
How to integrate Sophos Firewall with Active Directory
This article shows how to add an Active Directory server to Sophos Firewall. This guide requires a Sophos Firewall with the SFOS operating system.
Preparation
Log on to your Sophos Firewall (SFOS) as an administrator and go to the Authentication > Servers page from the menu. Then click the blue Add button to add a new server. On this page we will now go through the settings in 12 steps and make the necessary entries.
The following graphic shows the form with the steps marked, so that you can follow the instructions more easily:

1. Server type
There are several authentication servers that you can add:
- LDAP Server
- Active Directory
- Radius Server
- TACACS+ Server
- eDirectory
In this tutorial we explain the most used method: Active Directory.
2. Server name
You are completely free to choose the server name. We often use the hostname of the server.
3. Server IP/domain
Enter the IP address of the domain controller here.
4. Port
The port depends on the connection security, which you have to set in step 8 below. For example, if you select SSL/TLS there, the port will automatically change to 636. We have tested the following combinations and they should work:
- Port: 389 (LDAP) with Connection security: Simple (defined in step 8)
- Port: 636 (LDAPS) with Connection security: SSL/TLS (defined in step 8)
5. NetBIOS domain
To find out the NetBIOS domain, use the Active Directory Users and Computers program. If you type "Active" into the search field of the Windows Start menu on the AD server, the entry should already appear.

Now right-click on the domain name and select Properties. In my example the domain name would be avanet.local. In the upper screenshot you see the domain name framed in red. The NetBIOS domain in our case would be AVANET.
6. ADS user name
Specify a user who has the right to read the AD structure. In production environments we recommend using a dedicated service user and not the domain administrator. For this documentation we have only used the Administrator for test purposes, because that account certainly has sufficient permissions.
7. Password
Add here the password for the ADS user specified under step 6.
8. Connection security
As described in step 4, the connection security is related to the port. By default, the Simple option works in most cases. If your domain controller is set up differently, you will know what to do here. The following options are possible:
- Simple
- SSL/TLS
- STARTTLS
9. Display name attribute
This item allows you to specify how the usernames should be displayed on your XG Firewall. You can control this via the so-called "Display name attribute". The following attributes are available:
- displayName
- sAMAccountName
- userPrincipalName
- name
To find out what value is hidden behind each of these attribute names, you can use the Active Directory Users and Computers program again. To be able to see all the attributes, you must first enable the Advanced Features view.

In the picture gallery below you can take a closer look at the attributes listed above using our example.
10. Email address attribute
By default, and in most cases, the mail attribute is used here. This field is optional and only relevant if your XG Firewall is also used as an email server via "Mail Transfer Agent" (MTA). The Sophos Firewall should then know the email addresses of the users, which is very helpful for the "Email Quarantine Report".
On the AD, of course, the email addresses of the users must also be stored in their profiles. To check this, switch back to the Active Directory Users and Computers program and open the properties of a user. There should now be an entry in the attribute list under mail.

11. Domain name
You can also find out the name of your domain using the Active Directory Users and Computers program. The screenshot below shows where you can see the name. In our example this would be avanet.local.

12. Search queries
In this field you enter the path to the OU in which the users and groups are located. If you want to search the whole structure, you can enter the following: DC=avanet,DC=local. If in our example you only want to include the users in the OU "Avanet > User", the entry would look like this: OU=User,OU=Avanet,DC=avanet,DC=local.
You can also look up the composition of this path yourself on the Active Directory. Open the Active Directory Users and Computers program again and open the properties of your Organizational Unit (OU). Search the attributes for distinguishedName. In the following screenshot you can see how we did this in the OU "User".
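As an added example (not part of the original article), the following PowerShell script reads the same values that steps 5, 9, 10, 11 and 12 look up through the Users and Computers GUI directly from Active Directory, checks that the ports from step 4 are reachable, and lists the group memberships of the bind account from step 6. The domain controller name, the service user and the sample user are assumptions; the OU path is the one from step 12.

```powershell
# Added example: collect the values the Sophos Firewall form asks for.
# Requires the ActiveDirectory module (RSAT) on a domain-joined Windows host.
Import-Module ActiveDirectory

$Dc       = 'dc01.avanet.local'                      # assumed DC (step 3)
$OuDn     = 'OU=User,OU=Avanet,DC=avanet,DC=local'   # search query (step 12)
$BindUser = 'svc-sophos-ldap'                        # assumed ADS user (step 6)
$TestUser = 'jdoe'                                   # assumed sample user

# Steps 5, 11 and 12: NetBIOS name, DNS domain name and root DN of the domain
$domain = Get-ADDomain -Server $Dc
[pscustomobject]@{
    'NetBIOS domain (step 5)' = $domain.NetBIOSName
    'Domain name (step 11)'   = $domain.DNSRoot
    'Root search base (12)'   = $domain.DistinguishedName
} | Format-List

# Step 12: confirm the OU path exists and show its distinguishedName
$ou = Get-ADOrganizationalUnit -Server $Dc -Identity $OuDn -ErrorAction Stop
"OU distinguishedName: $($ou.DistinguishedName)"

# Steps 9 and 10: the display name candidates and the mail attribute of a user
Get-ADUser -Server $Dc -Identity $TestUser -Properties displayName, mail |
    Select-Object displayName, sAMAccountName, userPrincipalName, name, mail |
    Format-List

# Steps 4 and 8: check that LDAP (389) and LDAPS (636) are reachable from here.
# Note: a Simple bind on 389 sends the ADS user's password unencrypted, so
# 636 with SSL/TLS is the preferable combination; the firewall must then trust
# the certificate presented by the domain controller.
foreach ($port in 389, 636) {
    $result = Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue
    "Port ${port}: $(if ($result.TcpTestSucceeded) { 'reachable' } else { 'NOT reachable' })"
}

# Step 6: list the groups of the bind account to verify it is a plain
# read-only service user and not a member of Domain Admins.
Get-ADPrincipalGroupMembership -Server $Dc -Identity $BindUser |
    Select-Object -ExpandProperty Name
```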

Test connection
To test the configuration you created in the last 12 steps, click on the Test connection button. If the values in your form have been filled in correctly and the Sophos Firewall can reach the AD, the following message should appear after a few seconds:
