UTM SSL VPN profile ignoring Active Directory users

Hello, I'm new here but did not find any issue like mine, so I decided to give it a chance.

I'm taking over a Sophos UTM (standby cluster) integrated with Active Directory (authentication server, SSO).
Software is 9.705-3 on Sophos HW SG550

AD users are able to login to the portal and also the users are created within the UTM as expected.
Currently there is one SSL VPN Profile (Group "Active Directory Users") which enables all AD users to connect - that is working fine.

We now wanted to create AD Groups to control a little bit "who" is able to login and with which profile (there are lot of how to's).
That's where our issue starts, but I didn't find a solution anywhere.

Issue is that the new groups are totally ignored and removing this "Active Directory Users" Group results in no one being able to connect anymore.

Debug steps I did already:
* Authentication Servers are setup and working - test with my user shows "Passed" and gives me all UTM groups I'm member of - also the mentioned VPN groups I've created and used in the SSL VPN profiles.
* Adding my UTM user (backend authenticated) directly also has no effect at all
* Sophos support didn't find a solution for this so far (we started a case months ago but did not follow up anymore - will have to restart this)

My current guess is that there is some kind of bug with our configuration.
One thing which "might" cause it is that we have two AD servers but four authentication backend servers defined... two per server with different base-OUs, as we are in the middle of a migration, so users and groups are in different base-OUs currently, but I guess that's not correct.
The plan would be either to move everything into the same base-OU, or to set the base-OU to the domain root anyway, but does anyone know if this could cause the issue we are facing?
There is also a RADIUS backend that is no longer used.

I've already tested it with a group being in the same base-OU as the user, but that didn't work either.

I thought at least adding my AD cloned user to another profile directly would result in some reconnect with combined routes, but it just did nothing.
Doing this with a local user (locally authenticated) results in the expected behavior.

* Groups are working
* Users can authenticate (portal, test auth)
* Groups can be found by UTM and users are shown as members of the groups (test auth)
* Users can use VPN (are member of the not limited AD backend Group)

Issue => AD backend users are ignored in the SSL VPN profile config when used directly or via limited AD backend groups.

Thank you for your ideas - if I need to provide any further information, I will try to do so.

  • Hi and thank you for your reply.

    Sure, what information are you looking for?

    A user looks like this... the information comes from AD. For some reason the "Backend sync" checkbox always unchecks itself.

    The user is for example in such a backend group:

    And during a test authentication of my user, it shows this:

    The "SplitVPN Test" was a pure local group with fixed members (my autocreated AD user is inside).
    The "VPN-SplitPOC" is the backend group,

    And a SSL VPN profile looks for example like this:

    Here I put my local group, my backend group and my AD user inside, but it's completely ignored... also the downloadable profile file does not change.

    Only the SSL VPN profile with the "Active Directory Users" applies (AD Backend group without limited group membership).

    One thing I forgot to mention: The AD Groups are prefetched daily too.

    And to show what I mean with the same auth servers, different base OUs/path:

    Here I guess depending on which one is chosen it works or not... but users are in the one with base-OU Group - so currently no issue authenticating users.

  • That one looks good, please give us some more examples from Authentication Services / Advanced tab, especially the last two settings.

  • This object being unused is normal!

    Why is the firewall profile not activated? Please activate it on the SSL profile.

    What about your license? Do you have a Home license or a paid one?

    Are you sure that all your DC connections are working?

    What if you put your AD user into the VPN profile, is that one working?

    • We have created our own firewall rules to allow only some ports, not full access to all networks. That's working perfectly.
    • We have the paid full-guard license (everything included)
    • All DomainController connections are working, yes - but as mentioned some contain the users and some only groups (that is my guess to cause the trouble) but even if everything is under one AD server object, it doesn't work currently.
    • If I put my AD user in (mentioned earlier) also nothing happens... it's ignoring it like the group.

    As said, even the support could not find the reason why the AD groups are ignored here while they are working fine for WebAdmin access, for example. There we also use an AD backend group to give WebAdmin access only to some AD users.

  • Two other things, maybe I'm wrong.

    You have two DCs called dc01; one has a lot of groups, the other one only one group, the one which is not working.

    What happens if you put all groups on the DC01 which already has all the groups, or is that a different domain?

    Also, what happens if you enable "Enable backend sync on login"?

  • First I tried to put all groups together and prefetch them in one job... it did not work with any of the groups. Now I have tried to split it (put into another base-OU and therefore had to change the prefetch DC object), but no change.

    "Enable backend sync on login" I have not tried yet... I can test it, but this normally just changes the "backend sync" option in the user object... and if I enable it for my user, it doesn't change anything. Therefore I think it's not changing anything.

    I see, it's a challenging issue :D but anyway, thanks a lot for trying to help!

  • How many Groups do you have to prefetch?

  • Another thing to try is not using the string "-" in the group name. I use "_" for all my groups. But that's only a try. Sometimes "-" makes trouble.

  • There are 5 groups in total with 687 users. (Meanwhile the Sophos has over 2k user objects with related network objects and certificates... we need to clean that up soon too.)

    I've tried your good idea with removing the "-"... I have removed it in AD and in the Sophos (group and prefetch), but no change here. Still not working. I mean, it should do something when putting my user directly inside the profile, but even this is not working.

    Begin of Feb. we will change the authentication server configuration to only have 2 servers with identical Base-OU. Maybe it works afterwards.

  • Is this a domain trust issue?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob, the connected AD is a single domain, no forest (if that is meant by your question).
    And AD groups are working fine in WebAdmin for example.

    Not sure if there is a logfile somewhere on the system which could contain any information on why remote authenticated user objects are ignored in SSL VPN profiles.

    To make it clear: If I use the AD backend group, which is ignored in SSL VPN profiles, in the WebAdmin "Allowed Administrators", then the AD users inside this AD group can login into WebAdmin. It has just no effect in the SSL VPN profiles.

  • Finally I found a solution for our issue: removing the additional auth servers and keeping just our two AD servers with one Base OU fixed the issue.
    I've also changed the OU for the groups then and adjusted the prefetch.

    Now the AD groups are respected in the SSL profiles and we could remove the "Active Directory Users" group.

    Thank you anyway for all the ideas, BAlfson and RemoHehlert.
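The fix reported above boils down to scoping: an authentication backend searches only inside its configured Base DN, so when the user object lives under one OU and the VPN group under another, a backend scoped to the user's OU can authenticate the user but cannot resolve the group membership that the SSL VPN profile depends on. The following Python (standard library only) is an added example written for this page, not Sophos code; it models that subtree-scoping rule (the assumption is that each backend resolves users and groups only below its own Base DN, which is what the thread's fix points at) and reports which of a set of backend definitions can see both the user and its groups. All DNs and backend names are constructed.

```python
# Added example, not Sophos UTM code. Models an authentication backend that only
# resolves objects inside its Base DN and reports which backend definitions can
# see both a user and the groups a VPN profile relies on. DNs are constructed.


def parse_dn(dn):
    """Split an LDAP DN into (attribute, value) RDNs, honouring backslash
    escapes (e.g. 'CN=Doe\\, John') and normalising case and whitespace so
    'DC=Example' compares equal to 'dc=example'."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escaped character in the value
            buf += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    rdns.append(buf)
    out = []
    for rdn in rdns:
        attr, _, val = rdn.partition("=")
        out.append((attr.strip().lower(), val.strip().lower()))
    return out


def is_under(dn, base_dn):
    """True if dn is base_dn itself or lies anywhere in the subtree below it.
    Compared RDN by RDN, so 'OU=sers,...' is not a prefix match of 'OU=Users,...'."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def check_backends(backends, user_dn, group_dns):
    """For every backend (name -> Base DN) report whether the user is in scope
    and which groups are. A backend is only usable for group-based VPN
    profiles when the user AND every group fall under its Base DN."""
    report = {}
    for name, base in backends.items():
        user_ok = is_under(user_dn, base)
        groups_ok = [g for g in group_dns if is_under(g, base)]
        report[name] = {
            "user": user_ok,
            "groups": groups_ok,
            "usable": user_ok and len(groups_ok) == len(group_dns),
        }
    return report


def usable_backends(backends, user_dn, group_dns):
    """Names of the backends that can resolve both the user and all groups."""
    rep = check_backends(backends, user_dn, group_dns)
    return sorted(name for name, r in rep.items() if r["usable"])


# Constructed data: one DC defined three times with different Base DNs, mirroring
# the split in the thread (user OU, group OU, and the domain root as the fix).
BACKENDS = {
    "dc01-users":  "OU=Users,DC=example,DC=com",
    "dc01-groups": "OU=Groups,DC=example,DC=com",
    "dc01-root":   "DC=example,DC=com",
}
USER_DN = "CN=jdoe,OU=Users,DC=example,DC=com"
GROUP_DNS = ["CN=VPN_SplitPOC,OU=Groups,DC=example,DC=com"]

if __name__ == "__main__":
    for name, r in check_backends(BACKENDS, USER_DN, GROUP_DNS).items():
        status = "OK" if r["usable"] else "user and group not both in scope"
        print(f"{name:12s} user={r['user']!s:5s} "
              f"groups={len(r['groups'])}/{len(GROUP_DNS)}  {status}")
```

Run it as-is to see that only the backend scoped at the domain root covers both the user and the group; substitute the real Base DNs from the UTM's backend definitions and the DNs shown by a test authentication to check a live setup before consolidating backends. Note that consolidating to one Base DN is also simpler to audit: with several backends for the same directory, which one authenticated a given login, and therefore which groups were resolved, is not obvious from the profile configuration alone.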
