Add an Active Directory Server on Sophos XGS

Hi TobLai

Thank you for reaching out to the community, please verify you have check mark "User portal authentication methods"  AD under CONFIGURE-->Authentication-->Services as below, you can drag and keep AD on TOP

Thanks and Regards

Yes, it is marked as Set authentication methods same as firewall. In the login portal, do I have to type in the domain name at the front 

Domain\TobLai or something?

Just on the other question:

If I add a new user in the AD, does it mean I have to import on the firewall all the time in order to use the VPN? 

Isn't it setting the Primary authentication method to my_AD_Server is suppose to be able to authenticate with my AD already?

 Hi TobLai

No, new added user on AD user group not to be imported all the time.When you add a new user on existing group on AD, you don't have to import the user as user "group" is already imported on Sophos XG, user from same group will get syn on Sophos firewall and you can check by login the user on user portal or Captive Portal 

Thanks and Regards

When you say the group will sync, does it mean when I look at the users in the list, I will see all the AD users that is in the group that I imported?

If I am getting a lot of "Cannot establish NTLM authentication channel with Domain", how should I fix it?

Hi TobLai 

As soon as you log in user/s, the user will start populating on the user list once the user group is imported on Sophos XG.

To check login user with Captive Portal Page 

https://<Sophos IP>:8090

Regards

Hi  TobLai 

Please refer the below link to troubleshoot the issue with STAS : 

https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/125318/sophos-xg-firewall-best-practice-for-stas 

Thanks and Regards 

Thanks Bharat J, good news, I managed to get AD user to login to portal.

The problem now I face is that is that the AD user is not able to ping the server when I log in to VPN. While the user created in the firewall can access and connect to server and ping any computers on the network.

Is there anything I am missing?

Hi TobLai 

Please make sure you have LAN-VPN and VPN-LAN firewall rules and keep the same firewall rules on TOP to troubleshoot the issue if rules are already present. 

Please go to System -->Administration --->Device access and enable Ping on VPN and LAN Zone. Also, make sure you have added AD Server or network you want to allow under Permitted network resources (IPv4) as per the snapshot : 

Thanks and Regards

I only have VPN to LAN firewall rules. Is that sufficient?

Hey TobLai,

If you only want the VPN users to access the local LAN resources then it's fine. But if you want the LAN users or client machine to access resources over the VPN then you may want to create a LAN to VPN rule !! 

Hey TobLai,

If you only want the VPN users to access the local LAN resources then it's fine. But if you want the LAN users or client machine to access resources over the VPN then you may want to create a LAN to VPN rule !!