This knowledge base article provides a number of frequently asked questions regarding the Sophos Central Admin AD Sync Utility.
The following sections are covered:
Applies to the following Sophos products and versions: Sophos Central Admin, Sophos Cloud AD Sync Utility
Active Directory synchronization allows administrators to implement a service that maps users and groups from Active Directory to Sophos Central.
Sophos Central AD Sync utility will import the following objects from the Active Directory:
Note: Only groups with more than one member will be created
Using multiple installations of the Active Directory utility within a single Central Dashboard is not a currently supported scenario. The current implementation of AD Sync isn't multi-domain aware, as it calculates sync deltas at the tenant scope/level.
A workaround for customers would be to segregate domains into separate Enterprise Dashboard tenants (subestates).
The AD Sync Utility tool can be downloaded from the following:
Note: Subsequent upgrades are done automatically within the utility itself. Each time a sync is triggered, the utility will check if there is a newer version.
A step-by-step review of the process and interface can be reviewed in Sophos Central: How to set up Active Directory Sync.
The utility can be installed on Windows computers only at this time. It is advisable to install it on a server operating system, especially if you have configured the utility to sync on a schedule.
AD Sync logs in three locations. Information about these locations can be found in Active Directory Sync Utility logging locations.
Note: If the customer needs to raise a case with support, please provide all logging information possible.
Please see Sophos AD Sync Utility fails to create a group or fails to reflect the correct number of users.
Users are filtered with the LDAP query:
The LDAP filter for groups is simply:
These filters can be extended on a per domain basis. For more information about Filtering and LDAP queries, please see Sophos Central Admin AD Sync Utility filters.
The AD Sync tool uses the Display name attribute when importing user information.
The AD Sync tool uses the attribute proxyAddresses for the alias.
The AD Sync tool matches AD users by Domain Login (Domain/user) and/or by email address.
Note: You can see which accounts will be matched prior to committing to a sync by choosing the Preview and Sync... option. If there is a match, you will see this listed under the Users to Modify tab. If there is no match, you will see the user under the Users to Add tab. You can choose to reject changes if you do not want to commit to the modifications.
Sophos AD Sync utility imports login names in the format of [NetBIOSDomainName]\[User]. A Mac, although joined to a domain reports the username as [MacComputerName]\[User]. As a result, the Mac computer does not associate with the existing Sophos Central AD Synced user and a new user is created based on the [MacComputerName]\[User] login name.
To map the Mac to the Central user the customer can delete the auto-generated Central user ([MacComputerName]\[User]) and then map the login, for example, [MacComputerName]\[User] to the AD Sync created user.
See Sophos Central for OS X - How to enable domain overrides for reported users for information on how to override this information locally on a client.
The AD Sync utility obtains a number of attributes that are common to a number of directory services such as OpenLDAP but only Active Directory is supported at this time.
We recommend that you use a secure LDAP connection, encrypted via SSL, and leave the Use LDAP over an SSL connection (recommended) checkbox selected. If, however, your LDAP environment doesn’t support SSL, using an insecure connection is not an option.
As of March 2020, Microsoft plans to release a security update on Windows Update that by default enables LDAP channel binding and LDAP signing hardening changes for Active Directory. Usually the port number is 636 for SSL connections; insecure connections on port 389 would not function with the MS security update.
To sync an entire AD forest, it is necessary to provide Active Directory credentials for a user with permissions across the entire forest.
In the root of the directory tree of the host server, an attribute called rootDomainNamingContext contains the DN of the root of this Active Directory forest.
In the root of the directory tree of the host server, an attribute called defaultNamingContext contains the DN of this host server.
A collection of entries under CN=Partitions, CN=Configuration, <rootDomainNamingContext>, with at least one or more entries containing all of the following:
For each of these entries, we include the value of its nCName attribute (which is a DN) in the areas to search, but only if that DN is not an ancestor DN of the host server specified in the AD Sync setup wizard.
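As an added illustration (not Sophos code), the following Python models the partition-selection rule described above on constructed RootDSE and CN=Partitions data. The function names, the sample forest, and the assumption that the host server's own defaultNamingContext is also searched are mine; the entry-qualifying conditions the utility applies before reading nCName are not reproduced, so the caller is assumed to have pre-filtered the entries.

```python
from typing import Dict, List

# Constructed sample data (not from the article): what a RootDSE read and a
# search under CN=Partitions,CN=Configuration,<rootDomainNamingContext> might
# return for a forest whose host server sits in a child domain.
ROOT_DSE = {
    "rootDomainNamingContext": "DC=corp,DC=example,DC=com",
    "defaultNamingContext": "DC=emea,DC=corp,DC=example,DC=com",
}
PARTITION_ENTRIES = [
    {"cn": "CORP", "nCName": "DC=corp,DC=example,DC=com"},          # forest root: ancestor of host
    {"cn": "EMEA", "nCName": "DC=emea,DC=corp,DC=example,DC=com"},  # the host server's own domain
    {"cn": "APAC", "nCName": "DC=apac,DC=corp,DC=example,DC=com"},  # sibling child domain
    {"cn": "EXAMPLE-NET", "nCName": "DC=example,DC=net"},           # second tree in the same forest
    {"cn": "Enterprise Configuration"},                             # no nCName: ignored
]

def dn_components(dn: str) -> List[str]:
    """Split a DN into its RDNs, normalised for case and spacing (assumes no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def is_ancestor_dn(candidate: str, descendant: str) -> bool:
    """True when candidate is a proper ancestor of descendant: its RDNs form a strict suffix."""
    c, d = dn_components(candidate), dn_components(descendant)
    return len(c) < len(d) and d[-len(c):] == c

def forest_search_bases(root_dse: Dict[str, str], partitions: List[Dict[str, str]]) -> List[str]:
    """Apply the rule from the article: keep every partition nCName that is not an
    ancestor DN of the host server. The host's own context is searched first
    (an assumption) and duplicates are dropped case-insensitively."""
    host_dn = root_dse["defaultNamingContext"]
    bases = [host_dn]
    seen = {host_dn.lower()}
    for entry in partitions:
        nc = entry.get("nCName")
        if not nc or nc.lower() in seen:
            continue
        if is_ancestor_dn(nc, host_dn):
            continue  # e.g. the forest root when the host server is in a child domain
        seen.add(nc.lower())
        bases.append(nc)
    return bases

if __name__ == "__main__":
    for base in forest_search_bases(ROOT_DSE, PARTITION_ENTRIES):
        print(base)
```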
This error can be encountered if the Sophos account used to link your AD Sync utility does not have Admin rights (e.g. Help Desk or Read-only roles).
The Central account you use to connect the AD Sync utility must not have MFA enabled. If all of your accounts have MFA enabled in Central Admin, configure one of them, or a new account, to have this disabled. Also see KBA 128142.
If you have a custom filter defined in the AD Sync tool that references an OU, and that OU is later removed from Active Directory, you will see the following errors:
Failed active directory synchronization. Reason: SophosCloudADSyncLib.DisplayableException: Error making a request over LDAP. Please review the connection settings you specified. The LDAP server returned the following error: 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
System.DirectoryServices.Protocols.DirectoryOperationException: The object does not exist.
The error does not reference the name of the removed OU. To resolve this error, you will need to review any filters you have set up under the AD Filters tab and Define Filters button. Remove any filters referencing objects removed from your Active Directory.
This error may be seen at the Preview & Sync step when the AD Sync tool is run manually.
Microsoft AD may contain invalid characters; the AD Sync tool will preview the data that needs to be synced but then fail with the above error.
To bypass this error, use the Sync on Schedule option (automatic, within the next 2-3 minutes), which skips the Preview step; the sync will then complete successfully.
Any user that is configured with a role within Central Admin for example Read-only, Help Desk, Admin and Super Admin and is also an AD sync account, will not be removed automatically by the AD Sync utility, regardless of its state in the Active Directory. This also applies to primary email address changes for users that have a Central Role.
In order to remove an AD Sync user with a Role assigned (after it has been removed in Active Directory), or to change the associated email address, you will need to first demote that account (in Central Admin) to a regular 'user', which removes the role and their ability to log in. After the next Central AD Sync scan, that account will be removed (or its email updated if changed, after which you can re-promote it to the role as needed).
This can be seen if there is a back end issue removing a login that was associated with a user who was removed or disabled in Active Directory. The AD sync will continue and finish even if this error is seen.
There is nothing that can be done to stop this particular error from showing until it is resolved within Sophos Central. Until then, these errors can be ignored.
This behavior has been seen if there are duplicate AD Sync users. Please follow the instructions provided below:
Currently, proxy details cannot be configured with the AD sync utility. The service runs using a local service account which by default will not have access to authenticate through any proxies. We commonly see the following error when dealing with a Proxy connection issue:
If you need to create an account that does have proxy access, the account that will be used to log in should have the following rights (the minimum for the AD Sync utility portion):
C:\ProgramData\Sophos\Sophos Cloud AD Sync
Note: Every time you change the service account used for the Sophos AD sync service - the Active Directory Sync tool will need to be reconfigured.
There is also an additional AD Sync proxy workaround described in the following community post.
On the local server or system you installed the AD sync utility on, go to the Programs and Features and choose to remove the Sophos Central AD Sync Utility.
While it is not possible to convert from one to the other, it is possible to switch if you first delete all of the existing AD objects (users, groups, folders) prior to switching AD Sync tools.
Other important notes about differences when using Azure AD:
This failure indicates the Sophos AD sync utility is unable to connect to your AD using the credentials/connection provided.
There is no special procedure in moving the AD Sync utility from one server to another. Simply install on another machine and configure the utility. Test if the AD Sync works properly on the new machine before uninstalling from the old one.
The Sophos Central help page can be found here.