Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: A Quick Guide for LDAPS/AD Integration With Windows Server 2022/2019/2012…

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This recommended read guides you through configuring active directory authentication and secure LDAPS on Windows server 2k22-12.

Useful Docs/KBAs related to AD authentication and user group behavior:

  • Group membership behavior with Active Directory
  • *NOTE: After Importing Active Directory groups, to see the users under “Authentication > Users,” the user must authenticate once on any portal, be it a user portal or a captive portal. This is the default architect of the SFOS; the users will not be synced until authentication.

Adding Active Directory Certificate Services

Step1. Access your server manager’s dashboard > Add roles and features

Step2. Select the installation type > Role-based or feature-based installation

Step3. Select server selection

 

Step4. Select server roles > Active Directory Certificate Services

Step5. Select Next on the Features tab, AD DS, AD CS…

Step6. Select Role Services and ensure Certificate Authority is checked.

Step7. Next, turn on the option “Restart the destination server automatically if required.” Click Install.

The installation process will begin, and we’ll wait for the installation process to complete.

Configuring Active Directory Certificate Services

Step1: Post-deployment Configuration

Step2: Select Next on Credentials

Step3: Under Role Services, ensure to turn on the “Certificate Authority” option.

Step4: Select setup type as Enterprise CA

Step5: Select CA type as Root CA

Step6: Select Private key as “Create a new private key”

Step7: Click next on the Cryptography, you can change based on your requirement!!

Step8: You can verify and click next

Step9: You can select the validity period based on requirement; I chose here 99 years

Step10: Click Next on Certificate Database, and on Confirmation, click Configure

It’ll provide you with the results as per the screenshot below:

Testing LDAPS using a LDP tool

Step1. Open Windows PowerShell and type in LDP, which will help us determine if it’s successful or fails.

Step2. Go to connection under the Ldp box and click connect. Under the Server, type in localhost, type the port 636, and tick the option SSL as per the screenshot below:

Step3. And it’s a success. If it fails, just restart the server once and then perform step 2 again you mustbe able to see an output something like this below:

Adding an Active Directory Server with connection security type SSL/TLS

Step1. Under the Authentication > Servers > add

Step2. Now let’s test the connection, and the result is a success

Step3. Now let’s import a group from this AD

Step4. Added a group called TAM

Step5. Select Next on common policies for groups, review the selection and click ok on the following prompt:

Step6. Once the group is successfully imported from the AD, you’ll be able to see group under the Authentication > Groups

Step7. Now upon visiting the user section, we’ll not be able to see the username “Vivek” yet

Now, as per the *NOTE mentioned above, we’ll log into the user portal for the AD username “Vivek”

*Note: Before logging in, ensure that the AD Server is selected under Authentication > Services > Firewall authentication methods.

And then, as soon as you log in with the username credential, we get instant access in

Now, we can also see the user under the authentication > user’s section in the correct group.

 

I hope this article has helped you understand the LDAPS-AD integration and how to import users/groups.




Revamped RR
[edited by: Erick Jan at 5:34 AM (GMT -7) on 10 Oct 2024]