
Sophos XGS Setting up LDAPS for authentication (Port 636) with Two DCs

Hey all,

I have a question that seems to not be addressed in any other related community forum I could find.

I have two DCs, one of them being the Primary DC and the other being the Backup DC. Both DCs are replicating changes to each other. In the current environment, they are both set up to use LDAP for authentication in the Sophos XGS firewall, not LDAPS.

I am wondering if the AD CS server feature, which is required for the Sophos XGS firewall to use LDAPS for authentication, would have to be installed on ONLY the Primary DC and not both.

Any guidance for this would be greatly appreciated.

Thank you!

  • Hi, thank you for reaching out to the Sophos community team. If you want both servers to communicate over LDAPS, then yes, the AD CS feature is required to be enabled on both AD servers. I do not have AD-side expertise/more information, so I am not sure whether enabling it on the primary will auto-sync and auto-enable it on the Backup DC or not. But you may check the guide steps below, enable it on the primary, and validate whether the Backup AD has synced those settings or not. If not, then you may enable the same settings on the 2nd AD server manually as well.

    Sophos Firewall: A Quick Guide for LDAPS/AD Integration With Windows Server 2022/2019/2012
    community.sophos.com/.../sophos-firewall-a-quick-guide-for-ldaps-ad-integration-with-windows-server-2022-2019-2012

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Thank you for the guidance.

    I'm just going to share what happened when I implemented this because it seems to have worked.

    I installed the AD CS role on just the Primary DC, configured it, and then rebooted it to enable LDAPS. I tested LDAPS using ldp and it was working.

    I checked the Backup DC to see if the AD CS role was on it but it was not. However, running ldp to verify if LDAPS was enabled showed that it was.

    I configured both DCs in the Sophos firewall to use SSL/TLS with port 636 and it seems to be working when I tested connectivity for each DC from the Sophos firewall.
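As an added check that is not part of this thread or of any Sophos or Microsoft tooling: the Python below connects to a DC on port 636 the way the firewall does, validates the chain against the exported AD CS root, and reports whether the presented certificate's SAN covers the DC's FQDN and whether it is inside its validity period. The DC names, the `ca_file` path and the two sample certificate dicts are constructed assumptions for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

LDAPS_PORT = 636  # the port configured on the firewall in this thread


def _host_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName (a single leading wildcard label allowed) against a hostname."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def _parse_cert_time(value: str) -> datetime:
    # ssl.getpeercert() renders validity times like "Jun  1 12:00:00 2025 GMT"
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def check_dc_cert(cert: dict, dc_fqdn: str, now: datetime) -> list:
    """Return the problems a validating TLS client would raise for this DC's certificate."""
    problems = []
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_host_matches(s, dc_fqdn) for s in sans):
        problems.append(f"no SAN dNSName matches {dc_fqdn} (SANs: {sans or 'none'})")
    if now < _parse_cert_time(cert["notBefore"]):
        problems.append("certificate not yet valid (notBefore " + cert["notBefore"] + ")")
    if now > _parse_cert_time(cert["notAfter"]):
        problems.append("certificate expired (notAfter " + cert["notAfter"] + ")")
    return problems


def fetch_dc_cert(dc_fqdn: str, ca_file: str, timeout: float = 5.0) -> dict:
    """TLS-connect to dc_fqdn:636, validating the chain against ca_file (the AD CS root
    exported for the firewall). Hostname matching is left to check_dc_cert so that a
    mismatch is reported rather than raised mid-handshake."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((dc_fqdn, LDAPS_PORT), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=dc_fqdn) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() shape (assumed names, not from a real DC).
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
GOOD_CERT = {"subjectAltName": (("DNS", "dc01.corp.example"), ("DNS", "corp.example")),
             "notBefore": "Jan  1 00:00:00 2025 GMT", "notAfter": "Jan  1 00:00:00 2026 GMT"}
BAD_CERT = {"subjectAltName": (), "notBefore": "Jan  1 00:00:00 2023 GMT",
            "notAfter": "Jan  1 00:00:00 2024 GMT"}  # expired and no SAN: would be rejected
```

Run `check_dc_cert(fetch_dc_cert(fqdn, "adcs-root.pem"), fqdn, datetime.now(timezone.utc))` for each DC; an empty list means that DC's LDAPS certificate is usable, and a non-empty one tells you which DC to fix before pointing the firewall at it.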
