This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

AD SSO for Web Surfing

Bepo over 1 year ago

Hello,

we use a XGS116w in one of our branch offices running on firmware: 19.0.1 with SD-WAN.

We deployed a firewall rule through Sophos Central for Web Surfing (LAN-Zone to WAN-Zone) with different Web Policies.

All is working fine.

Now we want to identify which user produces witch web traffic.

In Sophos UTM we defined for Web Surfing AD SSO with an AD Authentication Server.

In Sophos Firewall OS (SFOS) I added an AD authentication server and used the Import Group Wizard.

After that I changed the Authentication Servers Ordering in Authentication -> Services

Then i tried to logon the user portal with AD user. This was also successful.

If i then activate "Match known users" in the LAN_to_WAN Firewall Rule, the rule don't match,

if i open a website from a windows 10 client authenticated with AD-User.

Is there a further configuration needed?

Thansk so far

Best regards

Bepo

This thread was automatically locked due to age.

Top Replies

LuCar Toni over 1 year ago in reply to Bepo +1 verified

Then review the article and check for the configuration.

Parents

0 LuCar Toni over 1 year ago

Do you use the Sophos Endpoint or not?
You could use Kerberos (like on UTM), but this is actually rarely used.
Most customers use Endpoint or STAS. It is more easier to use.

Check the online help for more infos: docs.sophos.com/.../index.html

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 Bepo over 1 year ago in reply to LuCar Toni

Hello,

thank you for your quick answer.

We wanted to use Kerberos, because we don't have Sophos Endpoint.

But is for Kerberos a special configuration needed?
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 1 year ago in reply to Bepo

Did you review STAS and the Kerberos Online Help?

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 Bepo over 1 year ago in reply to LuCar Toni

We didn't want to use STAS as it is an additional component that needs to be installed on the domain controllers.

Instead, we wanted to use it the same way we did with utm
Cancel
Vote Up 0 Vote Down

Cancel
+1 LuCar Toni over 1 year ago in reply to Bepo

Then review the article and check for the configuration.

__________________________________________________________________________________________________________________
Cancel
Vote Up +1 Vote Down

Cancel
0 Bepo over 1 year ago in reply to LuCar Toni

Thank you, i will check this :-)
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Bepo over 1 year ago in reply to LuCar Toni

Thank you, i will check this :-)
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data