This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Setting up AD-sync / Group-Membership

Hello,

I decided to sync my Sophos with AD. The reasons are two: VPN Group-Sync from AD, and Webfiltering that should be user-based.

Reading the manual, reading forums, I decided to set it up.

Basically, Sophos seems to sync with AD. I tried prefetching, and that created users on the Sophos (but that is not what I want - now I have a bunch of local users). What I really want is Sophos "reading" the Group Membership in the AD, and then deciding if it's OK to access...

So what I basically did:

I created a dynamic membership group for VPN Users on the Sophos, and limited it to the single AD-Group, which contains users that should have SSL VPN access.

While I can confirm that if I prefetch the user, he is able to connect to the VPN with his windows password, but if I delete the user on the Sophos, and leave the group only, VPN connection fails.

For other settings, I have (in Authentication Services -> Advanced) AD Group Membership background sync enabled. I also synchronized manually. Prefetch is now empty, as I don't want it creating any users. And of course, this group on the Sophos (which is now synced with the AD group) is the one that is now in the VPN profile.

Reading this post, I'm thinking it must be possible:

https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/34038/how-to-sync-active-directory-users

I also checked the logs for VPN and authentication services:

VPN:

2020:05:06-21:53:40 xxxxxx openvpn[5144]: xx.xxx.xx.xxx:xxxxx SENT CONTROL [username]: 'AUTH_FAILED' (status=1)
2020:05:06-21:53:45 xxxxxx openvpn[5144]: xx.xxx.xx.xxx:xxxxx SIGTERM[soft,delayed-exit] received, client-instance exiting
 
Auth Services:
2020:05:06-21:53:39 xxxxxx aua[3528]: id="3006" severity="info" sys="System" sub="auth" name="Running _cleanup_up_children with max_run_time: 20"
2020:05:06-21:53:39 xxxxxx aua[29630]: id="3006" severity="info" sys="System" sub="auth" name="Trying ip-domain-controller (adirectory)"
2020:05:06-21:53:39 xxxxxx aua[29630]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="ip-vpn-client" host="" user="username" caller="openvpn" reason="DENIED"
 
Why denied?? Wat am I missing? Apparently Sophos is not querying the AD for the credentials and/or not passing them to the VPN profile. Any ideas?

Thank you



This thread was automatically locked due to age.
Parents
  • Hi Kosta

    The SSL-VPN-Solution on the UTM is an OpenVPN-Server which is additionally activated to make use of user based Certificates.

    Therefore a profile consists of four mandatory Parts:

    1. Configuration information (Servername, Port, Cyphers, etc.)

    2. Server Certificate to valitade the Server-Peer

    3. User Certificate to validate the Client-Peer

    4. User private key from the user certificate

    Part 3. and 4. are calculated by the UTM during user creation and stored locally on the UTM within the user object.

    It can't be stored in the AD. Therefore you need the local user object on the UTM which matches with the AD-Object.

    During VPN-Connection both has to be established: Certificate based OpenVPN-Connection and authentication (locally or Backend/ AD). Additionally you might setup a third factor on the UTM which can be a time based OneTimePassword (tOTP), which will be authenticated locally in parallel to the backend athentication.

    User creation can be done automatically during logon or via prefetch mechanism.

    In short: No local user -> no ssl-vpn-Possibility with the UTM (same on XG-Firewall, as far as I know).

    If you accept the local User-Object (which never has to be touched anyway and is allways held in sync by the UTM), You'll get a nice multifactor VPN-Solution which is nearly an additional free gift on the UTM.

    Negative: It is a very old version of the OpenVPN-Server and Sophos ist very slow on updating and neither communicates changes in a proper way if they happen. Additionally the client tap-driver is signed with a Sophos certificate which expired in 2016 (ridiculous for a company which provides "security").

    On the roadmap of Sophos there is a change to the Sophos VPN-Client (beta-Version is avalable for 1,5years already), which can establish SSL and IPSec-Connections. There they leave out the certificate which is a strong regression (in my opinion) -> but it might work without a local user object - I don't know.

    If you evaluate that -> please give Feedback in your post.

    Cheers, Janbo

    ---

    janbo.noerskau@comedia.de UTM lover ;-)

Reply
  • Hi Kosta

    The SSL-VPN-Solution on the UTM is an OpenVPN-Server which is additionally activated to make use of user based Certificates.

    Therefore a profile consists of four mandatory Parts:

    1. Configuration information (Servername, Port, Cyphers, etc.)

    2. Server Certificate to valitade the Server-Peer

    3. User Certificate to validate the Client-Peer

    4. User private key from the user certificate

    Part 3. and 4. are calculated by the UTM during user creation and stored locally on the UTM within the user object.

    It can't be stored in the AD. Therefore you need the local user object on the UTM which matches with the AD-Object.

    During VPN-Connection both has to be established: Certificate based OpenVPN-Connection and authentication (locally or Backend/ AD). Additionally you might setup a third factor on the UTM which can be a time based OneTimePassword (tOTP), which will be authenticated locally in parallel to the backend athentication.

    User creation can be done automatically during logon or via prefetch mechanism.

    In short: No local user -> no ssl-vpn-Possibility with the UTM (same on XG-Firewall, as far as I know).

    If you accept the local User-Object (which never has to be touched anyway and is allways held in sync by the UTM), You'll get a nice multifactor VPN-Solution which is nearly an additional free gift on the UTM.

    Negative: It is a very old version of the OpenVPN-Server and Sophos ist very slow on updating and neither communicates changes in a proper way if they happen. Additionally the client tap-driver is signed with a Sophos certificate which expired in 2016 (ridiculous for a company which provides "security").

    On the roadmap of Sophos there is a change to the Sophos VPN-Client (beta-Version is avalable for 1,5years already), which can establish SSL and IPSec-Connections. There they leave out the certificate which is a strong regression (in my opinion) -> but it might work without a local user object - I don't know.

    If you evaluate that -> please give Feedback in your post.

    Cheers, Janbo

    ---

    janbo.noerskau@comedia.de UTM lover ;-)

Children
  • Hah, I was thinking somewhere along those lines: no user, no certificate, but nevertheless that post confused me. I already have a prefetch group and it's working great all in all, I was just thinking if there might be a way without local user, that would be even better. I was thinking somewhere along the lines of Server 2019 CA, which we have...

    I was actually evaluating the XG couple of months ago, but concluded I'm still better off with UTM.

    Right now, our UTM license is still valid. When it expires, I'll consider other solutions though, as UTM is all but dead in the water really.

    Thank you.