Hello Team, I need your help please. Is there any way to authenticate Azure AD users in Sophos? I have a hybrid infrastructure, with users in on-premise AD and in Azure AD. I was able to authenticate users in my on-premise AD to access VPN through Sophos, but I do not know what to do regarding Azure AD users. Thank you for your help.
There may be some help here: http://www.checkyourlogs.net/?p=52993
You may try to connect VPN using this KBA. When you do connect, you can add an AD server that would integrate with Sophos XG using this KBA.
In reply to Aditya Patel:
Thank you all for your help.
I do not have AD VM.
I am accessing my Azure AD just using a browser.
So there is no way for me to add Server AD IP address.
In reply to Oo-T:
Can you sync your on premise AD with azure AD?
In reply to JuergenB:
Yes, I can Sync.
But until now, I can sync only one way, from my On Premise AD to Azure AD.
I already have Azure AD users created before creating my On premise AD.
You could sync the Azure AD users to on-premise AD with the use of PowerShell scripting.
Then Sophos would authenticate with on-premise.
Have a look here.
Thank you for your help.
I will try this then update.
We did it by enabling LDAPS on Azure: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap
After that you can just add it as an LDAP auth server.
In reply to Jesse Bower:
Same problem here. We would like to sync/authenticate our users (for VPN authentication) via LDAPS directly with Azure AD.
If I understand you right, no Azure VM (domain controller with AD) is necessary?
So we need an activated Azure plan like P1 and only the certificate for LDAPS, right?
Thanks & regards
We can connect to Azure AD with LDAPS with Anonymous. Bind DN worked as well. If we choose authentication with credentials, it doesn't work.
Login in the User Portal with an AD user is not possible.
After a call with a Sophos technician today, they will check if LDAPS via WAN works.
Jess, maybe you could give me some more information on how you realized the connection with LDAPS. Do you use a VPN to the Azure network?
In reply to Philipp Marx:
In reply to Kresimir Fotivec:
Answer from Sophos support:
"I got this discussed with my Senior team and I regret to inform but Authentication is not supported on WAN Zone as of now on the XG Firewall. But as a workaround, you can create an IPSec Tunnel and then use Authentication."
So you have to create a VNet in Azure with Azure AD Domain Services, a Windows Server VM (join domain & install AD tools), gateway & VPN.
We've managed to get this to work properly.
Trick is that you need to properly parse bind and base DNs. Bind DN must be spelled without base DN.
Bind DN user must be in format like this: CN=ldapbind,OU=AADDC users
Base DN must be in format like this: OU=contoso,OU=com
Hope this will solve your problem.
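To check the DN split this answer describes (bind DN spelled without the base DN suffix), here is an added helper. It is not Sophos code or the poster's configuration; the DN values in it are constructed, and it assumes RFC 4514 backslash escaping for commas inside values.

```python
"""Split a full LDAP bind DN into the relative bind DN and base DN that the
answer above says Sophos XG expects. Constructed example, not Sophos code."""


def split_rdns(dn: str) -> list[str]:
    """Split a DN on unescaped commas, keeping backslash escapes intact."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def normalize(rdn: str) -> str:
    """Case-fold attribute type and value; AD compares DNs case-insensitively."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().upper()}={value.strip().casefold()}"


def is_relative(bind_dn: str, base_dn: str) -> bool:
    """True when the bind DN does NOT end with the base DN (the form the firewall wants)."""
    bind = [normalize(r) for r in split_rdns(bind_dn)]
    base = [normalize(r) for r in split_rdns(base_dn)]
    return len(bind) <= len(base) or bind[-len(base):] != base


def relative_bind_dn(full_bind_dn: str, base_dn: str) -> str:
    """Strip the base DN suffix from a full bind DN.

    Raises ValueError if the bind DN is not under the base DN, e.g. when it is
    already relative or points into a different tree.
    """
    bind = split_rdns(full_bind_dn)
    base = split_rdns(base_dn)
    if is_relative(full_bind_dn, base_dn):
        raise ValueError(f"{full_bind_dn!r} is not under base DN {base_dn!r}")
    return ",".join(bind[:-len(base)])


if __name__ == "__main__":
    # Constructed values mirroring the formats quoted in the answer above.
    print(relative_bind_dn("CN=ldapbind,OU=AADDC users,OU=contoso,OU=com", "OU=contoso,OU=com"))
```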
One side note: to get LDAPS auth to work you need to change your password storage in Azure to include "Store passwords using reversible encryption". After that setting is changed you have to update your password, and I have seen it take ~20 minutes for your password change to be reflected in the Azure LDAP system. Also you need to have the IdP enabled on the services you would like to use it with, and I have not been able to get groups to work with it; might just be my setup. I'm not spending much time on it as we are moving to AD in AWS over S2S VPN.
Here is an overview of our LDAP settings.