Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SFOS AD SSO not really working

Hello,

we are migrating a lot of customers from UTM to XGS/SFOS. With UTM the customers used AD SSO for authentication for web protection (different AD-groups and webfilter profiles). With UTM we never had any issue with AD SSO! Now with SFOS we ALWAYS have different issues to get AD SSO working. Sometimes it works for some users, sometimes we see all the live users with AD-SSO, sometimes for some users it is not working or after a while it suddenly stops working for everybody...

We are also up2date with SFOS 20.

It is completely unsatisfied for us and we have to use a lot of time for trouble shooting and sophos support. And support always collect logs for weeks and did not find a really solution. Than it is working some days but after a while new issues...This feature seems not to work in the way we would expect it or like it was with UTM and it becomes a little bit of a migration showstopper...

Anybody here really use AD SSO with SFOS for user authentication for web filtering without any problems/issues?

We know there is also STAS for authentication that may work in a better way but our customers used AD SSO before with UTM without any problems. So no changes on customer side except the new sophos firewall. For STAS also the customer would need an additional Windows Server Licence (because it is not recommended to use STAS on DCs...) and maybe sometimes this part of software have to be updated or becomes EOL (like SATC)...

regards



This thread was automatically locked due to age.
  • From the current installation base, most have STAS or Endpoint as authentication. Only a small portion of customers use AD SSO, due the fact of how it works (it requires a Web Authentication, which makes it most of the time only applicable for Web Proxy usage). 

    Nevertheless, we have a lot of bigger customers with 1k+ User and Web Proxy (UTM / Web Appliance migration) without any problem. 

    Most problems are caused by the same problems, which had UTM as well. Hostname was not a FQDN, not enough rights, could not join the AD. 

    There are sometimes problems with the client, like the Standard Proxy is not setup properly, the Firewall is not in trusted zone etc.

    SFOS compared to UTM has the difference with the AD Server approach --> AD Server are aware of the domain and if the UPN is different from the SAMAccountname, then you need to double setup the AD Server -->  Sophos Firewall: Create multiple AD Server entities in SFOS for multi domains  

    __________________________________________________________________________________________________________________