
Does anyone know how to integrate XG with Active Directory without STAS (just like the old method on UTM)?

Hey Guys,

I've been pulling my hair out since I decided to use STAS for authentication. Although the environment is pretty simple (1 DC), the problem of users suddenly "logging off" from the firewall drove me crazy. I tried every suggestion here on the forum with no success.

So I was wondering: is it possible to integrate XG and AD without using STAS (I only needed it for web filtering), just like the old way on UTM? I really don't want to end up installing UTM instead just to solve this problem.

Thanks

  • Hi,

    Do you mean just binding AD to the XG Firewall?

    Under CONFIGURE -> Authentication -> Servers -> Add -> Active Directory -> Done

    Do you mean that?

  • Thanks. I didn't get any notification that someone had replied, so sorry I didn't reply sooner.

    I tried this alone (turned off STAS), but the SSO didn't work; that's why I posted the question.

    If you remember, in UTM there was an option to join the UTM to the domain for SSO to work.

    Adding the server only under Authentication is not enough for SSO to work.

    Has anyone tried it?

  • Hi,

    XG supports a couple of ways to authenticate.

    NTLM is the only "on board" authentication, which does not require you to do anything.

    AD SSO like in UTM is not on board, because it would not be possible to use a user-based rule. In UTM you can only use AD SSO for the Web Filter.

    So basically you could use the STAS client to get the mapping done and work with the proxy.

    XG is a user-based "layer 8" firewall. In that case, it is not possible to work with winbind like UTM does.

    https://community.sophos.com/kb/en-us/123159

    Rolling out this client is also possible.

    ------------

    Furthermore: the main reason why STAS "logs out" users is a broken WMI connection.

    So check the collector-to-client connections: https://community.sophos.com/kb/en-us/123020

    Also deactivate the logoff detection on XG.

    __________________________________________________________________________________________________________________
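    As an added example (not from this thread or from Sophos), a PowerShell check run from the collector host that exercises the same remote WMI path the logoff-detection polling above depends on; the host names are constructed, and the use of DCOM as the transport is an assumption stated in the comments.

```powershell
# Added example, not part of the thread or of STAS itself.
# Tests whether the collector host can run a remote WMI query against each
# workstation, which is the connection the post above says must not be broken.
# Assumptions: run on the collector host with an account that has local admin
# rights on the workstations; classic WMI polling goes over DCOM (RPC 135 plus
# dynamic ports), so a DCOM session is used rather than WinRM.
$Workstations = @('WS01.corp.example', 'WS02.corp.example')   # constructed sample names

function Test-StasWmiReachability {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [int] $TimeoutSeconds = 10
    )
    foreach ($name in $ComputerName) {
        $result = [ordered]@{ Computer = $name; WmiOk = $false; LoggedOnUser = $null; Error = $null }
        try {
            # DCOM session: same transport classic WMI clients use for remote queries
            $opt     = New-CimSessionOption -Protocol Dcom
            $session = New-CimSession -ComputerName $name -SessionOption $opt `
                                      -OperationTimeoutSec $TimeoutSeconds -ErrorAction Stop
            # Win32_ComputerSystem.UserName is the interactively logged-on user,
            # the same kind of fact a logoff check needs to read remotely
            $cs = Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem -ErrorAction Stop
            $result.WmiOk        = $true
            $result.LoggedOnUser = $cs.UserName
            Remove-CimSession $session
        } catch {
            # Firewall, DCOM permissions or name resolution problems all land here
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

Test-StasWmiReachability -ComputerName $Workstations | Format-Table -AutoSize
```

    A workstation that shows WmiOk = False here is one the collector cannot poll, so its user is a candidate for the unexpected logoffs described in the thread.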

  • Aha, that's my point: there is no way to do this without "installing something" either on the workstations or on the DC.

    The WMI connection is not something that we can control all the time. It is random... suddenly users are logged out, even if WMI is working. I have deactivated logoff detection, but the problem still persisted, and having users call you every day for the same problem is really annoying for me and for them. User-based filtering is the only thing I need; I don't want all the "layer 8" features, and installing a client on the workstations is not that practical, to be honest.

    I always bragged about how Sophos has the advantage of not using any agent on the workstation, making administrators' lives easier, but now when I mention that we need to do tens of things just to get something as simple as SSO, I get negative feedback.

  • Hi,

    You could use NTLM.

    It would work without installing anything.

    I do not recommend NTLM; instead, fix the WMI issue. But nevertheless this is possible.

    Also the SSO client is possible, and you don't have to do anything on the clients, because the logon script will do everything for you.

    Having a Layer 8 firewall is more than UTM can do with AD SSO.

    __________________________________________________________________________________________________________________

  • Thank you very much for your help, but how do I use NTLM? Should I only configure the AD server under Authentication? What else should I do?