How to integrate Sophos Firewall with Active Directory
This article shows how to add an Active Directory server to Sophos Firewall. This guide requires a Sophos Firewall with the SFOS operating system.
Log on to your Sophos Firewall (SFOS) as an administrator and go to the Servers page from the menu. Then click the blue Add button to add a new server. On this page we will now go through the settings in 12 steps and make the necessary entries.
Also note the following graphic with the steps drawn so that you can follow the instructions more easily:
1. Server type
There are several authentication servers that you can add:
- LDAP Server
- Active Directory
- Radius Server
- TACACS+ Server
In this tutorial we explain the most used method: Active Directory.
2. Server name
You are completely free to choose the server name. We often use the hostname of the server.
3. Server IP/domain
Enter the IP address of the domain controller here.
4. Port
The port depends on the connection security, which you set in step 8 below. For example, if you select SSL/TLS there, the port automatically changes to 636. We have tested the following combinations and they should work:
- Port: 389 (LDAP) → Connection security: Simple (defined in step 8)
- Port: 636 (LDAPS) → Connection security: SSL/TLS (defined in step 8)
5. NetBIOS domain
To find out the NetBIOS domain, use the Active Directory Users and Computers program on the domain controller. If you type “Active” into the search box of the Windows Start menu, the entry should already appear.
Now right-click on the domain name and select Properties. In my example the domain name would be avanet.local. In the upper screenshot you see the domain name framed in red. The NetBIOS domain in our case would be AVANET.
6. ADS user name
Specify a user who has the right to read the AD structure. In production environments we recommend using a dedicated service account rather than the domain administrator. For this documentation we have used the Administrator only for test purposes, because that account certainly has enough permissions.
7. ADS user password
Enter here the password for the ADS user specified in step 6.
8. Connection security
As described in step 4, the connection security is related to the port. By default, the Simple option works in most cases. If your domain controller is set up differently, you will know what to choose here. The following options are possible:
9. Display name attribute
This item allows you to specify how the usernames are displayed on your XG Firewall. You control this via the so-called “Display name attribute”. The following attributes are available:
To find out which format is hidden behind these terms, you can use the Active Directory Users and Computers program again. To be able to see all the attributes, you must have enabled Advanced Features in the View menu.
In the picture gallery below you can take a closer look at the attributes listed above using our example.
10. Email address attribute
By default, and in most cases, the
The users' email addresses must of course also be stored in their profile on the AD. To check this, switch back to the Active Directory Users and Computers program and open the properties of a user. An entry should now appear in the attribute list under
11. Domain name
You can also find out the name of your domain using the Active Directory Users and Computers program. The screenshot below shows where you can see the name. In our example this would be avanet.local.
12. Search queries
In this field you enter the path to the OU in which the users and groups are located. If you want to search the whole structure, you can enter the following: DC=avanet,DC=local. If in our example you only want to include the users in the OU “Avanet > User”, the entry would look like this:
You can also look up the composition of this path yourself on the Active Directory. Open the Active Directory Users and Computers program again and open the properties of your Organizational Unit (OU). Look in the attributes for distinguishedName. In the following screenshot you can see how we did this in the OU “User”.
To test the configuration you created in the last 12 steps, click on the button Test connection. If the values in your form have been filled in correctly and Sophos Firewall can reach the AD, the following message should appear after a few seconds:
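Before filling in the form, the values for steps 5, 6, 10, 11 and 12 can be read straight from the domain controller, and the LDAPS bind (steps 4 and 8) can be checked from the Windows side as well. The following PowerShell is an added example and not from the article or from Sophos; it assumes the RSAT ActiveDirectory module is installed, and the account name svc-sophos-ldap and the OU name User are placeholders.

```powershell
# Added example (not from the article): collect the values the Sophos Firewall
# form asks for and test an LDAPS bind before clicking "Test connection".
# Assumes the ActiveDirectory module (RSAT); svc-sophos-ldap and OU "User" are placeholders.
Import-Module ActiveDirectory

$domain = Get-ADDomain
"Step 5  NetBIOS domain : $($domain.NetBIOSName)"        # e.g. AVANET
"Step 11 Domain name    : $($domain.DNSRoot)"            # e.g. avanet.local
"Step 12 Search base    : $($domain.DistinguishedName)"  # e.g. DC=avanet,DC=local

# Step 12: distinguishedName of the OU the search should be limited to
$ou = Get-ADOrganizationalUnit -Filter 'Name -eq "User"' |
    Select-Object -ExpandProperty DistinguishedName
"Step 12 OU search base : $ou"

# Step 6: a dedicated read-only bind account instead of the domain Administrator.
# Ordinary Domain Users membership is enough to read the directory; add no extra groups.
$svcName = 'svc-sophos-ldap'
if (-not (Get-ADUser -Filter "SamAccountName -eq '$svcName'")) {
    $pw = Read-Host -Prompt "Password for $svcName" -AsSecureString
    New-ADUser -Name $svcName -SamAccountName $svcName -AccountPassword $pw `
        -Enabled $true -CannotChangePassword $true -Description 'LDAP bind for Sophos Firewall'
}

# Step 10: users in the OU without a mail attribute will have no e-mail address on the firewall
Get-ADUser -Filter * -SearchBase $ou -Properties mail |
    Where-Object { -not $_.mail } |
    Select-Object SamAccountName, DistinguishedName

# Steps 4/8: confirm port 636 answers and that the bind account can log on over TLS
$dc = $domain.PDCEmulator
Test-NetConnection -ComputerName $dc -Port 636 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
Add-Type -AssemblyName System.DirectoryServices.Protocols
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection("$($dc):636")
$conn.SessionOptions.SecureSocketLayer = $true
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
$cred = Get-Credential -UserName "$($domain.NetBIOSName)\$svcName" -Message 'Bind password'
$conn.Credential = $cred.GetNetworkCredential()
try   { $conn.Bind(); "LDAPS bind as $svcName succeeded" }
catch { "LDAPS bind failed: $($_.Exception.Message)" }
```

If the bind fails with a certificate error, the firewall's Test connection will fail in the same way, so fix the LDAPS certificate on the domain controller first.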