Sophos UTM AD integration

Question

Hello community, 
 I'm about to integrate our Sophos UTM to our newly created Active Directory domain (AD,DNS). In order for this operation to go as smoothly as possible, here are the list of changes that i will be doing beforehand in th UTM. Please let me know if i'm missing something: 
 
 1- DNS: 
 Network Services > DNS > Request Routing: Specify internal DNS server 
 
 2- Specify authentication servers: 
 Definitions & Users > Authentifcation Services > Servers: add both of our domain controllers in there 
 
 3- Join Sophos UTM to domain: 
 Definitions & Users > Authentifcation Services > SSO

One question though, should i remove all networks listed under "Allowed Networks" (Even REDs networks) on the "Network Services > DNS > Global" section since we will be running an internal DNS server? 
 
 Am i missing anything? 
 
 Cheers.

DouglasFoster · Answer

Sophos has not explained the relationship between joining the domain and configuring an AD authentication server. Here is what I think is involved: 
 
 Domain join is needed for web filter to do transparent authentication (AD SSO). It is sufficient for all domains that are trusted by the connected domain. I don't think there is any way to do AD SSO for a second domain that is untrusted. 
 AD Authentication server is used for logins to User Portal, WAF, SSL Client, and optionally WebAdmin. AD Authentication server is probably needed to evaluate group memberships for web filter policy enforcement. 
 
 At any rate, I joined my UTM to the domain before I configured the AD authentication server, because I assumed that order was necessary. 
 Authentication servers are evaluated in order of precedence. You can actually see this step-by-step process in the user authentication log. If you configure two domain controllers for the same domain, any single typing error will be attempted and rejected by each configured authentication server. This will cause user lockouts to happen twice as fast, so you need to decide if this is acceptable. I have only configured one DC, but mine have very high uptime, so it has not been a problem. As a compromise, you might consider configuring both domain controllers but leaving the secondary one disabled until it is needed, and then enable it manually. 
 Web Filter needs Reverse DNS lookups if you want it to contain host names instead of IP addresses. In an environment where most addresses are distributed by DHCP, host names may be preferable, so it may be desirable to configure DNS forwarders for in-addr.arpa address ranges as well as your forward lookup ranges. 
 Web filtering is the strongest part of UTM, but it has some complexity. Firewall Rules behavior is the weakest and least intuitive. I have attempted to document everything that I wished was in the Administration Manual. Most of that material is in the Recommended Read section. There is also a Web Filter Lessons Learned at the top of the Web Filter topic/forum area.