
Add Active Directory to Sophos Firewall (SFOS)

This article shows how to add an Active Directory server to the Sophos Firewall. This tutorial assumes a Sophos Firewall with the SFOS operating system.

Preparation

Log in to your Sophos Firewall (SFOS) as an administrator and use the menu to go to Authentication > Servers. Then click the blue Add button to add a new server. On this page we walk through the settings in 12 steps and make the necessary entries.

The following graphic has the 12 steps marked so that you can follow the instructions more easily:

1. server type

There are several authentication servers that you can add:

  • LDAP server
  • Active Directory
  • Radius Server
  • TACACS+ Server
  • eDirectory

In this guide we explain the most commonly used method: Active Directory.

2. server name

You are completely free to choose the server name. We often use the hostname of the server here.

3. server IP/domain

Enter the IP address of the domain controller here.

4. port

The port depends on the connection security, which you set further down in step 8. If you select SSL/TLS, for example, the port automatically changes to 636. We have tested the following combinations, and they work:

  • Port: 389 (LDAP) → Connection security: Simple or STARTTLS (set under step 8)
  • Port: 636 (LDAPS) → Connection security: SSL/TLS (set under step 8)

Note that with Simple on port 389 the bind credentials from steps 6 and 7 cross the network in cleartext; STARTTLS on 389 or SSL/TLS on 636 encrypts them, which is what you want on anything but a lab network.

5. NetBIOS domain

To find out the NetBIOS domain, the Active Directory Users and Computers program can help you. If you type "Active" into the search box of the Windows Start menu on the domain controller, the entry should already appear.

Now right-click the domain name and select Properties. In our example the domain name is avanet.local. In the screenshot above you can see the domain name framed in red. The NetBIOS domain in our case is AVANET.

6. ADS username

Specify a user here who has the right to read the AD structure. In production environments we recommend using a dedicated service user here and not the domain administrator: the firewall only needs to read users, groups and OUs, which any ordinary domain account can do, and the account's password is stored on the firewall. For this documentation, and only for testing purposes, we used the Administrator account, since it certainly has enough permissions.
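As an added example that is not part of the original article, the following PowerShell script creates such a dedicated bind account on the domain controller and checks that it has no group membership beyond Domain Users. The account name svc-sfos-ldap and the OU "OU=ServiceAccounts,DC=avanet,DC=local" are assumptions chosen for this example; the domain avanet.local is the article's example domain.

```powershell
# Added example, not part of the Sophos article: create a dedicated read-only
# bind account for the firewall instead of using the domain Administrator.
# Assumptions (hypothetical, chosen for this example): the RSAT ActiveDirectory
# module is available, the domain is avanet.local as in the article, the account
# is called svc-sfos-ldap and the OU "OU=ServiceAccounts,DC=avanet,DC=local" exists.
Import-Module ActiveDirectory

$samAccountName = 'svc-sfos-ldap'
$ouPath         = 'OU=ServiceAccounts,DC=avanet,DC=local'
$password       = Read-Host -AsSecureString -Prompt "Password for $samAccountName"

New-ADUser -Name 'SFOS LDAP bind' `
    -SamAccountName $samAccountName `
    -UserPrincipalName "$samAccountName@avanet.local" `
    -Path $ouPath `
    -AccountPassword $password `
    -Enabled $true `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true `
    -Description 'Read-only LDAP bind account for Sophos Firewall (SFOS)'

# An ordinary domain user can already read users, groups and OUs, which is all
# the firewall needs for authentication lookups. Confirm the account has picked
# up no group membership beyond the default "Domain Users":
$extraGroups = Get-ADPrincipalGroupMembership -Identity $samAccountName |
    Where-Object { $_.Name -ne 'Domain Users' } |
    Select-Object -ExpandProperty Name

if ($extraGroups) {
    Write-Warning "$samAccountName is also a member of: $($extraGroups -join ', ')"
} else {
    Write-Host "$samAccountName is a member of Domain Users only"
}
```

Enter svc-sfos-ldap as the ADS username in step 6 and the password you chose in step 7. If the account ever needs to be rotated, only the firewall's server entry has to be updated, and a compromise of the firewall does not hand out domain administrator credentials.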

7. password

Add the password for the ADS user specified in point 6.

8. connection security

As described in step 4, the connection security is tied to the port. The default option is Simple, which binds over plain LDAP on port 389 and sends the bind user's password in cleartext. If your domain controller is configured to require LDAP signing or channel binding, such a plaintext simple bind is rejected, so STARTTLS (port 389) or SSL/TLS (port 636) is the safer choice in either case. The following options are possible:

  • Simple
  • SSL/TLS
  • STARTTLS

9. display name attribute

Under this item you determine how user names are displayed on your XG Firewall. You control this via the so-called "Display Name attribute". The following attributes are available:

  • displayName
  • sAMAccountName
  • userPrincipalName
  • name

To see the formatting behind these names, you can again use the Active Directory Users and Computers program. To see all the attributes of an object, you first have to enable View > Advanced Features; the Attribute Editor tab then appears in the object's properties.

In the image gallery below you can take a closer look at the attributes listed above using our example.

10. email address attribute

By default, and in most cases, the attribute mail is used. This field is optional and only relevant if your XG Firewall also acts as an email server via the "Mail Transfer Agent" (MTA) mode. For this the firewall needs to know the users' email addresses, which is very helpful e.g. for the "Email Quarantine Report".

On the AD, of course, the email addresses must be stored in the users' profiles. To check this, switch back to Active Directory Users and Computers and open the properties of a user. In the attribute list (Attribute Editor tab) you should now see an entry under mail.

11. domain name

You can also find out the name of your domain with the Active Directory Users and Computers program. In the screenshot below you can see where to read the name. In our example this is avanet.local.

12. search queries

In this field you specify the distinguished name (DN) of the container below which the firewall searches for users and groups. If you want to search the whole structure, enter the domain DN: DC=avanet,DC=local. In our example, if you only want to include the users in the "Avanet > User" OU, the entry looks like this: OU=User,OU=Avanet,DC=avanet,DC=local. Note that a DN is written most specific part first, so the innermost OU comes first and the domain components come last.

You can also check the composition of this path yourself on the Active Directory. To do this, open the Active Directory users and computers program and call the properties of your Organizational Unit (OU). Then search in the attributes for distinguishedName. In the following screenshot you can see how we did it in the "User" OU.
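Rather than reading each value off a screenshot, the values for steps 3, 5, 9, 10, 11 and 12 can be taken from the domain itself. The following PowerShell script, added here as an example and not part of the original article, collects them on a domain-joined host and then performs the same reachability and bind checks that the firewall's Test connection button performs, using LDAPS on port 636. The bind account svc-sfos-ldap is an assumption; the OU path is the article's example "OU=User,OU=Avanet".

```powershell
# Added example, not part of the Sophos article: read the values the SFOS
# "Add server" form asks for out of the domain itself (steps 3, 5, 9, 10, 11, 12)
# and pre-check what the firewall's "Test connection" button will do, i.e. reach
# the domain controller and bind with the service account over LDAPS (port 636).
# Assumptions: run on a domain-joined Windows host with the RSAT ActiveDirectory
# module; the bind account svc-sfos-ldap is hypothetical; the OU path uses the
# article's example "OU=User,OU=Avanet".
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$bindUser = 'svc-sfos-ldap'
$bindPw   = Read-Host -AsSecureString -Prompt "Password for $bindUser"
$userOu   = 'OU=User,OU=Avanet'      # relative to the domain DN; set to '' for the whole domain

$domain = Get-ADDomain
$dc     = Get-ADDomainController -Discover
$dcHost = [string]$dc.HostName        # -Discover returns collections; cast to plain strings
$dcIp   = [string]$dc.IPv4Address
$searchBase = if ($userOu) { "$userOu,$($domain.DistinguishedName)" } else { $domain.DistinguishedName }

# Steps 3, 5, 11, 12: the form fields, taken from AD rather than typed by hand
[PSCustomObject]@{
    'Server IP/domain (step 3)' = "$dcIp ($dcHost)"
    'NetBIOS domain (step 5)'   = $domain.NetBIOSName
    'Domain name (step 11)'     = $domain.DNSRoot
    'Search query (step 12)'    = $searchBase
} | Format-List

# Step 12: the search base must exist, otherwise the firewall simply finds no users.
# Get-ADObject works for both an OU and the domain DN itself.
try {
    $null = Get-ADObject -Identity $searchBase
} catch {
    throw "Search base '$searchBase' does not exist: $($_.Exception.Message)"
}

# Step 9: what each "Display Name attribute" option would show, for a few users
Get-ADUser -Filter * -SearchBase $searchBase -ResultSetSize 5 -Properties displayName |
    Select-Object displayName, sAMAccountName, userPrincipalName, name |
    Format-Table -AutoSize

# Step 10: the 'mail' attribute is only useful if it is actually populated
$noMail = @(Get-ADUser -Filter * -SearchBase $searchBase -Properties mail |
    Where-Object { [string]::IsNullOrEmpty($_.mail) })
if ($noMail.Count -gt 0) {
    Write-Warning "$($noMail.Count) user(s) under $searchBase have no 'mail' attribute"
}

# Test connection (steps 3, 4, 8): TCP reachability of LDAPS, then a real bind
# with the service account. Anything that fails here will also fail on the firewall.
$tcp = Test-NetConnection -ComputerName $dcIp -Port 636 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP 636 to $dcIp is closed: the DC has no LDAPS certificate, or a firewall in between blocks it"
}

# Bind by host name so the DC certificate's subject/SAN can be validated.
$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dcHost, 636, $false, $false)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
# Basic = a simple bind (user name + password), here carried inside TLS rather than in cleartext
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = New-Object System.Net.NetworkCredential("$($domain.NetBIOSName)\$bindUser", $bindPw)
try {
    $conn.Bind()
    Write-Host "LDAPS bind as $($domain.NetBIOSName)\$bindUser to ${dcHost}:636 succeeded"
} catch {
    # Typical causes: wrong password, or the DC certificate is not issued by a CA this host trusts
    throw "LDAPS bind failed: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}
```

If the TCP check passes but the bind fails with a certificate error, the domain controller's LDAPS certificate is not trusted on the host you ran the script from; the firewall needs to trust the issuing CA in the same way before SSL/TLS in step 8 will work. If the script succeeds but the firewall's Test connection does not, the difference is almost always network path (a firewall rule between the SFOS interface and the DC) or the value typed into the form, not the directory itself.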

Test connection

To test the configuration you created in the preceding 12 steps, click the Test connection button. If the values above are filled in correctly and the Sophos Firewall can reach the domain controller on the chosen port, the following message should appear after a few seconds:
