Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Secure Active Directory authentication with public CA and no AD CS

Hi All,

For secure AD authentication it seems Sophos advice is to install AD CS and create an AD CA on every AD server you use.

Link: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/128222/sophos-firewall-how-to-integrate-active-directory-with-ssl-tls-or-starttls-connection-security

Sophos support confirmed this is the way to go. For me this seems like overkill. IBM even states on there website not to do this; "Do not install the Certificate Services role on the Active Directory server. Some Active Directory Domain configurations are not suited to accept an installed Certificate Services role. For example, when there are multiple Active Directory servers in a domain." Link: https://www.ibm.com/docs/en/tsm/7.1.1?topic=passwords-configuring-windows-active-directory-tlsssl 

Just to check with the community, why not use a public CA certificate? Then there is no need to install AD CS on every AD.

Link: https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority 

Did anybody already tried this? And please share your thoughts on this.



This thread was automatically locked due to age.
Parents
  • So I tested the suggested solution as mentioned in the Microsoft link (enable-ldap-over-ssl-3rd-certification-authority). I bought an SSL certificate, placed it in the Personal Store of the Computer on my AD server. Tested it with ldp.exe and that works. Next step was test SSL/TLS authentication in de Sophos XG (port 636) and that also works.

    So there is no need to install AD CS on every AD you use for authentication within the Sophos XG. Just buy a public SSL cert and place it on your AD server.

  • So did you create a CSR on the DC doing LDAP to the XG, then generate an IIS SSL cert with the third party, import it to your DC (as mentioned)? Was going to give this a try and figured i'd just follow the usual steps i follow for SSL certs for securing IIS/RDGateway, then export the cert and upload into my 2nd DC that is also syncing LDAP to the XG firewall. 

  • You can create the CSR on any machine. Export the certificate with private key and import it on the DC. That's all. Keep in mind that the fqdn of the AD server must be available in the certificate; 

    • The Active Directory fully qualified domain name of the domain controller (for example, dc01.contoso.com) must appear in one of the following places:

      • The Common Name (CN) in the Subject field.
      • DNS entry in the Subject Alternative Name extension.
Reply
  • You can create the CSR on any machine. Export the certificate with private key and import it on the DC. That's all. Keep in mind that the fqdn of the AD server must be available in the certificate; 

    • The Active Directory fully qualified domain name of the domain controller (for example, dc01.contoso.com) must appear in one of the following places:

      • The Common Name (CN) in the Subject field.
      • DNS entry in the Subject Alternative Name extension.
Children
No Data