
SSL VPN users authenticated by AD Security Group

Hi all,


I have an instance of Sophos UTM running in AWS. I have set up a remote authentication server with our AD and all is working fine. There is a security group in AD that is intended for SSL VPN users.

I have created a backend membership group on the UTM and limited it to the SSL VPN group in AD.


I have set up and tested SSLVPN with the default "Active Directory Users" group and it is fine. Users can log into the User Portal and access the Remote Access menu to download the installer and can connect and access internal resources. The issue begins when I change the group on the SSL VPN config to the SSL VPN Users group as per screenshot above.

When I do this, the Remote Access option disappears from their User Portal and they can no longer connect.


It looks like the UTM can't see the membership of that group, but I added the group to the Prefetch list and ran a prefetch, and it finds the group members and creates them on the UTM as per the log below.


2017:04:21-16:31:48 utm user_prefetch[12013]: ------------------------------------------------------------
2017:04:21-16:31:48 utm user_prefetch[12013]: Starting synchronization for adirectory
2017:04:21-16:31:48 utm user_prefetch[12013]: ------------------------------------------------------------
2017:04:21-16:31:48 utm user_prefetch[12013]: ------------------------------------------------------------
2017:04:21-16:31:48 utm user_prefetch[12013]: Searching for users
2017:04:21-16:31:48 utm user_prefetch[12013]: ------------------------------------------------------------
2017:04:21-16:31:48 utm user_prefetch[12013]: Connecting to ldap server
2017:04:21-16:31:48 utm user_prefetch[12013]: ldap server: ldap://192.168.0.X:389
2017:04:21-16:31:48 utm user_prefetch[12013]: Context 'CN=Sophos UTM SSLVPN Users,OU=Security Groups,OU=MyBusiness,DC=XXX,DC=local' is a group. Adding group members:
2017:04:21-16:31:48 utm user_prefetch[12013]: CN=test1,OU=Test Accounts,OU=Users,OU=MyBusiness,DC=XXX,DC=local
2017:04:21-16:31:48 utm user_prefetch[12013]: ------------------------------------------------------------
2017:04:21-16:31:48 utm user_prefetch[12013]: Performing ldap search:
2017:04:21-16:31:48 utm user_prefetch[12013]: searching 'CN=test1,OU=Test Accounts,OU=Users,OU=MyBusiness,DC=XXX,DC=local'
2017:04:21-16:31:48 utm user_prefetch[12013]: Ldap search returned 1 users
2017:04:21-16:31:48 utm user_prefetch[12013]: Search time: 0m 0s
2017:04:21-16:31:48 utm user_prefetch[12013]: ------------------------------------------------------------
2017:04:21-16:31:48 utm user_prefetch[12013]: Adding/updating users
2017:04:21-16:31:48 utm user_prefetch[12013]: ------------------------------------------------------------
2017:04:21-16:31:48 utm user_prefetch[12013]: # 1 Updating user test1
2017:04:21-16:31:48 utm user_prefetch[12013]: 1 user objects were found:
2017:04:21-16:31:48 utm user_prefetch[12013]: 0 users were created
2017:04:21-16:31:48 utm user_prefetch[12013]: 1 user was updated
2017:04:21-16:31:48 utm user_prefetch[12013]: 0 users are authenticated locally.
2017:04:21-16:31:48 utm user_prefetch[12013]: Overall time: 0m 0s
Any ideas? Am I doing something wrong here or is this a bug?
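The prefetch log above is the only hard evidence in this thread of what the UTM actually resolved. The following is an added example, not code from the original post or from Sophos: a small parser for user_prefetch lines that pulls out the LDAP URL, each group and the member DNs it expanded to, the per-search result counts and the created/updated totals, then reports findings an admin would act on (a group that expanded to nothing, a sync that wrote no users, members that did not resolve to user objects, and a bind over plain ldap:// rather than ldaps://). The line format is taken from the log posted above; the sample text is constructed from those lines, and the names PrefetchReport, parse_prefetch_log and check_report are this example's own.

```python
"""Parse Sophos UTM user_prefetch log lines and report what the sync actually did.

Added example, not part of the original thread. The line format matches the log
posted above; the report/finding logic and all names here are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Every line in the posted log carries this prefix; only the message after the colon matters.
LINE_RE = re.compile(r"^\S+ \S+ user_prefetch\[\d+\]: (?P<msg>.*)$")
GROUP_RE = re.compile(r"^Context '(?P<dn>[^']+)' is a group\. Adding group members:$")
URL_RE = re.compile(r"^ldap server: (?P<url>\S+)$")
DN_RE = re.compile(r"^CN=", re.IGNORECASE)
FOUND_RE = re.compile(r"^Ldap search returned (?P<n>\d+) users?$")
COUNT_RE = re.compile(r"^(?P<n>\d+) users? (?:was|were) (?P<what>created|updated)$")

# Constructed sample, shaped like the user_prefetch lines in the post above.
SAMPLE_LOG = """\
2017:04:21-16:31:48 utm user_prefetch[12013]: Connecting to ldap server
2017:04:21-16:31:48 utm user_prefetch[12013]: ldap server: ldap://192.168.0.X:389
2017:04:21-16:31:48 utm user_prefetch[12013]: Context 'CN=Sophos UTM SSLVPN Users,OU=Security Groups,OU=MyBusiness,DC=XXX,DC=local' is a group. Adding group members:
2017:04:21-16:31:48 utm user_prefetch[12013]: CN=test1,OU=Test Accounts,OU=Users,OU=MyBusiness,DC=XXX,DC=local
2017:04:21-16:31:48 utm user_prefetch[12013]: ------------------------------------------------------------
2017:04:21-16:31:48 utm user_prefetch[12013]: Performing ldap search:
2017:04:21-16:31:48 utm user_prefetch[12013]: searching 'CN=test1,OU=Test Accounts,OU=Users,OU=MyBusiness,DC=XXX,DC=local'
2017:04:21-16:31:48 utm user_prefetch[12013]: Ldap search returned 1 users
2017:04:21-16:31:48 utm user_prefetch[12013]: # 1 Updating user test1
2017:04:21-16:31:48 utm user_prefetch[12013]: 1 user objects were found:
2017:04:21-16:31:48 utm user_prefetch[12013]: 0 users were created
2017:04:21-16:31:48 utm user_prefetch[12013]: 1 user was updated
2017:04:21-16:31:48 utm user_prefetch[12013]: 0 users are authenticated locally.
"""


@dataclass
class PrefetchReport:
    ldap_url: str | None = None
    groups: dict[str, list[str]] = field(default_factory=dict)  # group DN -> member DNs
    searches_returned: list[int] = field(default_factory=list)  # one entry per "Ldap search returned N"
    created: int = 0
    updated: int = 0


def parse_prefetch_log(text: str) -> PrefetchReport:
    report = PrefetchReport()
    current_group = None  # DN of the group whose member list is currently being read
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a user_prefetch line
        msg = m.group("msg").strip()
        if (g := GROUP_RE.match(msg)):
            current_group = g.group("dn")
            report.groups.setdefault(current_group, [])
            continue
        if current_group and DN_RE.match(msg):
            report.groups[current_group].append(msg)  # one member DN per line
            continue
        current_group = None  # any non-DN line (separator, "Performing ldap search:") ends the member listing
        if (u := URL_RE.match(msg)):
            report.ldap_url = u.group("url")
        elif (f := FOUND_RE.match(msg)):
            report.searches_returned.append(int(f.group("n")))
        elif (c := COUNT_RE.match(msg)):
            if c.group("what") == "created":
                report.created = int(c.group("n"))
            else:
                report.updated = int(c.group("n"))
    return report


def check_report(report: PrefetchReport) -> list[str]:
    """Return findings a UTM admin would act on; an empty list means the sync looks healthy."""
    findings = []
    if report.ldap_url and report.ldap_url.lower().startswith("ldap://"):
        findings.append(f"directory bind uses plaintext {report.ldap_url}; confirm TLS is enforced for this server")
    for dn, members in report.groups.items():
        if not members:
            findings.append(f"group {dn} expanded to no members; group-based access will not work")
    if report.created == 0 and report.updated == 0:
        findings.append("sync wrote no user objects")
    expected = sum(len(m) for m in report.groups.values())
    if sum(report.searches_returned) < expected:
        findings.append("some group members did not resolve to user objects (nested groups or stale members?)")
    return findings


if __name__ == "__main__":
    rep = parse_prefetch_log(SAMPLE_LOG)
    for dn, members in rep.groups.items():
        print(f"{dn}: {len(members)} member(s)")
    print(f"created={rep.created} updated={rep.updated}")
    for line in check_report(rep):
        print("FINDING:", line)
```

For the posted log the parser shows one group with one member, zero created and one updated, so the prefetch itself is working; the only finding is the ldap:// URL, which is worth checking regardless of the group problem.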
  • Hey Cameron.

    Your setup seems sound. Have you enabled "Active Directory Group Membership Synchronization" on Definitions and Users / Authentication Services / Advanced?

    Regards - Giovani

  • Hi Giovani,


    This option is grayed out. I believe it is because I have not enabled AD SSO, but I have configured prefetch directory users as below.


  • I did not realize that you could do AD prefetch without enabling AD SSO, because I thought it was merely a performance optimization for AD SSO. Based on your results, it sounds like the solution is to turn it on. I use AD SSO with AD groups, and LDAP SSO to AD with LDAP Groups, without prefetch, and everything works well, except for the bug in 9.408 which makes the Authentication Server test feature unusable.

    My inference from your results is that prefetch is creating local users which duplicate your AD, not backend AD users. These local users are linked to the local group called Active Directory Users. But the prefetched AD group only points to backend AD users, which cannot be found because you have AD SSO disabled.

    I would try configuring everything without prefetch, verify that it works, then turn prefetch back on. Or call support. I have never used an AWS environment, and there is always the possibility that you have found a bug.

  • If you have sufficient reason to not enable AD SSO:

    You can probably solve the group membership problem if you create a local group called "SSL VPN LOCAL", then put your prefetched users into it.

    You should also test the UTM behavior when your prefetched user is (a) locked out, (b) disabled, or (c) deleted from Active Directory. I wonder if some users will remain enabled in UTM even after they are disabled or deleted in AD. This is not something that I know, just something that I think you need to know, and therefore you need to test. (Using AD SSO will definitely avoid any risks of this type, and it will keep the group maintenance in AD, where I prefer to do user management.)

    If you can convince support that you have a bug, it will take time to work up the escalation chain, and even longer to wait for the bug to be fixed in a future release. So you need a workaround in the short term, and this or the previous comment should get you where you want right away.
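The concern in the reply above (prefetched accounts that stay enabled on the UTM after being locked, disabled, removed from the group or deleted in AD) is something you can reconcile with a script rather than only by hand-testing. The following is an added example, not code from the thread or from Sophos: it takes a constructed list of prefetched UTM user names and a constructed snapshot of the matching AD accounts (as you would get from an LDAP export) and classifies each UTM user. Disabled is read from the ACCOUNTDISABLE bit (0x2) of userAccountControl; locked from the LOCKOUT bit (0x10) of the computed attribute msDS-User-Account-Control-Computed, since the raw lockoutTime attribute is not cleared when the lockout duration expires. The group DN, account names, the AdAccount record and the reconcile and stale_users functions are this example's own assumptions.

```python
"""Reconcile prefetched UTM users against the current state of their AD accounts.

Added example, not part of the original thread. Sample UTM user list and AD
snapshot are constructed; the function and record names are this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set when an account is disabled in AD
UF_LOCKOUT = 0x0010      # bit in msDS-User-Account-Control-Computed while an account is locked out

# Hypothetical group DN, modelled on the one in the prefetch log above.
VPN_GROUP_DN = "CN=Sophos UTM SSLVPN Users,OU=Security Groups,OU=MyBusiness,DC=XXX,DC=local"


@dataclass(frozen=True)
class AdAccount:
    sam_account_name: str
    user_account_control: int      # raw userAccountControl attribute
    computed_uac: int              # msDS-User-Account-Control-Computed (lockout state is reliable here)
    member_of: tuple[str, ...]     # group DNs from memberOf


# Constructed snapshot of AD, one account per situation the reply above says to test.
AD_SNAPSHOT = {
    "test1": AdAccount("test1", 0x200, 0x0, (VPN_GROUP_DN,)),                    # healthy member
    "test2": AdAccount("test2", 0x200 | ACCOUNTDISABLE, 0x0, (VPN_GROUP_DN,)),   # disabled in AD
    "test3": AdAccount("test3", 0x200, UF_LOCKOUT, (VPN_GROUP_DN,)),             # locked out
    "test4": AdAccount("test4", 0x200, 0x0, ()),                                 # removed from the VPN group
    # "test5" deleted from AD: no entry at all
}

# Constructed list of user objects the UTM prefetch created or updated.
UTM_PREFETCHED_USERS = ["test1", "test2", "test3", "test4", "test5"]


def classify(name: str, ad: dict[str, AdAccount], group_dn: str) -> str:
    """Return one of: ok, deleted, disabled, locked, removed-from-group."""
    acct = ad.get(name)
    if acct is None:
        return "deleted"                      # the UTM still has a user AD no longer knows
    if acct.user_account_control & ACCOUNTDISABLE:
        return "disabled"
    if acct.computed_uac & UF_LOCKOUT:
        return "locked"
    if group_dn not in acct.member_of:
        return "removed-from-group"           # direct membership only; nested groups are not expanded here
    return "ok"


def reconcile(utm_users: list[str], ad: dict[str, AdAccount], group_dn: str) -> dict[str, str]:
    return {name: classify(name, ad, group_dn) for name in utm_users}


def stale_users(report: dict[str, str]) -> list[str]:
    """UTM users that should no longer be able to use the SSL VPN, in a stable order."""
    return sorted(name for name, status in report.items() if status != "ok")


if __name__ == "__main__":
    result = reconcile(UTM_PREFETCHED_USERS, AD_SNAPSHOT, VPN_GROUP_DN)
    for name, status in result.items():
        print(f"{name:8s} {status}")
    print("stale on UTM:", ", ".join(stale_users(result)))
```

Run this against the UTM's real user list and a fresh LDAP export after each of the four state changes; any name that comes back stale while the user can still connect is exactly the case the reply above warns about, and the argument for moving to AD SSO (or for deleting the prefetched local users) rather than relying on the prefetched objects.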

  • Cameron, please show us the Edit of the "SSL VPN Users" Users Group object.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA