Hey guys, reaching out for some much-needed help. Have read similar posts but nothing makes sense to me in them.
I have purchased a certificate as well as created a local active directory certificate server. (All Witchcraft to me)
Have installed them on the sophos XG firewall under Certificates. All working well it appears.
I go to:
Configure -> Authentication -> Servers and set up my SSL/TLS connection to active directory.
Select Test Connection and all is good.
However, when I select Validate server Certificate I get:
What is the firewall doing here, which server is down or unreachable? Is it my Root CA server that is in Active Directory? Or is it the domain controller? (The CA is installed on a domain member, not on the domain controller.)
Note: Firewalls are not active on the Windows Domain Controller and Domain Members.
All Active Directory servers and workstations are on the local network. I don't think I am restricting anything on the local network. Or is there a predefined rule that does?
What am I missing here? Any advice would be greatly appreciated.
Thank you.
Hello Christopher Kurdian, thank you for reaching out to the community. Please refer to the following article: Sophos Firewall: A Quick Guide for LDAPS/AD Integration With Windows Server 2022/2019/2012…
Thanks & Regards,
Vivek Jagad | Team Lead, Global Support & Services
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Thanks for your prompt response. Unfortunately, it doesn't answer my questions. ldp.exe seems to be superseded as well; I can't find it anywhere. Regardless, going through the documentation steps as best I could, I concluded my setup is working.
However, as mentioned above, my "Validate Server Certificate" fails.
"What is the firewall doing here, which server is down or unreachable? Is it my Root CA server that is in Active Directory? Or is it the domain controller? (The CA is installed on a domain member, not on the domain controller.)"
Some insight into this would be greatly appreciated.
And what if you untick the option "Validate server certificate" and then click on Test Connection?
To check further, we can enable debug for the access_server service, enable the option "Validate server certificate" and check the logs. On the CLI, select option 5. Device Management, then option 3. Advanced Shell.
1.) To enable/disable debug: service access_server:debug -ds nosync
2.) To check debug logs: tail -f access_server.log
[Perform the connection test and fetch the results in the logs]
Thanks again for the prompt reply.
Question: And what if you untick the option "Validate server certificate" and then click on Test Connection?
Answer: I get the green "Device - AD server connectivity test successful".
I can authenticate through Active Directory fine.
Thanks, I will try what you suggested above tonight and see how I go and report back.
Much appreciated.
Good afternoon Vivek,
You probably want to tell people they need to change path with those instructions.
Logs show the following.
Hmmmm, hostname does not match CN in peer certificate???
So, I have removed my root CA from Active Directory (following these steps successfully: Remove CA from Active Directory • Nolabnoparty). I will follow your instructions for installing a root CA and see how I go: Sophos Firewall: A Quick Guide for LDAPS/AD Integration With Windows Server 2022/2019/2012… - Recommended Reads - Sophos Firewall - Sophos Community. Hopefully this fixes the issue. Will post back later on how I went.
Thank you for the update, Christopher Kurdian.
Ok, no luck, there must be a step missing??
I can connect and authenticate without "Validate server certificate" ticked. Once ticked I get the error message below, as before.
ldp can be run on the Active Directory server:
ld = ldap_sslinit("localhost", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 256 bits
Established connection to localhost.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
Are you using any external certificate on your AD? The option "Validate server certificate" is to validate the certificate on the external server for a secured connection. And if not, then with that option disabled the functionality will not be affected. May we know your use case for using the option of validating the certificate?
No, I'm not. AD is using an internal cert from the internal CA, I thought. "Validate server certificate" is for the external server? I thought this was for TLS comms to AD, using a cert from the internal certificate server (hence why the tutorials get us to set up an internal CA?). I recently purchased a certificate from RapidSSL for my public domain name with wildcard. I thought I installed it correctly as well. So, I have installed the intermediate certificate for RapidSSL and the root certificate for my internal CA as per: Import a certificate - Sophos Firewall. Sorry, I am very green to all this but want to fully understand how it's working; I greatly appreciate your feedback. I think I will follow this tonight. It may have something to do with my issue perhaps: (+) Sophos xg can't resolve own hostname and internal server - Discussions - Sophos Firewall - Sophos Community (they seem to have the CN issue as well).
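The "hostname does not match CN in peer certificate" line in the debug log, and the CN issue mentioned in the linked thread, are both the client side of TLS hostname verification: the name the firewall was given for the AD server (IP address, short name or FQDN) is compared against the DNS and IP names in the certificate's Subject Alternative Name (or, when there is no SAN, the subject CN). The script below is an added example written for this thread, not Sophos code and not part of any post above. It reproduces that check in Python's standard library, using a constructed certificate dict in the shape `ssl.SSLSocket.getpeercert()` returns; the names `dc01.corp.example`, `corp-CA01-CA` and the file `internal-root-ca.pem` are assumptions.

```python
"""Reproduce TLS hostname verification against an LDAPS server certificate.

Added example for this thread (not Sophos or Microsoft code). The certificate
below is constructed to look like what ssl.getpeercert() returns for a
domain-controller certificate issued by an internal AD CS CA.
"""
import ipaddress
import socket
import ssl

# Constructed sample: subject CN = the DC's FQDN, SAN = FQDN plus the domain name.
# (Names are assumptions, not values from the thread.)
SAMPLE_DC_CERT = {
    "subject": ((("commonName", "dc01.corp.example"),),),
    "issuer": ((("commonName", "corp-CA01-CA"),),),
    "subjectAltName": (("DNS", "dc01.corp.example"), ("DNS", "corp.example")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def _dns_label_match(pattern, host):
    """RFC 6125 style comparison: case-insensitive, one leading '*' matching exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    # a wildcard must cover at least two fixed labels and never matches an empty label
    return len(p_labels) >= 3 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Return (dns_names, ip_names) a verifier may match against.
    When any SAN entry exists the subject CN is ignored; the CN is only a fallback."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def hostname_matches(cert, configured_host):
    """Decide whether configured_host (the address given to the firewall for the
    AD server) is covered by the certificate; return (ok, reason)."""
    dns, ips = cert_names(cert)
    try:
        ip = ipaddress.ip_address(configured_host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP address only ever matches an "IP Address" SAN, never a DNS name or CN.
        if any(ipaddress.ip_address(i) == ip for i in ips):
            return True, "IP %s is in the certificate's SAN" % ip
        return False, ("server configured by IP %s but the certificate only names %s; "
                       "configure the DNS name instead or reissue the cert with an IP SAN"
                       % (ip, dns or ips))
    for name in dns:
        if _dns_label_match(name, configured_host):
            return True, "%s matches certificate name %s" % (configured_host, name)
    return False, "hostname %s does not match any of %s" % (configured_host, dns)


def fetch_peer_cert(host, port=636, ca_file="internal-root-ca.pem"):
    """Fetch the certificate a live LDAPS server presents. The chain is still
    verified against the internal root CA (like the firewall does), but hostname
    checking is disabled so a mismatching certificate can be inspected rather than
    rejected. Needs network access; not exercised by the offline checks."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for configured in ("dc01.corp.example", "dc01", "192.0.2.10"):
        ok, why = hostname_matches(SAMPLE_DC_CERT, configured)
        print("%-20s %s  %s" % (configured, "OK  " if ok else "FAIL", why))
```

The three sample inputs in `__main__` are the three ways an AD server is typically entered on the firewall: only the full DNS name passes, because the certificate the DC gets from an internal CA names the FQDN, not the short name or the IP. Pointing `fetch_peer_cert` at a real DC (with the exported internal root CA as `ca_file`) returns the same dict shape, so the exported certificate names can be compared with whatever was typed into the server settings; `openssl s_client -connect <dc-fqdn>:636 -showcerts` gives the same information from a shell.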