Sophos XGS Setting up LDAPS for authentication (Port 636) with Two DCs

Hi Rachel Salvadeo Thank you for reaching out to the Sophos community team. If you want both the servers to communicate on LDAPS then yes AD CS feature is required to be enabled on both the AD servers. I do not have AD side expertise/more information, so not sure if enabling it on primary will auto-sync and auto-enable it on Backup DC automatically or not! But you may check the below guide steps and enable it on primary and validate whether another Backup AD has synced those settings or not, If not then you may enable it same settings on the 2nd AD server as well manually.

Sophos Firewall: A Quick Guide for LDAPS/AD Integration With Windows Server 2022/2019/2012
community.sophos.com/.../sophos-firewall-a-quick-guide-for-ldaps-ad-integration-with-windows-server-2022-2019-2012

Thank you for the guidance.

I'm just going to share what happened when I implemented this because it seems to have worked.

I installed the AD CS role on just the Primary DC, configured it, and then rebooted it to enable LDAPS. I tested LDAPS using ldp and it was working.

I checked the Backup DC to see if the AD CS role was on it but it was not. However, running ldp to verify if LDAPS was enabled showed that it was.

I configured both DCs in the Sophos firewall to use SSL/TLS with port 636 and it seems to be working when I tested connectivity for each DC from the Sophos firewall.

Thank you Rachel Salvadeo for sharing the detailed information for community users' reference on the steps taken, I am glad to hear that you managed to fix the issue based on the suggested steps.