Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Replies 2 replies
  • Answers 1 answer
  • Subscribers 39 subscribers
  • Views 801 views
  • Users 0 members are here
Options
Suggested

How to add Aure AD to Sophos Firewall

Viet Ton

Dear all,

I would like to get to support from all of you show me guide how to add the AD Azure to the Sophos Firewall

Best regards,

Viet Ton



Added TAGs
[edited by: Erick Jan at 6:33 AM (GMT -7) on 1 Oct 2024]
  • 0

    Hi Viet Ton,

    Thank you for reaching out to Sophos Community.

    Kindly check the following for reference, which might assist you.

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • 0 in reply to Erick Jan

    Hi Erick,

    Thanks for your replied,

    I tried to do with Integrate Sophos Firewall with Azure AD, but I don't how to do at step below

    • To create the Certificate Authority Private Key and Certificate, you first need to create a private key for the CA with the name azureADca.key.

      $ openssl genrsa -out azureADca.key 4096
      Generating RSA private key, 4096 bit long modulus
      ..........................................................................................................................................................++
      ................++
      e is 65537 (0x10001)

    • Create the CA certificate to be used to validate signed certificates, called azureADca.pem.

      $ openssl req -x509 -new -nodes -key azureADca.key -days 3650 -out azureADca.pem
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) []:CA
      State or Province Name (full name) []:ON
      Locality Name (eg, city) []:Burlington
      Organization Name (eg, company) []:<Your org>
      Organizational Unit Name (eg, section) []:Salesengineering
      Common Name (eg, fully qualified host name) []:<Commaon name>
      Email Address []:email@email.com

    • Create a text file and copy/paste the below text. Save the file as “azureAD-eku.conf” or any name you choose.

      [client_server_ssl]
      extendedKeyUsage = serverAuth

    • Now that this file exists, you must generate a private key for the LDAP cert with the name “ldapssl_private.key”.

      $ openssl genrsa -out ldapssl_private.key 4096
      Generating RSA private key, 4096 bit long modulus
      ...................................++
      ..........++
      e is 65537 (0x10001)

    • Next, create a certificate signing request to sign with the CA you previously created with the name “azureADldapssl.csr” and fill in the following values in yellow.

      $ openssl req -new -key ldapssl_private.key -out azureADldapssl.csr
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) []:CA
      State or Province Name (full name) []:ON
      Locality Name (eg, city) []:Burlington
      Organization Name (eg, company) []:firewallinabox
      Organizational Unit Name (eg, section) []:Sales Engineering
      Common Name (eg, fully qualified host name) []:<yourdomainname>
      Email Address []:<email@email.com>

      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []:<Password>

    • You now need to sign the request, while including the signing extensions created earlier. The following command will create the signed cert named “azureADcert.crt”.

      $ openssl x509 -req -extensions client_server_ssl -extfile azureAD-eku.conf -in azureADldapssl.csr -CA azureADca.pem -CAkey azureADca.key -CAcreateserial -out azureADcert.crt -days 365
      Signature ok
      subject=/C=CA/ST=ON/L=Burlington/O=firewallinabox/OU=Sales Engineering/CN=firewallinabox.tk/emailAddress=email@email.com
      Getting CA Private Key
      $

    • Convert the certificate into PFX format, as Azure accepts the certs in the PFX format.

      $ openssl pkcs12 -export -out SophosazureADcert.pfx -inkey ldapssl_private.key -in azureADcert.crt -certfile azureADca.crt
      Enter Export Password:
      Verifying - Enter Export Password:

      Could you please shown me more.Thanks youViet Ton

Unfiltered HTML