by
Etienne Liebetrau
Almost all enterprises use Windows Active Directory as their authentication store. Any non-Windows system that would like to Integrate into such an environment needs to be configured to interact with the relevant Active Directory servers and services.
In this article we are going to step through the process of integrating Sophos UTM and Active Directory using the Active Directory Single Sign On feature. We will join a Sophos UTM device to a Windows Domain and define policies for certain Active Directory groups and users.
Before a device can be joined to a domain, it needs to be able to resolve the relevant domain services. Sophos UTM can be configured to use various DNS configurations, but typically, there are only two main requirements. Resolve all internal DNS queries using an internal DNS server, and for all other queries, resolve them using an external/public DNS server.
By default during the installation wizard a DNS forwarder is created. This can be any public DNS server such as Google’s 8.8.8.8 or 8.8.4.4. If the installation wizard did not create one, add a DNS forwarder that points to a public DNS server.
This configuration will now send all DNS queries for the internal domain to your internal DNS server while sending all other DNS queries directly to the external public DNS servers.
This should resolve the public DNS record from your public DNS server.
Repeat the process, but this time specify your own internal domain.
You should now see that external names resolve externally and internal names resolve internally.
This is taken directly from the Sophos UTM management interface.
To activate Single-Sign-On functionality, the system must join the Active Directory domain. Enter the domain name (e.g. ’intranet.yourcompany.com’) of the domain you wish to join, as well as the credentials of an admin user who is allowed to add computers to that domain.
To join Sophos UTM to your Windows domain:
The join might take a minute or two. Green text will briefly display indicating a successful join. The Status line will also reflect that the Sophos UTM has joined the domain. If you like to double check you can also look for the object in Active Directory. It will be registered as a computer object similar to a domain joined PC.
In this step we will specify which Active Directory servers the Sophos UTM can use to query for groups, membership and also authenticate the user.
In order to do this, you need to know the distinguishedName (BIND DN) of the AD user account you are using for Sophos UTM.
Firstly, find the canonical name of the user account you want to use for Sophos UTM
Now we can retrieve the distinguishedName for the account using ADSI Edit.
If successful, you should get a small pop up saying "Server test passes". If not, please revise the steps above until the test succeeds.
The Base DN is the base from which user objects will be queried. The less specific, the larger the scope will be for the object to be searched.
You can and should repeat this process for additional AD servers. Using the clone button makes it easy to retain the settings.
Sophos UTM can apply policies and rules to users or groups. These groups are however local groups to the Sophos UTM.
The Sophos UTM groups can determine its members by referencing an Active Directory group. I have found it makes administration much easier to simply match the names of the Sophos UTM Groups to the names of the AD Groups. This is purely a naming convention and not required.
To create a Sophos UTM group:
Repeat this process until you have all the groups that you want to use. Note: You can also add multiple Active Directory groups into a single Sophos UTM group.
Now that the Active Directory Integrated groups have been created you can use them in your Sophos UTM policies.
To configure the forward proxy to use these groups you need to do the following.
Domain joined Windows and Apple Mac OSX machines should now be able to use the proxy without being queried for credentials. You can verify this by checking the Live Log. Look for the user= field.
Authenticated user credentials are logged by Sophos UTM and can be viewed in the on-box reports. Unfortunately, the user account name can sometimes be a non-intuitive number such as a employee id, staff number or abbreviations.
Fastvue Sophos Reporter solves this problem by mapping the user account back to the user's display name in Active Directory. Sophos Reporter also uses other Active Directory attributes such as 'department' to enable reporting by Department, Offices and Companies.
Integrating Sophos UTM with Active Directory is very simple and offers a range of benefits such as the ability to create user or group-based policies.
Web traffic is also logged with the authenticated username, allowing you to generate and distribute web activity reports for users and departments using Fastvue Sophos Reporter.
If you have any questions, please let me know in the comments!
Download our FREE 30-day trial, or schedule a demo and we'll show you how it works.
How to Enable Dark Mode in Fortinet FortiGate (FortiOS 7.0)
Sophos XG - How to Block Searches and URLs with Specific Keywords