
How can I lock down the User Portal to a specific AD Group?

I am manually migrating from UTM 9.X to XG and I am really enjoying this; however, I can't seem to find where I can lock down the User Portal logins to a particular group in my Active Directory.

I found where I can control which adapters the user portal is available on (LAN versus WAN), but this seems to evade me :(



  • You can do this by modifying the "Search Queries" in the Authentication Server configuration. Many engineers use a generic top-level search query which will authenticate anyone in the Active Directory tree (for example "dc=domain,dc=local").
    This makes initial deployment easy as it can often be difficult in some networks to determine the most effective way to limit it further.

    If you narrow the search query further you can limit user authentication to specific sections of your Active Directory tree or even down as far as a group. Care needs to be taken, though, as this narrows the authentication for all users of the authentication server (even SSO users, which might be authenticating via STAS or SATC).

    Don't forget that even if you don't limit the authentication event itself, you can still limit access to resources such as the internet via a User rule in your policy base. This can be easier in that you authenticate absolutely all users and then only provide internet access to the chosen group.

    Leon Friend

    Sophos Sales Engineer

    Sophos XG Firewall - Certified Architect, Sophos Certified Engineer, Cyberoam CCNSE, Cyberoam CCNSP

  • Hi,

    I am sorry for picking up this topic after 2 months, but I may need some more help. I am currently trying to do exactly what JohnDoe2 tried to do: lock down VPN and User Portal to a specific AD group. In my case this is the VPN-Users group, which are the only ones who are allowed to access the portal and create a tunnel!

    In the AD authentication server setting I added the correct search query, which is: "CN=VPN-User,OU=....,DC=...."

    But unfortunately after that, I am not able to log in any more. It does make sense at some point, because you can't authenticate the user in the group. But also adding another search query that is more general does not do what I want, because it created an OR instead of an AND.

    So the basic question is: What search-query is required to limit the login to the users of a specific group?

  • Hi Robert,

    The answer does unfortunately depend on your AD structure; the search base will lock down which users can authenticate against the appliance. The indication would be that you have possibly gone a little too far in one direction or another and as a result the filter is not returning a list of users to authenticate.

    Your selection of users that can authenticate VPN sessions can be performed as a subset of the user selection criteria based on AD Group Membership.

    Leon Friend

    Sophos Sales Engineer

    Sophos XG Firewall - Certified Architect, Sophos Certified Engineer, Cyberoam CCNSE, Cyberoam CCNSP
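Added example (not part of this thread, and not Sophos code): a small Python model of the two mechanisms the replies distinguish, the authentication search base and AD group membership. The directory below is constructed, and every name in it (VPN-Users, OU=Staff, OU=Contractors, DC=example,DC=local, the user names) is an assumption. In Active Directory a group is a leaf object whose membership is expressed through the member / memberOf attributes; user objects are not located "inside" the group in the tree, so a group DN used as the search base (subtree scope) returns no user objects, which matches the empty result the second reply describes. The group is instead selected with an AND filter under a broader base.

```python
"""Added example: search base (tree containment) versus group membership (attribute).

The DIRECTORY below is a constructed toy Active Directory; the DNs are assumptions.
"""


def split_dn(dn: str) -> list[str]:
    """Split a DN into its RDN components, normalised for a case-insensitive compare."""
    return [part.strip().lower() for part in dn.split(",")]


def is_under_base(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn lies at or below base_dn (LDAP subtree scope)."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


GROUP_DN = "CN=VPN-Users,OU=Groups,DC=example,DC=local"  # constructed

# Constructed directory: users live under OUs; the group is a leaf object whose
# membership is carried by member (on the group) and memberOf (on the user).
DIRECTORY = [
    {"dn": "CN=alice,OU=Staff,DC=example,DC=local", "objectClass": "user",
     "memberOf": [GROUP_DN]},
    {"dn": "CN=bob,OU=Staff,DC=example,DC=local", "objectClass": "user",
     "memberOf": []},
    {"dn": "CN=carol,OU=Contractors,DC=example,DC=local", "objectClass": "user",
     "memberOf": [GROUP_DN]},
    {"dn": GROUP_DN, "objectClass": "group",
     "member": ["CN=alice,OU=Staff,DC=example,DC=local",
                "CN=carol,OU=Contractors,DC=example,DC=local"]},
]


def users_under_base(directory: list[dict], base_dn: str) -> list[str]:
    """User objects a search base alone would return (subtree scope)."""
    return sorted(e["dn"] for e in directory
                  if e["objectClass"] == "user" and is_under_base(e["dn"], base_dn))


def users_in_group(directory: list[dict], base_dn: str, group_dn: str) -> list[str]:
    """Users matching (&(objectClass=user)(memberOf=group_dn)) under base_dn:
    the AND of a broad base and group membership, rather than an OR of two bases."""
    wanted = group_dn.lower()
    return sorted(e["dn"] for e in directory
                  if e["objectClass"] == "user"
                  and is_under_base(e["dn"], base_dn)
                  and wanted in [g.lower() for g in e.get("memberOf", [])])


def ldap_filter_for_group(group_dn: str) -> str:
    """The LDAP filter string expressing that AND."""
    return f"(&(objectClass=user)(memberOf={group_dn}))"


if __name__ == "__main__":
    domain_base = "DC=example,DC=local"
    print("group DN as search base :", users_under_base(DIRECTORY, GROUP_DN))
    print("domain as search base   :", users_under_base(DIRECTORY, domain_base))
    print("domain base + group AND :", users_in_group(DIRECTORY, domain_base, GROUP_DN))
    print("filter                  :", ldap_filter_for_group(GROUP_DN))
```

The first call returns an empty list (the situation where nobody can log in any more); the second returns every user in the domain; the third returns only the VPN group members while still leaving the broad base in place for SSO users.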