Avanet

Add Active Directory to Sophos Firewall (SFOS)

This article explains how to add an Active Directory server to Sophos Firewall. It assumes a Sophos Firewall running SFOS.

Sophos now also provides a video that illustrates the process well.

Sophos Firewall v21 - New features at a glance

Preparation

Log in to your Sophos Firewall (SFOS) as an administrator and go to Authentication > Servers in the menu. Then click the blue Add button to add a new server. On this page, we will go through the settings in 12 steps and make the necessary entries.

The following graphic marks the individual steps so that you can follow the guide more easily:

Sophos Authentication Server Configuration

1. Server type

There are several authentication servers that you can add:

  • LDAP Server
  • Active Directory
  • Radius Server
  • TACACS+ Server
  • eDirectory

In this guide we explain the most commonly used method: Active Directory.

2. Server name

You are completely free to choose the server name. We often use the hostname of the server here.

3. Server IP/domain

Enter the IP address of the domain controller here.

4. Port

The port depends on the connection security setting that you define in step 8. For example, if you select SSL/TLS there, the port automatically changes to 636. We tested the following combinations and they work:

  • Port: 389 (LDAP) → connection security: Simple (defined in step 8)
  • Port: 636 (LDAPS) → connection security: SSL/TLS (defined in step 8)

5. NetBIOS domain

To find the NetBIOS domain, use Active Directory Users and Computers. If you type “Active” into the Windows Start menu search on the AD server, the entry should appear.

Find out NetBIOS name on Active Directory

Now right-click the domain name and select Properties. In our example, the domain name is avanet.local. In the screenshot above you can see the NetBIOS name framed in red. So the NetBIOS domain in our case is AVANET.

6. ADS username

Specify a user who has permission to read the AD structure. In production environments, we recommend using a service account rather than the domain administrator. For this documentation, we used the administrator for testing purposes only, because this account has sufficient permissions.

7. Password

Add the password for the ADS user specified in point 6.

8. Connection security

As described in point 4, the connection security determines the port. By default, the Simple option works in most cases. If your domain controller is configured differently, you surely know what to do here yourself. The following options are possible:

  • Simple
  • SSL/TLS
  • STARTTLS
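Before entering the values into the firewall, it is worth confirming from a Windows host that the port and connection-security pairing from steps 4 and 8 actually works with the account from steps 6 and 7. The following script is an added example and is not part of the Avanet article or a Sophos tool; it uses the .NET System.DirectoryServices.Protocols classes that ship with Windows. The domain controller address dc01.avanet.local and the service account name svc-sophos are placeholders, the NetBIOS domain AVANET comes from the article.

```powershell
# Added example (not from the Avanet article or Sophos): check the port /
# connection-security combination from steps 4 and 8 before configuring SFOS.
# Assumed values: DC address and service account name are placeholders.
param(
    [string]$DomainController = "dc01.avanet.local",   # placeholder, replace
    [string]$NetBiosDomain    = "AVANET",              # step 5 value from the article
    [string]$ServiceUser      = "svc-sophos",          # placeholder service account (step 6)
    # Mirrors the three choices of the SFOS drop-down in step 8
    [ValidateSet("Simple", "SSLTLS", "STARTTLS")]
    [string]$ConnectionSecurity = "SSLTLS"
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# Port follows the security setting exactly as SFOS does in step 4:
# SSL/TLS (LDAPS) uses 636, Simple and STARTTLS use 389.
$port = if ($ConnectionSecurity -eq "SSLTLS") { 636 } else { 389 }

# 1) Is the port reachable at all? A failure here is a routing or firewall
#    problem between the SFOS network and the DC, not a credential problem.
$tcp = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP port $port on $DomainController is not reachable"
}

# 2) Bind with the same account and security mode the firewall will use.
$cred       = Get-Credential -UserName "$NetBiosDomain\$ServiceUser" -Message "Password of the service account (step 7)"
$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, $port)
$conn       = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = $cred.GetNetworkCredential()

switch ($ConnectionSecurity) {
    "SSLTLS"   { $conn.SessionOptions.SecureSocketLayer = $true }             # LDAPS on 636
    "STARTTLS" { $conn.SessionOptions.StartTransportLayerSecurity($null) }    # TLS upgrade on 389
    "Simple"   { }   # plain bind on 389: the bind password crosses the wire unencrypted
}

try {
    $conn.Bind()
    "Bind OK: $ConnectionSecurity on port $port as $($cred.UserName)"
}
catch [System.DirectoryServices.Protocols.LdapException] {
    "Bind failed ($ConnectionSecurity, port $port): $($_.Exception.Message)"
}
finally {
    $conn.Dispose()
}
```

Run it once per combination you intend to use. With SSL/TLS or STARTTLS the bind only succeeds if the host trusts the certificate the domain controller presents; the same applies to the firewall, so a certificate error here will show up again at Test connection. A successful bind with Simple proves reachability and credentials, but keep in mind that this mode sends the service-account password in clear text on every bind.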

9. Display name attribute

Under this item you can determine how the user names should be displayed on your XG Firewall. You can control this via the so-called “Display-Name attribute”. The following attributes are available to you:

  • displayName
  • sAMAccountName
  • userPrincipalName
  • name

To see which formats these terms represent, use Active Directory Users and Computers again. To view all attributes, you must enable the Advanced Features view.

Activate view for the advanced features

In the image gallery below you can take a closer look at the attributes listed above using our example.

Sophos Firewall - authentication server Active Directory attribute sAMAccountName
Sophos Firewall - authentication server Active Directory attribute displayName
Sophos Firewall - authentication server active directory attribute userPrincipalName
Sophos Firewall - authentication server active directory attribute name

10. Email address attribute

By default, and in most cases, the attribute mail is used here. This field is optional and only relevant if your XG Firewall is also used as an email server via “Mail Transfer Agent” (MTA). For that, the XG should already know the users’ email addresses, which is very helpful for the “Email Quarantine Report”, for example.

On the AD server, the users’ email addresses must of course be stored in their profiles. To check this, switch back to Active Directory Users and Computers and open a user’s properties. An entry should now appear in the attribute list under mail.

Sophos Firewall - authentication server active directory attribute mail

11. Domain name

You can also find out the name of your domain using the Active Directory Users and Computers program. In the screenshot below you can see where you can read the name. In our example, this would be avanet.local.

Display domain name on Active Directory

12. Search queries

In this field you specify the path to the OU where the users and groups are located. If you want to search the whole structure, you can enter: DC=avanet,DC=local. In our example, if you want to specify only the users in the “Avanet > User” OU, the entry would look like this: OU=User,OU=Avanet,DC=avanet,DC=local

You can also look up the composition of this path yourself in Active Directory. To do this, open the Active Directory Users and Computers program again and access the properties of your Organizational Unit (OU). Then search the attributes for distinguishedName. In the following screenshot you can see how we did it for the “User” OU.

Display the Active Directory distinguishedName attribute in search queries
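All the values that steps 5, 9, 10, 11 and 12 ask you to read out of Active Directory Users and Computers can also be collected in one go with the ActiveDirectory PowerShell module on the domain controller (or on a host with RSAT installed). The script below is an added example and is not part of the Avanet article or a Sophos tool. The domain avanet.local and the “User” OU under “Avanet” come from the article; the sample user jdoe and the search base used for the mail check are placeholders.

```powershell
# Added example (not from the Avanet article or Sophos): read the values for
# steps 5, 9, 10, 11 and 12 from AD instead of clicking through the GUI.
# Assumed values: the sample user jdoe is a placeholder.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Step 5 (NetBIOS domain), step 11 (domain name) and the "whole structure"
# search base from step 12 all come from the domain object.
[pscustomobject]@{
    'Step 5  NetBIOS domain'  = $domain.NetBIOSName         # e.g. AVANET
    'Step 11 Domain name'     = $domain.DNSRoot             # e.g. avanet.local
    'Step 12 Whole structure' = $domain.DistinguishedName   # e.g. DC=avanet,DC=local
} | Format-List

# Step 12 (search queries) for a specific OU: its distinguishedName. Note the
# order, the innermost OU comes first: OU=User,OU=Avanet,DC=avanet,DC=local
Get-ADOrganizationalUnit -Filter "Name -eq 'User'" |
    Select-Object Name, DistinguishedName

# Steps 9 and 10: the four candidate display-name attributes and the mail
# attribute of one user, to see which format each attribute produces.
# displayName and mail are not in the default property set, so request them.
Get-ADUser -Identity 'jdoe' -Properties displayName, mail |
    Select-Object displayName, sAMAccountName, userPrincipalName, name, mail

# Step 10 check: users inside the search base that have no mail attribute.
# These would be missing from MTA features such as the Email Quarantine Report.
$searchBase = 'OU=User,OU=Avanet,DC=avanet,DC=local'   # placeholder, use your own OU
Get-ADUser -SearchBase $searchBase -Filter 'mail -notlike "*"' |
    Select-Object sAMAccountName, distinguishedName
```

The last query is the one worth keeping: once the firewall has been configured with a search base, any user it lists is one whose e-mail address the firewall will never learn, which is exactly the situation step 10 warns about.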

Test connection

To test the configuration you have created with the last 12 steps, click the Test connection button. If the values above are filled in correctly and Sophos Firewall can reach the AD, the following message should appear after a few seconds:

Success message that all information has been filled in correctly and Sophos Firewall was able to reach the AD