This document is applicable to all the XG Firewalls running all versions. To integrate the XG firewall with Azure AD, we need to create a new service called “Azure AD Domain services”.
With this integration, administrators can use Azure AD for the following:
Note: SSO with synchronized security and Azure AD needs to meet some specific requirements which are outside the scope of this document.
Azure AD DS replicates identity information from Azure AD to a Microsoft-operated set of domain controllers, so it works with Azure AD tenants that are cloud-only, or synchronized with an on-premises AD DS environment. The same set of Azure AD DS features exists for both environments.
Azure AD domain services offer an LDAP interface to XG that can replicate the working of an on-premise Active Directory. This article assumes there is an existing Azure AD environment in place.
Note: The following step is required for cloud-only user accounts in Azure AD, as the Azure AD account is not synchronized with AD domain services until the user has changed the password by logging in to their office365 login. This password change process causes the password hashes for Kerberos and NTLM authentication to be generated and stored in Azure AD.
Note: Azure accepts self-signed certificates for this purpose. In this example, we use OpenSSL to generate a self-signed chain of certificates. Azure only accepts certs with “extendedkeyusage for server authentication”.
Below is the process to generate self-signed Certs with EKU:serverauth:
$ openssl req -new -key ldapssl_private.key -out azureADldapssl.csrYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) []:CAState or Province Name (full name) []:ONLocality Name (eg, city) []:BurlingtonOrganization Name (eg, company) []:firewallinaboxOrganizational Unit Name (eg, section) []:Sales EngineeringCommon Name (eg, fully qualified host name) []:<yourdomainname>Email Address []:<email@email.com>
Please enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:<Password>
Convert the certificate into PFX format, as Azure accepts the certs in the PFX format.$ openssl pkcs12 -export -out XGazureADcert.pfx -inkey ldapssl_private.key -in azureADcert.crt -certfile azureADca.crtEnter Export Password:Verifying - Enter Export Password:
Next, upload the XGazureADcert.pfx file into Azure AD.
Thanks for the manual, I have a problem at the end of this integration, I import a group all right but when i try to see the users of the group it doesn't appear anyone
It's a shame Azure AD Domain Services is far too expensive for small networks.
Does this just require an Azure AD Premium P1 license for each user, or will there be additional Azure costs as well?
No - You just need a Azure AD (Free). But you need to activate Azure AD Domain Services. Its a separate service compared to AD.
https://azure.microsoft.com/en-us/pricing/details/active-directory-ds/
__________________________________________________________________________________________________________________
Which starts at GBP 81/month for the smallest configuration. Why can't the XG connect directly to Azure AD? Central does.
We're looking to use MFA with MS authenticator app for Sophos SSLVPN. Would this be possible with this approach?
As LDAPs does not support MFA natively, there must be some sort of mechanism in between Sophos Firewall and Azure AD LDAP-service, that only responds with a 'SUCCESS' after the access is approved through the MS authenticator app (2nd factor) and both the correct password (1st factor)? Is this something like 'Azure conditional access' can play a role in?
Sophos supports a Radius server.
See: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/124501/3-ways-to-setup-xg-18-with-duo-2fa
It is a similar request, simply replace duo with Azure MFA. But you need a Radius Server.
Hello,
I have tried to follow these steps, but get to the following :
req -new -key ldapssl_private.key -out azureADldapssl.csr
I get the following error :
"problem creating object tsa_policy1=1.2.3.4.1
47132:error:08064066:object identifier routines:OBG_create:oid exists:crypto\objects\obj_dat.c698:error in req"
Has any got a fix?
Hello, Is it possible to have this Azure AD integration along with an already configured on premise Active Directory within the same Firewall?