Change Sophos Heartbeat-Userdomain?

Hi there,

we've client with Sophos Intercept X installed and figuring the Heartbeat-Feature within our Sophos XG 135 out.

My "problem" is, that our Windows Clients are recognized as "username@domain.tld", if i view the "Current activities" in the Sophos XG WebGUI.
We sync our users from Microsoft AD to the Sophos - with our internal domain name "username@intern.domain.local"; this Users has also attached a MFA and used to connect by SSLVPN.

Because of the heartbeat, the Sophos XG created ~120 new Sophos useraccounts with @domain.tld - i would like to merge or delete them, so that the reports and so on are correct.

Is it possible to change the Domainname, that Sophos Intercept X is sending to Sophos Central? If i could change that to @intern.domain.local, the existing users would be matched.

Thanks in advance,


Added tags
[edited by: Gladys at 3:27 PM (GMT -8) on 4 Mar 2024]
  • Likely this is not possible. 
    Because your Endpoint is extracting your tld top level domain. And therefore this is send to the firewall for authentication. 


  • Hi,

    okay, so my only solution would be: Change intern.domain.local to domain.tld in my Sophos AD-Authentication Servers and manually change all MFAs from the old username@intern.domain.local to username@domain.tld (or: let all users create a new MFA with their new user)?

  • Hi there,

    so, it's not possible to change the userdomain, which is reported back by Sophos Heartbeat into my XG.

    Actual, there are two Users created for each unique employee: One "username" by Sophos Heartbeat (see pictures), and one user "username@intern.domain.tld" by our AD Sync. The last one is also used for SSL VPN.

    My goal is to merge these users - so that i have a unique user per employee within the XG.

    The current activities look like these:

    I've setup two AD Authentication Servers for DC1 and DC2 with the same AD-Domainname:

    My active remote users looks the following:

    As LuCar Toni said, i can't change the Userdomain of the Sophos Heartbeat-Users. So i would have to change my AD-Sync and maybe have to create new MFA for our AD-Users; but the users from Sophos Heartbeat don't have a user domain within their username.

    How i could change my AD-Sync, so that the synced user don't carry "intern.domain.tld" within their username?

    Thanks in advance,


  • You could change it around: You could add the .tld domain to the other AD server, then the old users with the local domain would be matched with the tld user.

    That could mean, the certificates of VPN etc. could be invalid.