
UTM SSL VPN profile ignoring ActiveDirectory users

Hello, I'm new here but did not find any issue like mine, so I decided to give it a chance.

I'm taking over a Sophos UTM (standby cluster) integrated with ActiveDirectory (authentication server, SSO).
Software is 9.705-3 on Sophos HW SG550

AD users are able to login to the portal and also the users are created within the UTM as expected.
Currently there is one SSL VPN Profile (Group "Active Directory Users") which enables all AD users to connect - that is working fine.

We now wanted to create AD groups to control a little bit "who" is able to log in and with which profile (there are a lot of how-tos).
That's where our issue starts, but I didn't find a solution anywhere.

Issue is that the new groups are totally ignored and removing this "Active Directory Users" Group results in no one being able to connect anymore.

Debug steps I did already:
* Authentication Servers are setup and working - test with my user shows "Passed" and gives me all UTM groups I'm member of - also the mentioned VPN groups I've created and used in the SSL VPN profiles.
* Adding my UTM user (backend authenticated) directly also has no effect at all
* Sophos support didn't find a solution for this so far (we started a case months ago but did not follow up anymore - will have to restart this)

My current guess is that there is some kind of bug with our configuration.
One thing which "might" cause it is that we have two AD servers but four authentication backend servers defined... two per server with different base-OUs, as we are in the middle of a migration - so users and groups are in different base-OUs currently - but I guess that's not correct.
The plan would be either to move everything into the same base-OU or to set the base-OU to the domain root anyway, but does anyone know if this could cause the issue we are facing?
There is also a RADIUS backend that is no longer used.

I've already tested it with a group being in the same base-OU as the user, but that didn't work either.

I thought at least adding my AD-cloned user to another profile directly would result in some reconnect with combined routes, but it just did nothing.
Doing this with a local user (locally authenticated) results in the expected behavior.

Summary:
* Groups are working
* Users can authenticate (portal, test auth)
* Groups can be found by UTM and users are shown as members of the groups (test auth)
* Users can use VPN (are member of the not limited AD backend Group)

Issue => AD backend users are ignored in the SSL VPN profile config when used directly or via limited AD backend groups.

Thank you for your ideas - if I need to provide any further information, I will try to do so.



  • First I've tried to put all groups together and prefetch them in one job... did not work with any of the groups. Now I tried to split it (put into another base-OU and therefore had to change the prefetch DC object), but no change.

    Enable backend sync on login I have not tried yet... can test it, but this normally just changes the "background sync" option in the user object... and if I enable it for my user, it doesn't change anything. Therefore I think it's not changing anything.

    I see, it's a challenging issue :D but anyway, thanks a lot for trying to help!

  • How many groups do you have to prefetch?

  • Another thing to try is not using the string "-" in the group name. I use "_" for all my groups. But that's only a try. Sometimes "-" makes trouble.

  • There are 5 groups in total with 687 users. (Meanwhile the Sophos has over 2k user objects with related network objects and certificates... we need to clean that up soon too.)

    I've tried your good idea of removing the "-"... have removed it in AD and in the Sophos (group and prefetch), but no change here. Still not working. I mean it should do something when putting my user directly inside the profile, but even this is not working.

    At the beginning of Feb. we will change the authentication server configuration to only have 2 servers with identical base-OU. Maybe it works afterwards.

  • Is this a domain trust issue?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob, the connected AD is a single domain, no forest (if that is what your question means).
    And AD groups are working fine in WebAdmin, for example.

    Not sure if there is a log file somewhere on the system which could contain any information on "why remote authenticated user objects are ignored" in SSL VPN profiles.

    To make it clear: if I use the AD backend group, which is ignored in SSL VPN profiles, in the WebAdmin "Allowed Administrators", then the AD users inside this AD group can log in to WebAdmin. It just has no effect in the SSL VPN profiles.

  • Finally I found a solution for our issue - removing the additional auth servers and just keeping our two AD servers with one base-OU fixed the issue.
    I've also changed the OU for the groups and adjusted the prefetch.

    Now the AD groups are respected in the SSL profiles, and we could remove the "Active Directory Users" group.

    Thank you anyway for all the ideas, BAlfson and RemoHehlert