The Sophos User Portal can be used to give your UTM clients access to functions such as the email quarantine, personal whitelists, and Remote Access VPN setup.
Access to the User Portal can be controlled with either local or backend authentication.
This article deals with User Portal access using Active Directory or LDAP backend authentication servers.
Applies to the following Sophos product(s) and version(s): Sophos UTM Software Appliance
On the Astaro:
Using an account with administrative rights, you can configure LDAP, AD, or both. You will need the full, exact Distinguished Name (DN) for the UTM to be able to work with AD or LDAP services. To determine the notation needed, open a Command Prompt on the server running the AD services. In my case, I have a separate login for when I want to be an administrator, bob2, so I ran the following command:
dsquery user -name b*
Among the responses was the one I was looking for:
Because I want to be able to use pre-existing AD groups to fine-tune the HTTP Proxy and to limit use of the Portal to select users, I’ll set the Base DN for my AD as:
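The DN that dsquery prints is the only piece of this setup that is easy to get subtly wrong (a stray space, an unescaped comma, or a Base DN that does not actually contain the Bind DN). The following helper, added here as an example and not part of the original article or of any Sophos tool, parses a DN the way the UTM and the domain controller read it and derives the domain-root Base DN from it. The DN strings in it are constructed sample values in the shape dsquery returns; the account and OU names are not from the article.

```python
"""Derive and sanity-check UTM Bind DN / Base DN values from a DN string.

Added example, not from the original article. The DNs used below are
constructed samples in the format dsquery prints, not real directory output.
"""
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN into (attribute, value) pairs, leaf first.

    dsquery wraps each DN in double quotes and escapes commas inside a
    value with a backslash (e.g. "CN=Alfson\\, Bob,..."), so the split must
    honour backslash escapes instead of splitting on every comma.
    """
    dn = dn.strip()
    if len(dn) >= 2 and dn[0] == dn[-1] == '"':
        dn = dn[1:-1]                       # strip the quotes dsquery adds
    rdns: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:                          # character after a backslash
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)               # keep the escape in the value
            escaped = True
        elif ch == ",":                      # unescaped comma ends the RDN
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    pairs: List[Tuple[str, str]] = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def domain_base_dn(dn: str) -> str:
    """Return the domain root (DC= components only) of any DN in the domain.

    Using the domain root as the Base DN lets the UTM see every OU, which is
    what allows pre-existing AD groups anywhere in the domain to be used for
    'Limit to backend group(s) membership'.
    """
    dcs = [f"DC={value}" for attr, value in parse_dn(dn) if attr == "DC"]
    if not dcs:
        raise ValueError("DN has no DC components; is this an AD/LDAP DN?")
    return ",".join(dcs)


def is_within(dn: str, base_dn: str) -> bool:
    """True when dn equals base_dn or sits below it in the directory tree.

    DN comparison is case-insensitive for attribute names and, in AD, for
    values as well, so both sides are normalised before comparing.
    """
    parts = [(a, v.lower()) for a, v in parse_dn(dn)]
    base = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    if len(base) > len(parts):
        return False
    return parts[-len(base):] == base


def check_bind_and_base(bind_dn: str, base_dn: str) -> List[str]:
    """Return a list of problems with a Bind DN / Base DN pair (empty = ok)."""
    problems: List[str] = []
    try:
        leaf_attr, _ = parse_dn(bind_dn)[0]
    except ValueError as exc:
        return [f"Bind DN does not parse: {exc}"]
    if leaf_attr not in ("CN", "UID"):
        problems.append("Bind DN should name an account (leaf RDN CN= or UID=)")
    if not is_within(bind_dn, base_dn):
        problems.append("Bind DN is not inside the Base DN; searches will not find it")
    return problems


if __name__ == "__main__":
    # Constructed sample in the format dsquery prints (quoted, one per line).
    sample = '"CN=bob2,OU=Admins,DC=ourdomain,DC=com"'
    base = domain_base_dn(sample)
    print("Base DN:", base)
    print("Problems:", check_bind_and_base(sample, base) or "none")
```

Feed the quoted line from `dsquery user -name b*` straight into `domain_base_dn` to get the value for the UTM ‘Base DN’ field, and run `check_bind_and_base` on the pair you intend to enter before pressing ‘Apply’; a Bind DN that lies outside the Base DN is the usual reason ‘Test Server Settings’ fails after the entries look right.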
It is likely that you have a hostname for the IP of the External interface of the Astaro; for example, mail.ourdomain.com. There’s a way for that name to point at the internal interface of the Astaro for users inside the firewall, which normally includes anyone who has connected via Sophos Remote Access VPN.
This assumes that internal users are set up to check an internal DNS server before looking for an external one on the internet. On your internal Domain Controller, make sure that in your internal DNS there is an entry in ‘Forward Lookup Zones’ in the ourdomain.com (substitute your domain name) folder that points the host name mail (your subdomain) at the IP of the internal interface on your UTM.
It is likely that you already have created a Definition in Networks for this server. If not, go to Definitions & Users > Definitions > Networks, and click on 'New Network Definition':
Don’t forget to hit ‘Save’.
Select the Definitions & Users > Authentication Services > Global Settings tab, check the box for ‘Create users automatically’ and hit ‘Apply’.
Select the Definitions & Users > Authentication Services > Servers tab and click on ‘New Authentication Server'.
For ‘Backend’, select ‘Active Directory’. It is likely that you will want to leave the ‘SSL’ box unchecked and the ‘Port’ unchanged at 389. Note that with ‘SSL’ unchecked the bind credentials and directory lookups travel unencrypted between the UTM and the domain controller.
The ‘Bind DN’ is the string we captured in the first step above (in our example):
Note: Do NOT hit the ‘Test Server Settings’ button yet! You must hit ‘Apply’ after you make any changes to the above and before you touch ‘Test Server Settings’ or your changes will be lost. First, fill in the ‘Base DN’ (in our example):
Hit ‘Apply’, then ‘Test Server Settings’.
To add an LDAP server as well: for ‘Backend’, select ‘LDAP’. For ‘Server’, click on the file folder and drag ‘AD Server’ into the box. It is likely that you will want to leave the ‘SSL’ box unchecked and the ‘Port’ unchanged at 389. Leave the ‘User Attribute’ set to ‘CN’ (Common Name). The ‘Bind DN’ is the string we captured in the first step above (in our example):
The ‘Base DN’ is (in our example):
Hit ‘Apply’. You should get a message that the LDAP settings were saved successfully.
Select the Definitions & Users > Users & Groups > Groups tab and hit ‘New group’. Name the group "Backend users" (for example).
For ‘Group type’, select ‘Backend membership’. For the ‘Backend’, select ‘LDAP’ or ‘Active Directory’ as appropriate.
If you want to limit which mail users can access the Sophos User Portal, check ‘Limit to backend group(s) membership’ and indicate which group(s) should have a personal whitelist and access to it.
From Management > User Portal > Global, click on the folder beside ‘Allowed networks’ then drag ‘Any’ into the box. You may want to restrict this more, but it’s likely you will have people both inside and outside your firewall who will want to access the User Portal.
Select whether you want to allow all users or only a select group or individuals, and hit ‘Apply’.
On the ‘Advanced’ tab, in the ‘Network Settings’ area, put mail.ourdomain.com (your subdomain.domain), leave 443 as the standard ‘HTTPS port’ [1] and hit ‘Apply’.
Your AD/LDAP users can now use the portal at https://mail.ourdomain.com/.
[1] Beginning with V7, Sophos moved WebAdmin access from port 443 to 4444 because many sites DNAT HTTPS traffic to an internal server. Our standard approach has been to create an additional IP on the External interface when we wanted to do things like offering Outlook Web Access via HTTPS. If it’s impractical for you to do this, then you’ll need to change the port; for example, change it to 1443 and use https://mail.ourdomain.com:1443/.
This article was submitted by Robert H. Alfson (Bob), MediaSoft Inc.