
Active Directory authentication and Firewall rules

Hello All,

I have a problem with the Firewall rules and Active Directory groups. I want to be able to allow Domain Users of a specific group to access specific services. For example, all Domain Users can access an external RDP service but not local users. Here is what I have done:


1. Joined Sophos host to the domain

2. Added a server which authenticates to the AD, all tested and working

3. Created a new group in Sophos groups to get all the Domain Users

4. Verified that the group can be seen from Sophos. I tested using a normal Domain User account

5. Created a new firewall rule to allow the above created group to access a RDP service externally

6. Created a firewall group to block all the rest from accessing RDP externally

7. Activated both rules

8. With this setup, the domain administrator failed to RDP externally

9. I disabled the rule number 3 and the domain administrator user was able to access the external RDP service.

That means that the rule number 2 was not correct because if it were, it would have allowed the domain administrator to access the remote RDP before it reached rule number 4.

Could you please let me know what I'm doing wrong? Unfortunately I can't find anything online that resolves my issue.

Thanks!



  • Hi kalod kalod,

    Is there an administrator user that has been synced to the local DB?

    If the user is not there, then authentication will not happen.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • Hi Argo,

    Thank you for your reply.

    Do you mean that the domain user (administrator in this case) needs to be a local user to Sophos too (being able to authenticate to the web interface for example)?

    Thanks!

  • Firewall Rules only see IP addresses, because that is what is in every IP packet.  

    Web traffic has special protocol components to pass identity via NTLM, so Web Filtering is different.

    STAS can do what you want, because it ties an internal user to an IP address.

    Remote access VPN ties an external user to an IP address.

    For more details, check out the authentication posts in the Wiki.
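    The point Douglas makes above (a rule that names a user group can only match once something such as STAS or a remote-access VPN has tied the packet's source IP to a user) and Argo's point (a user that was never synced into the local database contributes no group membership) can be shown with a small model of first-match rule evaluation. This is an added illustration written for this thread, not Sophos code and not how the UTM engine is implemented internally; the rule names, user names, group names and IP addresses are all made up.

```python
# Added illustration (not Sophos code): a minimal model of how an
# identity-based firewall rule is evaluated against packets that carry
# only a source IP. Group membership comes from a synced directory and
# the IP-to-user table is filled by logon events such as those STAS or
# a remote-access VPN would report. All names and addresses are made up.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "block"
    service: str                         # e.g. "RDP"
    src_groups: frozenset = frozenset()  # empty set means "any source"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    service: str


@dataclass
class Firewall:
    rules: list
    directory: dict                                   # user -> set of group names (synced from AD)
    ip_to_user: dict = field(default_factory=dict)    # learned from STAS / VPN logon events

    def learn_logon(self, ip: str, user: str) -> None:
        """Record that `user` currently owns `ip` (STAS logon event or VPN pool assignment)."""
        self.ip_to_user[ip] = user

    def groups_for_ip(self, ip: str) -> frozenset:
        """Groups the firewall can attribute to this IP; empty if the IP is anonymous
        or the user behind it was never synced into the local database."""
        user = self.ip_to_user.get(ip)
        return frozenset(self.directory.get(user, ())) if user else frozenset()

    def evaluate(self, pkt: Packet) -> tuple:
        """First-match rule evaluation; returns (rule name, action)."""
        groups = self.groups_for_ip(pkt.src_ip)
        for rule in self.rules:
            if rule.service != pkt.service:
                continue
            # A rule tied to a user group can never match a source the
            # firewall cannot attribute to a user: the packet only has an IP.
            if rule.src_groups and not (rule.src_groups & groups):
                continue
            return rule.name, rule.action
        return "implicit-deny", "block"


def build_firewall() -> Firewall:
    """The two-rule layout from the original post, modelled with made-up names."""
    rules = [
        Rule("allow-rdp-domain-users", "allow", "RDP", frozenset({"Domain Users"})),
        Rule("block-rdp-everyone-else", "block", "RDP"),
    ]
    directory = {
        "EXAMPLE\\administrator": {"Domain Users", "Domain Admins"},
        "EXAMPLE\\alice": {"Domain Users"},
    }
    return Firewall(rules, directory)


def demo() -> dict:
    fw = build_firewall()
    out = {}
    # 1. Domain admin connects straight from the Internet: no logon event ties
    #    203.0.113.10 to a user, so the identity rule is skipped and the block rule wins.
    out["external_no_mapping"] = fw.evaluate(Packet("203.0.113.10", "RDP"))
    # 2. Same admin arrives over remote-access VPN; the VPN pool address is mapped.
    fw.learn_logon("10.242.2.5", "EXAMPLE\\administrator")
    out["vpn_mapped_admin"] = fw.evaluate(Packet("10.242.2.5", "RDP"))
    # 3. A logon is seen for a user that was never synced into the local
    #    directory: the mapping exists, but yields no groups, so it is still blocked.
    fw.learn_logon("10.242.2.6", "EXAMPLE\\bob")
    out["mapped_but_unsynced_user"] = fw.evaluate(Packet("10.242.2.6", "RDP"))
    # 4. Traffic for a service no rule mentions falls through to the implicit deny.
    out["other_service"] = fw.evaluate(Packet("10.242.2.5", "SMB"))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

    Running it shows the behaviour reported in the original post: the external RDP connection from the domain administrator never matches the group rule and lands on the block rule, while the same account over a VPN pool address (where the user is known) is allowed.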

  • Hi Kalod and welcome to the UTM Community!

    As Douglas says, your initial approach can't work without adding STAS.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA