values in your form are correct and Sophos Firewall can reach the AD, the following message should appear after a few seconds:

Success message that all information was filled in correctly and that Sophos Firewall was able to reach AD.
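If the test fails, it helps to confirm the values from steps 3 to 12 directly on the domain controller before changing anything on the firewall. The following PowerShell script is an added example and is not part of the original article or Sophos documentation; it assumes RSAT or the ActiveDirectory module is available, and the IP address, search base and service account name are placeholders matching the avanet.local example.

```powershell
# Added example (not from the original article). Run on a domain controller or a
# workstation with the ActiveDirectory module, as any domain user with read rights.
Import-Module ActiveDirectory

$DcAddress      = "192.0.2.10"                            # step 3, placeholder IP
$SearchBase     = "OU=User,OU=Avanet,DC=avanet,DC=local"  # step 12
$ServiceAccount = "svc-sophos-ldap"                       # step 6, assumed name

# Steps 5 and 11: NetBIOS domain, DNS domain name and the DN for a whole-domain search
$domain = Get-ADDomain
[pscustomobject]@{
    NetBIOSDomain = $domain.NetBIOSName        # expected: AVANET
    DomainName    = $domain.DNSRoot            # expected: avanet.local
    BaseDN        = $domain.DistinguishedName  # expected: DC=avanet,DC=local
}

# Steps 4 and 8: is the port for the chosen connection security reachable?
# 389 = Simple or STARTTLS, 636 = SSL/TLS
foreach ($port in 389, 636) {
    $ok = (Test-NetConnection -ComputerName $DcAddress -Port $port `
           -WarningAction SilentlyContinue).TcpTestSucceeded
    "Port {0}: {1}" -f $port, $(if ($ok) { "open" } else { "closed/filtered" })
}

# Step 12: does the search base exist exactly as typed? A wrong DN throws here.
try {
    $ou = Get-ADOrganizationalUnit -Identity $SearchBase
    "Search base OK: $($ou.DistinguishedName)"
} catch {
    "Search base not found: $SearchBase - compare with distinguishedName in ADUC"
}

# Steps 9 and 10: preview what each display name attribute and the mail attribute
# contain for the users below the search base; an empty mail column means those
# users cannot receive the Email Quarantine Report.
Get-ADUser -Filter * -SearchBase $SearchBase -Properties displayName, mail |
    Select-Object displayName, sAMAccountName, userPrincipalName, name, mail |
    Format-Table -AutoSize

# Step 6: confirm the service account exists and is enabled before using it as ADS user
Get-ADUser -Identity $ServiceAccount -Properties PasswordLastSet |
    Select-Object sAMAccountName, Enabled, PasswordLastSet
```

If the port check reports 636 as closed while 389 is open, use Simple or STARTTLS in step 8 or enable LDAPS on the domain controller first.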