Anyone knows how to integrate XG with Active Directory without the STAS (just like the old method on UTM)

Hi,

do you mean just bound the AD to XG Firewall?

Under CONFIGURE -> Authentication -> Servers -> Add -> Active Directory -> Done

Do you mean that?

thanks, I didn't get any notification that someone has replied, so sorry I didn't reply soon

I tried this alone (turned off the stas) but the SSO didn't work, that's why I posted the question

if you remember in the UTM there was  an option to join the UTM to the domain for the SSO to work

Adding the server only in the authentication is not enough for the SSO to work

Has anyone tried it?

Anyone?

Hi,

XG supports couple of ways to authenticate.

NTLM is the only "on board" authentication, which does not require to do anything.

The AD SSO like UTM is not on board, because it would not be possible to use a User Based Rule. In UTM you can only use the AD SSO for Web Filter.

So basically you could use the STAS Client to get the Mapping done and work with the proxy.

XG is a User based "layer 8" firewall. In that case, it is not possible to work with winbind like UTM.

https://community.sophos.com/kb/en-us/123159

This Client rolled out as a Client is also possible.

------------

Furthermore: The main reason why STAS "logs out" user is a broken WMI Connection.

So check the Collector to all clients connections:https://community.sophos.com/kb/en-us/123020Also deactivate the log off detection on XG.

Aha, that's my point there is no way to do this without "installing something" either on workstations or on the DC.

the WMI connection is not something that we can control all the time. it is random ...suddenly users are logged out, even if the WMI is working I have deactivated log off but still the problem persisted and having users call you every day for the same problem is really annoying for me and them, user based filtering is the only needed thing I don't want all the "layer 8" feature and installing client on the workstation is not that practical to be honest

I always bragged about how Sophos has this advantage of not using any agent on the workstation making administrators' life easier, but now when I mention that we need to do tens of things just to get something simple as SSO i got negative feedback

Hi,

You could use NTLM.

Would work without installing anything.

I do not recommend NTLM, instead fixing the WMI issue, but nevertheless this is possible.

Also the SSO client is possible and you don´t have to do anything on the clients, because the logon script will do everything for you.

To have a Layer 8 firewall is more than the UTM can do with AD SSO.

Hi,

You could use NTLM.

Would work without installing anything.

I do not recommend NTLM, instead fixing the WMI issue, but nevertheless this is possible.

Also the SSO client is possible and you don´t have to do anything on the clients, because the logon script will do everything for you.

To have a Layer 8 firewall is more than the UTM can do with AD SSO.

Thank you very much for your help, but How to use NTLM? should I only configure the AD server in authentication only? what else should I do?