
Best Practice for defining AD Authentication Servers

I actually have two questions related to backend AD Authentication and web protection on a Sophos UTM 9 version 9.411-3

We recently had an issue with our Primary AD controller (DC1) which prevented users from authenticating and getting through the web protection. AD Authentication is required. Of course, we do have a secondary AD controller (DC2), but that was never defined in Authentication Services > Servers. I did go back into Authentication Services > Servers and I added DC2, but was not sure if that was the correct method to ensure HA for backend authentication. DC1 was put back into service before I could determine if DC2 had taken over on the Sophos UTM 9. If I have two servers defined for the same domain, will each be used for authentication should one fail? Is the order in which they are listed important?

Second question is related to dynamic group membership (AD). I have two primary groups set up for web filtering back on the domain controllers - filtered_web_access and unlimited_web_access (for example - CN=filtered_web_access,CN=Users,DC=corp,DC=XXXXMYDOMAINXXXX,DC=com). I also have Enable AD group membership background sync checked. My question is - how do I see, from the Sophos UTM point of view, who is a member of those groups? I have been unable to find a GUI interface that displays that. Maybe a console command is available?



  • Kipland, you might want to check out Configuring HTTP/S proxy access with AD SSO and #6 in Rulz. It sounds like you've already taken the thoughts in those into account.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks, Bob. I have read that and it really only talks about authenticating to a single domain controller. I also read Rulz several times in the past and again just now. Great info for someone like me since this is the only Sophos with all subscriptions used in a backoffice environment that I have configured. I have others but only used in datacenters with Linux behind them. No web proxy, no email proxy, no AD SSO. This is a new adventure for me. Appreciate your response.

  • answer1:

    Creating two authentication servers with two DCs is an option, but one authentication error counts twice within AD.

    Currently I prefer an availability group containing both DCs, with the LDAP port as the test.

    answer2:

    First ... check the best practice (and Rulz) from Bob.

    Testing the group membership is possible within the authentication-server definition.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • dirkkotte said:
    Currently I prefer an availability group containing both DCs, with the LDAP port as the test

    Ah - yes. I was thinking about using an availability group since it's pretty much the same as DNS best practice. I will need to look deeper into testing the group membership.

  • Just to follow up and describe what my final configuration is.

    1. Defined the Availability Group with TCP:389 monitoring ...

    2. Defined (updated) the Authentication server ...

    Running the two tests as shown in the screenshot above proved successful. I won't know if this really works without bringing down DC1 or temporarily disconnecting it.
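The follow-up above relies on the availability group's TCP:389 health check to move authentication from a failed DC1 to DC2. The script below is an added illustration of that check, written for this thread; it is not code from the original posts or from Sophos. It probes each listed DC on the LDAP port in order and returns the first one that answers, which is the failover behaviour the poster could not confirm without taking DC1 down. All hosts and ports are constructed: a local TCP listener stands in for the healthy DC2 and a closed local port for the failed DC1. The caveat a practitioner should keep in mind is the one the poster hints at: a completed TCP handshake on 389 only shows the port is open, not that the DC can actually bind and answer group-membership queries.

```python
"""Reachability probe modelled on a UTM availability group with a TCP:389 test.

Added example for this thread (not Sophos UTM code). It checks each domain
controller in order on the LDAP port and picks the first one that answers.
"""
import socket
from typing import Iterable, List, Optional, Tuple

LDAP_PORT = 389  # the port the availability group in the thread monitors

DC = Tuple[str, int]  # (host, port)


def ldap_port_open(host: str, port: int = LDAP_PORT, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    This is only a reachability test, equivalent to the availability-group
    monitor: it does not bind to LDAP or verify that authentication works.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, DNS failure
        return False


def select_backend(dcs: Iterable[DC], timeout: float = 2.0) -> Optional[DC]:
    """Walk the DC list in the configured order and return the first live one.

    Returns None when no listed DC answers, which is the case where users
    would be unable to authenticate through web protection at all.
    """
    for host, port in dcs:
        if ldap_port_open(host, port, timeout):
            return (host, port)
    return None


def _start_fake_dc() -> Tuple[socket.socket, int]:
    """Constructed stand-in for the healthy DC2: a bare TCP listener on loopback."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 = let the OS pick a free port
    srv.listen(5)
    return srv, srv.getsockname()[1]


def _closed_port() -> int:
    """Constructed stand-in for the failed DC1: a loopback port nothing listens on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()  # release it so connections to it are refused
    return port


def demo() -> Tuple[dict, Optional[DC], int, int]:
    """Run the probe against one dead and one live constructed DC.

    Returns (per-DC status, chosen backend, dead port, live port).
    """
    srv, live_port = _start_fake_dc()
    dead_port = _closed_port()
    try:
        # Listed in the order the UTM would try them: failed DC1 first, DC2 second.
        dcs: List[DC] = [("127.0.0.1", dead_port), ("127.0.0.1", live_port)]
        status = {f"{h}:{p}": ldap_port_open(h, p, timeout=0.5) for h, p in dcs}
        chosen = select_backend(dcs, timeout=0.5)
        return status, chosen, dead_port, live_port
    finally:
        srv.close()


if __name__ == "__main__":
    status, chosen, _, _ = demo()
    for target, up in status.items():
        print(f"{target}: {'reachable' if up else 'DOWN'}")
    print("backend selected:", chosen)
```

Against a real environment, replace the constructed loopback entries with the DC hostnames on port 389 (or 636 for LDAPS); the order in the list is the order the probe falls through, which answers the poster's question about ordering only for this script, not for how the UTM itself iterates its group members.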