
How can I lock down the User Portal to a specific AD Group?

I am manually migrating from UTM 9.X to XG and I am really enjoying this; however, I can't seem to find where I can lock down the User Portal logins to a particular group in my Active Directory.

I found where I can control which adapters the User Portal is available on (LAN versus WAN), but this seems to evade me :(



  • Hi,

    I am sorry for picking up this topic after 2 months, but I may need some more help. I am currently trying to do exactly what JohnDoe2 tried to do: lock down VPN and User Portal to a specific AD group. In my case this is the VPN-Users group, which are the only ones who are allowed to access the portal and create a tunnel!

    In the AD authentication server setting I added the correct search query, which is: "CN=VPN-User,OU=....,DC=...."

    But unfortunately after that, I am not able to log in any more. It does make sense at some point, because you can't authenticate the user in the group. But also adding another search query that is more general does not do what I want, because it creates an OR instead of an AND.

    So the basic question is: what search query is required to limit the login to the users of a specific group?

  • Hi Robert,

    The answer does unfortunately depend on your AD structure: the search base will lock down which users can authenticate against the appliance. The indication would be that you have possibly gone a little too far in one direction or another, and as a result the filter is not returning a list of users to authenticate.

    Your selection of users that can authenticate VPN sessions can be performed as a subset of the user selection criteria, based on AD group membership.

    Leon Friend

    Sophos Sales Engineer

    Sophos XG Firewall - Certified Architect, Sophos Certified Engineer, Cyberoam CCNSE, Cyberoam CCNSP
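To make Leon's point concrete, here is an added illustration in Python. It is not Sophos code and says nothing about which XG field takes which value; it is a tiny in-memory model of an AD subtree with constructed DNs and accounts. The first query uses the group's DN as the search base, which appears to be what Robert configured, and finds no users, because a group is a leaf object with no user entries beneath it. The second keeps the base at the domain and adds a memberOf term, which ANDs group membership with the user lookup instead of the OR that a second, broader search base produces.

```python
# Constructed sample directory for the example (not real DNs): DN -> attributes.
# LDAP attributes are multi-valued, so every value is a list.
GROUP_DN = "CN=VPN-Users,OU=Groups,DC=example,DC=com"
DOMAIN_DN = "DC=example,DC=com"

DIRECTORY = {
    "DC=example,DC=com": {"objectClass": ["domain"]},
    "OU=Users,DC=example,DC=com": {"objectClass": ["organizationalUnit"]},
    "OU=Groups,DC=example,DC=com": {"objectClass": ["organizationalUnit"]},
    GROUP_DN: {"objectClass": ["group"],
               "member": ["CN=alice,OU=Users,DC=example,DC=com",
                          "CN=bob,OU=Users,DC=example,DC=com"]},
    "CN=alice,OU=Users,DC=example,DC=com": {"objectClass": ["user"],
        "sAMAccountName": ["alice"], "memberOf": [GROUP_DN]},
    "CN=bob,OU=Users,DC=example,DC=com": {"objectClass": ["user"],
        "sAMAccountName": ["bob"], "memberOf": [GROUP_DN]},
    # carol is a valid domain user but not in VPN-Users: she must be rejected
    "CN=carol,OU=Users,DC=example,DC=com": {"objectClass": ["user"],
        "sAMAccountName": ["carol"], "memberOf": []},
}


def _dn_parts(dn):
    """Split a DN into RDNs, lower-cased because AD matches DNs case-insensitively."""
    return [part.strip().lower() for part in dn.split(",")]


def in_subtree(entry_dn, base_dn):
    """True when entry_dn is the base itself or sits anywhere beneath it."""
    entry, base = _dn_parts(entry_dn), _dn_parts(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


def _split_top_level(text):
    """Split '(a=1)(b=2)' into ['(a=1)', '(b=2)'], respecting nesting."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(text[start:i + 1])
    return parts


def parse_filter(text):
    """Parse the RFC 4515 subset used here: equality, & and |. No escaping."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % text)
    body = text[1:-1]
    if body[:1] in ("&", "|"):
        return (body[0], [parse_filter(p) for p in _split_top_level(body[1:])])
    attr, value = body.split("=", 1)  # first '=' only: DN values contain '='
    return ("=", attr, value)


def matches(attrs, node):
    """Evaluate a parsed filter against one entry's attributes."""
    if node[0] == "&":
        return all(matches(attrs, child) for child in node[1])
    if node[0] == "|":
        return any(matches(attrs, child) for child in node[1])
    _, attr, wanted = node
    lowered = {k.lower(): v for k, v in attrs.items()}
    return any(v.lower() == wanted.lower() for v in lowered.get(attr.lower(), []))


def ldap_search(base_dn, filter_text, directory=DIRECTORY):
    """Subtree search: sorted DNs under base_dn whose attributes satisfy the filter."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, attrs in directory.items()
                  if in_subtree(dn, base_dn) and matches(attrs, node))


def users_under_group_base():
    # Group DN as search base: nothing lives beneath a group, so no user is found.
    return ldap_search(GROUP_DN, "(objectClass=user)")


def users_by_membership():
    # Domain base plus memberOf: 'is a user' AND 'is in VPN-Users'.
    return ldap_search(DOMAIN_DN, "(&(objectClass=user)(memberOf=%s))" % GROUP_DN)


def login_allowed(sam_account_name):
    # Per-login check: exactly one user with this account name who is in the group.
    hits = ldap_search(DOMAIN_DN,
                       "(&(objectClass=user)(sAMAccountName=%s)(memberOf=%s))"
                       % (sam_account_name, GROUP_DN))
    return len(hits) == 1


if __name__ == "__main__":
    print("group as base  :", users_under_group_base())
    print("memberOf filter:", users_by_membership())
    for name in ("alice", "carol", "mallory"):
        print(name, "->", "allowed" if login_allowed(name) else "denied")
```

Two caveats carry over to a real directory: the memberOf attribute only lists direct membership, so users who belong to VPN-Users through a nested group do not match a plain memberOf term (AD offers the LDAP_MATCHING_RULE_IN_CHAIN rule, OID 1.2.840.113556.1.4.1941, for chained membership), and a filter that contains parentheses or other special characters needs RFC 4515 escaping, which this toy parser omits. Running the same base and filter with a standard ldapsearch client before pointing the appliance at them is the quickest way to confirm they actually return the intended users.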

