I'm taking over a Sophos UTM (standby cluster) integrated with Active Directory (authentication server, SSO).
Software is 9.705-3 on Sophos HW SG550

AD users are able to log in to the portal and also the users are created within the UTM as expected.
Currently there is one SSL VPN Profile (Group "Active Directory Users") which enables all AD users to connect - that is working fine.

We now wanted to create AD Groups to control a little bit "who" is able to log in and with which profile (there are a lot of how-tos).
That's where our issue starts, but I didn't find a solution anywhere.

Issue is that the new groups are totally ignored and removing this "Active Directory Users" Group results in no one being able to connect anymore.

Debug steps I did already:
* Authentication Servers are set up and working - a test with my user shows "Passed" and gives me all UTM groups I'm a member of - also the mentioned VPN groups I've created and used in the SSL VPN profiles.
* Adding my UTM user (backend authenticated) directly also has no effect at all
* Sophos support didn't find a solution for this so far (we started a case months ago but did not follow up anymore - will have to restart this)

My current guess is that there is some kind of bug with our configuration.
One thing which "might" cause it is that we have two AD servers but four authentication backend servers defined... two per server with different base-OUs as we are in the middle of a migration - so users and groups are in different base-OUs currently - but I guess that's not correct.
The plan would be either to move everything into the same base-OU, or set the base-OU to the domain root anyway, but does anyone know if this could cause the issue we are facing?
There is also a RADIUS backend that is no longer used.

I've already tested it with a group being in the same base-OU as the user, but that didn't work either.

I thought at least adding my AD cloned user to another profile directly will result in some reconnect with combined routes but it just did nothing.
Doing this with a local user (locally authenticated) results in the expected behavior.

* Groups are working
* Users can authenticate (portal, test auth)
* Groups can be found by UTM and users are shown as members of the groups (test auth)
* Users can use VPN (are member of the not limited AD backend Group)

Issue => AD backend users are ignored in the SSL VPN profile config when used directly or via limited AD backend groups.

Thank you for your ideas - if I need to provide any further information, I will try to do so.
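To make the base-OU guess above checkable, here is an added example (not from the post or from Sophos): it models the described layout of two DCs with two backend definitions each (users under one OU, groups under another) and reports which backends can see a user and a group at all. An LDAP subtree search scoped to a base DN never returns objects outside that subtree, so a backend whose base is the users OU cannot resolve a group object stored under the groups OU. All DNs and backend names are constructed.

```python
import re
from typing import List, Tuple

# Split a DN into RDN strings, honouring backslash-escaped commas (e.g. "cn=Doe\, John").
_RDN_SPLIT = re.compile(r'(?<!\\),')


def normalize_dn(dn: str) -> Tuple[str, ...]:
    """Return the DN as a tuple of lower-cased 'type=value' RDNs, leaf first."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, _, value = rdn.strip().partition('=')
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return tuple(rdns)


def is_under_base(dn: str, base_dn: str) -> bool:
    """True if dn lies inside the subtree rooted at base_dn (base itself included)."""
    d, b = normalize_dn(dn), normalize_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


# Constructed model of the situation in the post: two DCs, each defined twice as a
# backend, with base DNs pointing at the users OU and the groups OU respectively.
BACKENDS = [
    ("dc01 (users)",  "ou=Users,ou=Migration,dc=example,dc=local"),
    ("dc01 (groups)", "ou=Groups,ou=Group,dc=example,dc=local"),
    ("dc02 (users)",  "ou=Users,ou=Migration,dc=example,dc=local"),
    ("dc02 (groups)", "ou=Groups,ou=Group,dc=example,dc=local"),
]


def backends_covering(object_dns: List[str], backends=BACKENDS) -> List[str]:
    """Names of backends whose base DN contains every DN in object_dns."""
    return [name for name, base in backends
            if all(is_under_base(dn, base) for dn in object_dns)]


if __name__ == "__main__":
    user = "CN=jdoe,OU=Users,OU=Migration,DC=example,DC=local"
    group = "cn=VPN-SplitPOC,ou=Groups,ou=Group,dc=example,dc=local"
    print("user visible via:      ", backends_covering([user]))
    print("user+group visible via:", backends_covering([user, group]))
    print("with domain-root base: ",
          backends_covering([user, group], [("root", "dc=example,dc=local")]))
```

With the split bases no single backend covers both objects; a base of the domain root covers both, which is the second option the post considers.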

  • Please show pictures of Definitions & Users / Users and Groups / Groups.

    Also an SSL VPN profile.

  • Hi and thank you for your reply.

    Sure, what information are you looking for?

    A user looks like this... the information is coming from AD. For some reason the "Backend sync" checkbox always unchecks itself.

    The user is for example in such a backend group:

    And during a test authentication of my user, it shows this:

    The "SplitVPN Test" was a pure local group with fixed members (my autocreated AD user is inside).
    The "VPN-SplitPOC" is the backend group.

    And a SSL VPN profile looks for example like this:

    Here I put my local group, my backend group and my AD user inside - but it's completely ignored... also the downloadable profile file does not change.

    Only the SSL VPN profile with the "Active Directory Users" applies (AD Backend group without limited group membership).

    One thing I forgot to mention: The AD Groups are prefetched daily too.

    And to show what I mean with the same auth servers, different base OUs/path:

    Here I guess depending on which one is chosen it works or not... but users are in the one with base-OU Group - so currently no issue authenticating users.

  • That one looks good, please give us some more examples from Authentication Services / Advanced tab, especially the last two settings.

    Settings are like this:

    SSO background sync is enabled and one of the DCs has a scheduled prefetch active (which has the groups within the base-OU):

    Prefetch log looks clean and it's updating/creating users found in these groups...

  • If I see that right, the group "VPN-SplitVPNPOC" under ou=Groups,ou=Group is not in the list "Prefetch Directory Users".

    Please add the group "VPN-SplitVPNPOC" to the list and sync again.

    After that please try again.

  • It is, but prefetched from another DC object (since I've moved it under another base-OU to be together with the user object)... sorry, forgot to post that image too...

    And I'm also part of other VPN groups like "VPN-Internal..." which is also prefetched.
    So the Firewall is well aware of my group memberships.

    Maybe something interesting: info of my user object and where it is "used"

    Here you can see that prefetch is modifying my user and that I am in multiple groups.
    But I see the following issue: group "VPN-SplitPOC" is shown as unused... but it's clearly inserted in the SSL VPN profile.
    And also VPN-Internal-XXX is used in another SSL VPN profile...but not shown as "used" here (but in Client Authentication its shown).

  • At least on group level it shows as "used in SSL"

    And also AD backend groups are working well in other areas like webadmin access...so the issue seems to be limited to the remote access or SSL area.

  • This object being unused is normal!

    Why is the firewall profile not activated? Please activate it on the SSL profile.

    What about your license? Do you have a Home license or a paid one?

    Are you sure that all your DC connections are working?

    What if you put your AD user in the VPN profile, is that one working?

    • We have created our own firewall rules to allow only some ports, not full access to all networks. That's working perfectly.
    • We have the paid Full Guard license (everything included)
    • All DomainController connections are working, yes - but as mentioned some contain the users and some only groups (that is my guess to cause the trouble) but even if everything is under one AD server object, it doesn't work currently.
    • If I put my AD user in (mentioned earlier) also nothing happens... it's ignoring it like the group.

    As said, even the support could not find the reason why the AD groups are ignored here while they are working fine for WebAdmin access, for example. Here we also use an AD backend group to give WebAdmin access only to some AD users.

  • Two other things, maybe I'm wrong.

    You have two DCs called dc01, one has a lot of groups, the other one only one group, the group which is not working.

    What happens if you put all groups on the DC01 which already has all groups, or is that a different domain?

    Also, what happens if you enable "Enable backend sync on login"?