Sophos XGS Setting up LDAPS for authentication (Port 636) with Two DCs

Question

Hey all, 
 I have a question that seems to not be addressed in any other related community forum I could find. 
 I have two DCs, one of them being the Primary DC and the other being the Backup DC. Both DCs are replicating changes to each other. In the current environment, they are both setup to use LDAP for authentication in the Sophos XGS firewall, not LDAPS. 
 I am wondering if the AD CS server feature which is required for the Sophos XGS firewall to use LDAPS for authentication would have to be installed on ONLY the Primary DC and not both. 
 Any guidance for this would be greatly appreciated. 
 Thank you!

Vishal_R · Accepted Answer

Hi Rachel Salvadeo Thank you for reaching out to the Sophos community team. If you want both the servers to communicate on LDAPS then yes AD CS feature is required to be enabled on both the AD servers. I do not have AD side expertise/more information, so not sure if enabling it on primary will auto-sync and auto-enable it on Backup DC automatically or not! But you may check the below guide steps and enable it on primary and validate whether another Backup AD has synced those settings or not, If not then you may enable it same settings on the 2nd AD server as well manually.

Sophos Firewall: A Quick Guide for LDAPS/AD Integration With Windows Server 2022/2019/2012
community.sophos.com/.../sophos-firewall-a-quick-guide-for-ldaps-ad-integration-with-windows-server-2022-2019-2012

Sophos XGS Setting up LDAPS for authentication (Port 636) with Two DCs

Top Replies