This article shows how to add an Active Directory server to the Sophos Firewall. This tutorial assumes a Sophos Firewall with the SFOS operating system.
Log in to your Sophos Firewall (SFOS) as an administrator and use the menu to open the Authentication > Servers page. Then click the blue Add button to add a new server. On this page we will now go through the settings in 12 steps and make the necessary entries.
Also refer to the following graphic, in which the steps are marked, so that you can follow the instructions more easily:
1. Server type
There are several types of authentication server you can add:
- LDAP server
- Active Directory
- RADIUS server
- TACACS+ server
In this guide we use Active Directory, the most commonly used method.
2. Server name
You are completely free to choose the server name. We usually use the hostname of the domain controller here.
3. Server IP/domain
Enter the IP address of the domain controller here.
4. Port
The port depends on the connection security, which you set further down in point 8. If you select SSL/TLS, for example, the port automatically changes to 636. We have tested the following combinations and they work:
- Port 389 (LDAP) → Connection security: Simple (set under point 8)
- Port 636 (LDAPS) → Connection security: SSL/TLS (set under point 8)
Note that with Simple on port 389 the bind credentials from points 6 and 7 cross the network unencrypted. Use LDAPS on 636 (or STARTTLS on 389) wherever the domain controller supports it.
5. NetBIOS domain
To find out the NetBIOS domain, the Active Directory Users and Computers program can help you. If you type "Active" into the search box of the Windows Start menu on the AD server, the entry should already appear.
Now right-click the domain name and select Properties. In my example the domain name is avanet.local. In the screenshot above the domain name is framed in red. The NetBIOS domain in our case is AVANET.
6. ADS username
Specify a user here who has the right to read the AD structure. In production environments we recommend using a dedicated service user here rather than the domain administrator; a plain domain user can read the directory and needs no additional group memberships. For this documentation, and only for testing purposes, we used the Administrator account, since it certainly has sufficient permissions.
7. ADS password
Enter the password for the ADS user specified in point 6.
8. Connection security
As described in point 4, the connection security is tied to the port. The default option, Simple, is sufficient in most cases. If your domain controller is configured differently, you will surely know what to do here yourself. The following options are possible:
- Simple (plain LDAP on port 389; credentials are sent unencrypted)
- SSL/TLS (LDAPS on port 636)
- STARTTLS (TLS negotiated on port 389)
9. Display name attribute
Under this item you determine how user names are displayed on your XG Firewall. You control this via the so-called display name attribute. The following attributes are available:
To find out which formatting is behind these terms, you can again use the Active Directory Users and Computers program. To see all attributes, you have to enable Advanced Features in the View menu.
10. Email address attribute
By default, and in most cases correctly, the attribute used here is mail.
Of course, the users' email addresses must be stored in their profiles on the AD. To check this, switch back to the Active Directory Users and Computers program and open the properties of a user. In the attribute list you should then see the address under mail.
11. Domain name
You can also use the Active Directory Users and Computers program to find out the name of your domain. The screenshot below shows where you can read the name. In our example it is avanet.local.
12. Search queries
In this field you specify the path (the distinguished name) of the OU in which the users and groups are located. If you want to search the whole structure, enter the base DN of the domain, in our example:
DC=avanet,DC=local
If you only want to include the users in the "Avanet > User" OU, enter the distinguished name of that OU instead.
You can check the composition of this path yourself on the Active Directory. To do this, open the Active Directory Users and Computers program and open the properties of your Organizational Unit (OU). Then look in the attributes for distinguishedName. The following screenshot shows how we did it in the "User" OU.
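As an added example (not part of the original article), the following PowerShell, run on a domain-joined Windows host with the RSAT ActiveDirectory module, collects the values the form asks for in steps 5, 6, 10, 11 and 12 straight from the directory instead of reading them off screenshots, and checks the ports and certificate relevant to steps 3, 4 and 8. The OU path "Avanet > User", the service account name svc-sophos-ldap and the domain controller name dc01 are assumptions for illustration.

```powershell
# Added example: gather the Sophos Firewall AD server settings from a DC.
# Assumptions: RSAT ActiveDirectory module, OU "Avanet > User",
# service account "svc-sophos-ldap", domain controller "dc01".
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Steps 5, 11 and 12: NetBIOS domain, DNS domain name and base DN
$netbios = $domain.NetBIOSName          # e.g. AVANET
$dnsName = $domain.DNSRoot              # e.g. avanet.local
$baseDn  = $domain.DistinguishedName    # e.g. DC=avanet,DC=local

# Step 12: read the distinguishedName of the OU instead of typing it by hand
$ou = Get-ADOrganizationalUnit -Filter "Name -eq 'User'" -SearchBase $baseDn |
      Where-Object { $_.DistinguishedName -like '*OU=Avanet,*' }
$searchQuery = if ($ou) { $ou.DistinguishedName } else { $baseDn }

# Step 6: dedicated read-only bind account rather than Administrator.
# An ordinary domain user can read the directory; no groups are added.
$svcName = 'svc-sophos-ldap'
if (-not (Get-ADUser -Filter "SamAccountName -eq '$svcName'")) {
    $pw = Read-Host -AsSecureString "Password for $svcName"
    New-ADUser -Name $svcName -SamAccountName $svcName `
        -UserPrincipalName "$svcName@$dnsName" `
        -AccountPassword $pw -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'LDAP bind account for Sophos Firewall (read-only)'
}

# Step 10: users in the search base that have no mail attribute set
$missingMail = Get-ADUser -SearchBase $searchQuery -Filter * -Properties mail |
               Where-Object { -not $_.mail }

# Steps 3, 4 and 8: is plain LDAP (389) and LDAPS (636) reachable on the DC?
$dc = 'dc01'
$ldapOpen  = Test-NetConnection -ComputerName $dc -Port 389 -InformationLevel Quiet
$ldapsOpen = Test-NetConnection -ComputerName $dc -Port 636 -InformationLevel Quiet

# Step 8: inspect the certificate the DC presents on 636 so you know which
# CA issued it and when it expires (validation is skipped here on purpose;
# this is a diagnostic, not a trust decision).
$cert = $null
if ($ldapsOpen) {
    $tcp = New-Object System.Net.Sockets.TcpClient($dc, 636)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($dc)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally {
        $tcp.Dispose()
    }
}

# Everything the Sophos form needs, side by side with the checks
[pscustomobject]@{
    NetBIOSDomain    = $netbios
    DomainName       = $dnsName
    SearchQuery      = $searchQuery
    ADSUsername      = $svcName
    UsersWithoutMail = @($missingMail).Count
    Port389Open      = $ldapOpen
    Port636Open      = $ldapsOpen
    LdapsCertSubject = if ($cert) { $cert.Subject } else { 'n/a' }
    LdapsCertIssuer  = if ($cert) { $cert.Issuer }  else { 'n/a' }
    LdapsCertExpiry  = if ($cert) { $cert.NotAfter } else { 'n/a' }
}
```

If Port636Open is false, the DC has no certificate bound for LDAPS and only the Simple (389) combination from point 4 will work until one is issued; if UsersWithoutMail is greater than zero, those users will appear on the firewall without an email address regardless of what you choose in point 10.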
To test the configuration you created in the last 12 steps, click the Test connection button. If the values above are filled in correctly and the Sophos Firewall can reach the AD, the following message should appear after a few seconds: