Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 1 subscriber
  • Views 22604 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

AD synchronization time

Dino Ingram

We have Sophos Proxy Appliances in our domains.  We use Active Directory group membership to grant / revoke site access through the Sophos proxy server.  The synchronization time can be an hour or more before the group membership changes take effect.  What can be done to SHORTEN the synchronization time between AD and SOPHOS.  The long sync time is NOT related to high Sophos utilization.  The problem is consistent across our domain and has NEVER been short.

Thanks 



This thread was automatically locked due to age.
Parents
  • 0

    Hi Dino,

    You could run the sync manually configuration / system / active directory / synchronize now.

    This would re-cache the user list to the appliance, by default the process runs every hour and should not need to be changed.   If you wanted to revoke a bunch of users and manually run the sync the appliance would not present their credentials to AD once the current one expires . (every 4m59s)

    The appliance simply requests authentication from AD, if the accounts are disabled or removed ad will refuse the request.

  • 0 in reply to Red_Warrior

    That is helpful. Thanks for the quick response.  Is there a way to decrease the 1-hour setting?

  • 0 in reply to Dino Ingram

    In short, no it can't be easily changed.   I guess the better question is.. What exactly is the issue you're having, and why do you feel syncing faster would resolve it?

  • 0 in reply to Red_Warrior

    While it is good that we can manually sync changes, it would be nice to shorten the default.  Quite often we have users requesting access or needing access restricted on short notice. We can do this within AD. However if the sync interval was shortened we wouldn't have to go to the extra steps of getting in to Sophos to fire it off manually.  While in and of itself, it is a minor issue, it is still extra steps that need to be remembered.  Having the sync be an option that can be customized to fit the environment would be a thoughtful update and an advantage.

     

    Thanks for the info,

     

    Dino

  • 0 in reply to Dino Ingram

    So the sync would be more for if you added a new user or changed a group.  From what you have said what I would do is ensure your policy is set up like so.

    https://community.sophos.com/kb/en-us/126599  (ensure the rest of the requirements are met) 

    ensure your sso auth policy is like this, and you meet the 7 requiremnts at the top.

    https://community.sophos.com/kb/en-us/126692 (other considerations depending on your deployment mode) 

     

    Your Auth policy:

    Configuring default authentication policy

    In Configuration > System > Authentication > Default Settings, configure the settings as follows:

    Authenticate using: select Single Sign On
    Perform SSO for Mac is optional
    Authenticate all requests is not recommended
    Captive Portal: disabled
    On authentication failure: select Block access

    this forces the appliance only to proxy requests for users with both have an IP and authenticated. 

    the next step is to create an additional policy .  You would typically already have a bunch for your users based on group or ip ranges..   In this case add a new one called tmp-ban, set everything to block and move it to the top of the priority list

    then in AD move your user to the tmp-ban group.. once that is replicated across AD when the appliance requests SSO validation on the user, ad would report the user is the tmp-ban group .. as long as that group is above the normal group of the user they will be blocked.

     

     

     

     

    another way would be to set up an ip range and do the same sort of policy.

    you could also use a connection profile on ip or even user agent string

     

    the applaince uses the sync tool more for creating policy, reporting groups and similar than authentication. so if you were to set it to every 10 mins .. you would be able to create a new policy for that new group sooner. 

     

    that should get you going on making a more robust auth profile and policy to police group changes / re-auths

Reply
  • 0 in reply to Dino Ingram

    So the sync would be more for if you added a new user or changed a group.  From what you have said what I would do is ensure your policy is set up like so.

    https://community.sophos.com/kb/en-us/126599  (ensure the rest of the requirements are met) 

    ensure your sso auth policy is like this, and you meet the 7 requiremnts at the top.

    https://community.sophos.com/kb/en-us/126692 (other considerations depending on your deployment mode) 

     

    Your Auth policy:

    Configuring default authentication policy

    In Configuration > System > Authentication > Default Settings, configure the settings as follows:

    Authenticate using: select Single Sign On
    Perform SSO for Mac is optional
    Authenticate all requests is not recommended
    Captive Portal: disabled
    On authentication failure: select Block access

    this forces the appliance only to proxy requests for users with both have an IP and authenticated. 

    the next step is to create an additional policy .  You would typically already have a bunch for your users based on group or ip ranges..   In this case add a new one called tmp-ban, set everything to block and move it to the top of the priority list

    then in AD move your user to the tmp-ban group.. once that is replicated across AD when the appliance requests SSO validation on the user, ad would report the user is the tmp-ban group .. as long as that group is above the normal group of the user they will be blocked.

     

     

     

     

    another way would be to set up an ip range and do the same sort of policy.

    you could also use a connection profile on ip or even user agent string

     

    the applaince uses the sync tool more for creating policy, reporting groups and similar than authentication. so if you were to set it to every 10 mins .. you would be able to create a new policy for that new group sooner. 

     

    that should get you going on making a more robust auth profile and policy to police group changes / re-auths

Children
No Data
Unfiltered HTML