

Bind fw rules to user - Recommendation for AD-Sync?

Hi there,

I'm securing our company network a little bit more and want to use the "Match User" feature within the firewall rules.

We're running a central Sophos XG135 cluster and a bunch of branch offices, which are connected via pfSense and IPsec tunnels. Our clients use Sophos Intercept X as their AV solution and Sophos Connect for SSL VPN.

Currently, the Sophos FW uses two MS Active Directory authentication servers; we've got two MS DCs for our internal domain. A colleague told me that he had to set up two authentication servers, because he can't add one auth service that points to two DCs.

Because you can't add a second auth server with the same Windows domain name, he used "domain.tld" in one and "domain.local" in the other. Technically, it works without any problems, but some users are created on the Sophos as "username@domain.tld" and some as "username.domain.local", depending on which domain controller was contacted when the user first logged in to the Sophos.

With this info in mind, I've searched a bit for Sophos how-tos on connecting a Sophos FW to Active Directory. With multiple MS DCs, I should use STAS instead of entries under Authentication -> Servers -> Active Directory.

I think I heard that STAS is deprecated, so I want to ask the community:

- What is the current/recommended way to connect a Sophos XG to a Microsoft AD?
- How do I resolve my issue with the differently named user accounts? As I understand the how-tos, I could "Purge AD Users". But there is Sophos MFA linked to these accounts. And if I understand it right, the users are not actively synced from the AD to the Sophos; the users had to log in to the User Portal, and at that moment they were created on the Sophos if the authentication was successful. So I guess that if I purge the users, no user can connect via SSL VPN until they log in to the User Portal once. Is that correct?

Thanks in advance,

Bastian
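Added example, not part of Bastian's post and not Sophos code: before running "Purge AD Users", it is worth knowing which people currently exist on the firewall twice (once per realm suffix) and which of those stored accounts carry an MFA enrolment. The script below does that check over an exported user list. The CSV columns (`username`, `auth_server`, `mfa`) and the two suffixes in `KNOWN_SUFFIXES` are assumptions standing in for whatever export and domain names you actually have; the sample export is constructed, not real data.

```python
"""Reconcile duplicated firewall user entries before a purge.

Added example, not from the original post or from Sophos. It assumes a CSV
export of the firewall's user list with the columns username, auth_server
and mfa; adjust the column names and KNOWN_SUFFIXES to your environment.
"""
import csv
import io
from collections import defaultdict

# The two suffix forms the post describes. Assumption: replace with your
# own realm names if they differ.
KNOWN_SUFFIXES = ("@domain.tld", ".domain.local")


def canonical_name(username: str) -> str:
    """Strip a known realm suffix and lower-case the result.

    Only known suffixes are removed, so a dotted sAMAccountName such as
    'john.doe' keeps its dot instead of being cut at the first '.'.
    """
    lower = username.strip().lower()
    for suffix in KNOWN_SUFFIXES:
        if lower.endswith(suffix):
            return lower[: -len(suffix)]
    return lower


def _rows(csv_text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_duplicates(csv_text: str) -> dict[str, list[dict]]:
    """Group rows by canonical name; return only groups with >1 account.

    These are the people a purge would hit under two different names.
    """
    groups: dict[str, list[dict]] = defaultdict(list)
    for row in _rows(csv_text):
        groups[canonical_name(row["username"])].append(row)
    return {name: rows for name, rows in groups.items() if len(rows) > 1}


def mfa_at_risk(csv_text: str) -> list[str]:
    """Stored usernames that have MFA enrolled.

    Purging these drops the enrolment, which is the concern raised above.
    """
    return [row["username"] for row in _rows(csv_text)
            if row["mfa"].strip().lower() == "yes"]


# Constructed sample export; not real data.
SAMPLE_EXPORT = """username,auth_server,mfa
alice@domain.tld,DC1,yes
alice.domain.local,DC2,no
bob.domain.local,DC2,yes
carol@domain.tld,DC1,no
john.doe@domain.tld,DC1,yes
"""

if __name__ == "__main__":
    for name, rows in find_duplicates(SAMPLE_EXPORT).items():
        print(f"{name}: {[r['username'] for r in rows]}")
    print("MFA enrolled:", mfa_at_risk(SAMPLE_EXPORT))
```

Run it against your real export and you get, per person, the list of firewall accounts that refer to them, plus the stored names whose MFA would be lost. Whether the purge is acceptable then becomes a question of how many entries appear in the second list.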


