
SSL VPN users authenticated by AD Security Group

Hi all,

 

I have an instance of Sophos UTM running in AWS. I have set up a remote authentication server with our AD and all is working fine. There is a security group in AD that is intended for SSL VPN users.

I have created a backend membership group on the UTM and limited it to the SSL VPN group in AD.

 

I have set up and tested SSLVPN with the default "Active Directory Users" group and it is fine. Users can log into the User Portal and access the Remote Access menu to download the installer and can connect and access internal resources. The issue begins when I change the group on the SSL VPN config to the SSL VPN Users group as per screenshot above.

When I do this, the Remote Access option disappears from their User Portal and they can no longer connect.

 

 

It looks like the UTM can't see the membership of that group, but I added the group to the Prefetch list and ran a prefetch and it finds the group members and creates them on the UTM as per the log below.

 

2017:04:21-16:31:48 utm user_prefetch[12013]: ------------------------------------------------------------
2017:04:21-16:31:48 utm user_prefetch[12013]: Starting synchronization for adirectory
2017:04:21-16:31:48 utm user_prefetch[12013]: ------------------------------------------------------------
2017:04:21-16:31:48 utm user_prefetch[12013]: ------------------------------------------------------------
2017:04:21-16:31:48 utm user_prefetch[12013]: Searching for users
2017:04:21-16:31:48 utm user_prefetch[12013]: ------------------------------------------------------------
2017:04:21-16:31:48 utm user_prefetch[12013]: Connecting to ldap server
2017:04:21-16:31:48 utm user_prefetch[12013]: ldap server: ldap://192.168.0.X:389
2017:04:21-16:31:48 utm user_prefetch[12013]: Context 'CN=Sophos UTM SSLVPN Users,OU=Security Groups,OU=MyBusiness,DC=XXX,DC=local' is a group. Adding group members:
2017:04:21-16:31:48 utm user_prefetch[12013]: CN=test1,OU=Test Accounts,OU=Users,OU=MyBusiness,DC=XXX,DC=local
2017:04:21-16:31:48 utm user_prefetch[12013]: ------------------------------------------------------------
2017:04:21-16:31:48 utm user_prefetch[12013]: Performing ldap search:
2017:04:21-16:31:48 utm user_prefetch[12013]: searching 'CN=test1,OU=Test Accounts,OU=Users,OU=MyBusiness,DC=XXX,DC=local'
2017:04:21-16:31:48 utm user_prefetch[12013]: Ldap search returned 1 users
2017:04:21-16:31:48 utm user_prefetch[12013]: Search time: 0m 0s
2017:04:21-16:31:48 utm user_prefetch[12013]: ------------------------------------------------------------
2017:04:21-16:31:48 utm user_prefetch[12013]: Adding/updating users
2017:04:21-16:31:48 utm user_prefetch[12013]: ------------------------------------------------------------
2017:04:21-16:31:48 utm user_prefetch[12013]: # 1 Updating user test1
2017:04:21-16:31:48 utm user_prefetch[12013]: 1 user objects were found:
2017:04:21-16:31:48 utm user_prefetch[12013]: 0 users were created
2017:04:21-16:31:48 utm user_prefetch[12013]: 1 user was updated
2017:04:21-16:31:48 utm user_prefetch[12013]: 0 users are authenticated locally.
2017:04:21-16:31:48 utm user_prefetch[12013]: Overall time: 0m 0s
 
 
Any ideas? Am I doing something wrong here or is this a bug?
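As an added example (not from the original post and not Sophos code), here is a small Python parser for the user_prefetch log format shown above. It pulls out the LDAP server URL, the group DN that the prefetch resolved, the member DNs listed under it and the found/created/updated counts, then compares the synced users against a set of accounts that are expected to be in the VPN group. That turns a log like this one into a quick check for members the UTM did not pick up, or members that should not be there. The sample log below is constructed from the lines in the post; the expected-user set is an assumption. The parser also records the URL scheme, since the log shows a plain ldap:// connection on port 389 rather than ldaps.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an excerpt in the user_prefetch format the post shows.
SAMPLE_LOG = """\
2017:04:21-16:31:48 utm user_prefetch[12013]: Connecting to ldap server
2017:04:21-16:31:48 utm user_prefetch[12013]: ldap server: ldap://192.168.0.X:389
2017:04:21-16:31:48 utm user_prefetch[12013]: Context 'CN=Sophos UTM SSLVPN Users,OU=Security Groups,OU=MyBusiness,DC=XXX,DC=local' is a group. Adding group members:
2017:04:21-16:31:48 utm user_prefetch[12013]: CN=test1,OU=Test Accounts,OU=Users,OU=MyBusiness,DC=XXX,DC=local
2017:04:21-16:31:48 utm user_prefetch[12013]: ------------------------------------------------------------
2017:04:21-16:31:48 utm user_prefetch[12013]: Ldap search returned 1 users
2017:04:21-16:31:48 utm user_prefetch[12013]: # 1 Updating user test1
2017:04:21-16:31:48 utm user_prefetch[12013]: 1 user objects were found:
2017:04:21-16:31:48 utm user_prefetch[12013]: 0 users were created
2017:04:21-16:31:48 utm user_prefetch[12013]: 1 user was updated
"""

# One log line: timestamp, host, process name with pid, then the message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"user_prefetch\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
SERVER_RE = re.compile(r"^ldap server: (?P<url>\S+)$")
GROUP_RE = re.compile(r"^Context '(?P<dn>.+)' is a group\. Adding group members:$")
FOUND_RE = re.compile(r"^Ldap search returned (?P<n>\d+) users?$")
CREATED_RE = re.compile(r"^(?P<n>\d+) users? (?:was|were) created$")
UPDATED_RE = re.compile(r"^(?P<n>\d+) users? (?:was|were) updated$")
UPDATING_RE = re.compile(r"^# \d+ (?:Updating|Creating) user (?P<name>\S+)$")
# First RDN of a DN; backslash-escaped commas inside the value are tolerated.
CN_RE = re.compile(r"^CN=(?P<cn>(?:\\.|[^,])*)", re.IGNORECASE)


def cn_of(dn: str) -> str:
    """Return the CN value of a DN, or '' if the DN does not start with CN=."""
    m = CN_RE.match(dn)
    return m.group("cn") if m else ""


@dataclass
class PrefetchReport:
    server_url: str = ""
    group_dn: str = ""
    member_dns: list = field(default_factory=list)   # DNs listed under the group
    synced_users: list = field(default_factory=list) # users the UTM created/updated
    found: int = 0
    created: int = 0
    updated: int = 0

    @property
    def server_scheme(self) -> str:
        return self.server_url.split("://", 1)[0] if "://" in self.server_url else ""

    @property
    def member_cns(self) -> list:
        return [cn_of(dn) for dn in self.member_dns]


def parse_prefetch_log(text: str) -> PrefetchReport:
    report = PrefetchReport()
    in_member_list = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a user_prefetch line
        msg = m.group("msg")
        if in_member_list:
            if msg.upper().startswith("CN="):
                report.member_dns.append(msg)
                continue
            in_member_list = False  # member list ends at the first non-DN line
        if (s := SERVER_RE.match(msg)):
            report.server_url = s.group("url")
        elif (g := GROUP_RE.match(msg)):
            report.group_dn = g.group("dn")
            in_member_list = True
        elif (f := FOUND_RE.match(msg)):
            report.found = int(f.group("n"))
        elif (c := CREATED_RE.match(msg)):
            report.created = int(c.group("n"))
        elif (u := UPDATED_RE.match(msg)):
            report.updated = int(u.group("n"))
        elif (w := UPDATING_RE.match(msg)):
            report.synced_users.append(w.group("name"))
    return report


def check_sync(report: PrefetchReport, expected_users: set) -> dict:
    """Compare what the prefetch synced with who is expected to hold VPN access."""
    synced = set(report.synced_users)
    return {
        "group": cn_of(report.group_dn),
        "missing": sorted(expected_users - synced),       # expected but not synced
        "unexpected": sorted(synced - expected_users),    # synced but not expected
        "counts_consistent": len(report.member_dns) == report.found
                             == report.created + report.updated,
        "ldap_encrypted": report.server_scheme == "ldaps",
    }


if __name__ == "__main__":
    # Assumed expected membership: test1 plus a second account that is not in the log.
    print(check_sync(parse_prefetch_log(SAMPLE_LOG), {"test1", "test2"}))
```

Run over the post's own log, the report shows the group resolved to a single member, test1, and that member was updated rather than created, so the UTM clearly reads the group; a mismatch between the synced list and the expected list is where to look first when the group-restricted VPN profile behaves differently from the "Active Directory Users" one.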
 

