XGS 19.6: AD user prefetch icl. Mail attribute

Question

Hello, 
 In Sophos UTM SG there was a user prefetch - I am really missing this feature because I need to send quarantine-mails to every user on our on-prem exchange. 
 Can&acute;t believe that this is not longer implemented and users are only created when they login the first time? 
 
 There is no need for any of our users to logon at our firewall. 
 VPN is not needed because every modern OS has its own client an we do roll out fully configured devices. 
 WebProxy is transparent. 
 Mail-Release-Self-service becomes a henn-egg-problem: If there is no user, there will be no mail-address to send a quarantine report to inform that user that he has to login into the XGS to release a mail. 
 
 So how can we create/change users in our AD and can publish that to XGS automatically? (push or pull) 
 I do not believe that the XGS became worse than old SG/astaro.

Chris69 · Accepted Answer

Finally I found a solution for my initial question and the question about authenticating L2TP to AD user group: 
 1.) On the RADIUS Server: 
 make sure there is a network rule which includes both: - AD group membership "VPN users" AND 
 - client IPv4 address from the XGS 
 Make sure there is no other rule like "all authenticated windows users" later enabled. 
 Make sure there is no other rule with no combined group AND client-IP address (e.g. for WLAN auth...) 
 
 2.) On XGS: 
 - configure AD Authentication server with 
 " Display name attribute" = "displayname" and 
 "Email address attribute" = "mail" 
 - The FIRST AD group you have to import must be ""VPN Users" 
 - Under "Authentication" - "Services" change the default group to "VPN users" 
 - configure the RADIUS Authentication server 
 - put the RADIUS Authentication Server at the first line for Firewall and IPSEC/L2TP 
 
 Now I can confirm that: 
 1.) Non existent users (on the XGS) with NO AD membership of "VPN users" cannot authenticate within a L2TP connection attempt 
 2.) Non existent users (on the XGS) WITH AD membership of "VPN users" can authenticate within a L2TP connection attempt 
 3.) As soon as they connected with L2TP for the first time the users is created on the XGS, the AD group membership is visible under "Other group memberships" AND, tadaaa: with the correct E-mail address

LuCar Toni · Answer

I do always recommend to move to CEMA instead. There is/was a promo to move to CEMA instead of using the Email Protection on SFOS. 
 So comparing UTM to CEMA, CEMA is far ahead of protection, detection and usability.

LuCar Toni · Answer

UTM Email is basically the technology of 2013. The features used there and the technology used there is not adjusted to modern requirements. SFOS Email does the same like UTM and it is stuck in the same situation. 
 You can go one step back and talk about: What to do with attachments? If you talk to UTM Customers, they start to "Quarantine" those Emails and the Admin is doing there "one per day" cleanup process. Is this actually "the way to go"? How does the Admin actually decide to release the Email? I saw UTM customer "downloading" the Email to there windows machine and looking at the attachment with Notepad++. 
 In CEMA: You strip the attachment, the Email will go to the Recipient but the attachment is "bill.docs.txt" with "Your email was stripped, go to IT". IT can then check the Attachment, as the attachment is in the Quarantine. They can do a Intelix Report of this Email as well. Then they release the Email to the user and the user get the original Email with the original Attachment. See: Quarantine and policy enhancements 
 Another approach: Using different Policies for different situations: Accept DOCX from one Domain, but not from ANYBODY. Then add other approaches like "Quarantine this Email and Strip from the others". This is technology coming from SEA (Sophos Email Appliance). 
 CEMA, as it is a Central Cloud Based Solution, uses AI as well. https://ai.sophos.com/demos/ You can watch how it works here. Every Link within every Email is being checked and replaced by the AI Engine and can be blocked by users to access it. It is called Time of Click. You talk about "Web Filtering". But what about a mobile phone? I can click on the Link with my phone, which could be not behind a firewall? How do you do inspection of a iOS Phone anyway? 
 Then based on AI, CEMA uses the AI to score an Email to find an Impersonation - Which means, does the attacker try to figure out a "look a like domain" and send you an Email? For Example: S0phos.com 
 SPF helps your for MAIL-FROM Spoofing. What about FROM Spoofing? I can use a perfectly fine domain, call it attacker.com, send a Email called badguy@attacker.com as MAIL-FROM, your UTM will check the SPF but then i rewrite the FROM to "printer@sophos.com". Sounds familiar? This was/is a normal attack chain. And SPF cannot deal with this. See: https://www.usenix.org/system/files/sec21-shen-kaiwen.pdf You need some sort of AI to prevent this from happening. CEMA has it. 
 Looking at XDR: You can fetch every data from CEMA into XDR. Which means, if you find an Suspicious Attachment within your company: Check the "origin" of this Email by query the Datalake and check: Came it via Email - who sent it? When? What did Intelix say about this Attachment, who else got this Attachment etc. See: https://techvids.sophos.com/watch/ZXbHeYH2bxj9JcuhQRs6TN 
 Talking about "old stuff": Greylisting is dead. Modern solutions do this with own technologies: Sophos Labs, as they hold the MX Records, can actually in real time see Campaigns. So they are able to see some attacks pilling up and with a modern approach of technologies, you can start to delay such emails first on the Gateway and check what is going on, until you release this to the customer Email Server. This is automated and observed by Analysts within SophosLabs. No way to do this on a decentralized solution like a firewall, as getting back the telemetry and trying to figure out what is going on takes to long. 
 Looking into the future: If you want to go the direction to M365 or others, CEMA is able to support that with Mailflow and not doing a MX Record rewriting. 
 I can do more, if you want. But that is just a rough overview of CEMAs Toolkit compared to UTM/SFOS.

XGS 19.6: AD user prefetch icl. Mail attribute

Top Replies