

Sophos XG Firewall in HA - How many computer accounts should you see in Active Directory

Hi All,

We have 2 Sophos XG Firewalls set up in HA and are using NTLM / Kerberos authentication.

We notice that in Active Directory there is only one firewall computer account showing, and were wondering if that is OK or if there should be 2 accounts (one for each firewall).

If there should be one for each firewall, then how does one go about creating the second one?

Thanks



This thread was automatically locked due to age.
  • I only see one of my Sophos XGS in HA

    I assume it's because only one is active, and the secondary only shows up when the Primary fails and it takes on the settings of the Primary - that way only one is really live and identical.

    That's my take on it - please correct me if incorrect.

  • Just wanted to look into the general usage of Kerberos/NTLM: Why do you use it in general? I see a lot of UTM customers migrating to SFOS and seeing Kerberos as the "go to option" while there are other, maybe more suitable options out there. 


  • I can say in our case it's a combination of legacy and unknown.

    I have had Sophos Firewall from way back in v15 days and Cyberoam before that.

    When we first installed XG it was set that way as STAS was too flaky (still is today) and it offered an alternative.

    How would you suggest we set up the XGS today in a perfect world with STAS enabled?

    We face many issues with users who don't always log on / sign in to their laptops - they open the lid and carry on, thus failing STAS auth as there is no event etc.

    Also, many of the mobile devices are similar - we use a RADIUS server to authenticate but XGS is hit and miss on it.

    Thanks, my honest take on it.

  • In my case, Kerberos is ideal: it enables users to automatically authenticate to Sophos without the need for any clients to be installed on the PC. Another thing is that with Kerberos authentication you simply authenticate against the domain, and as such there is no need to install any interface on the domain controller either, thus making it simpler in my opinion.

  • Seems you are right. I raised a case with Sophos on this as well and their reply is that only one will be registered.

    Thanks