
Active Directory Authentication across a WAN - using external WAN IP

Hello,

I'm trying to set up my XG to authenticate across a WAN to a client's Active Directory server so they can use SSLVPN with AD authentication. Our sites are connected with an MPLS WAN.

I have set up the connection, but when I attempt to test the connection it fails.

tail -f access_server.log

adsauth_bind: bind failed: Can't contact LDAP server
adsauth_test_auth: '192.168.20.12:389': bind failed for user: 'DOMAIN\Administrator'

Looking at the connection list, I can see the traffic is leaving my XG using the external WAN IP of my firewall. The traffic doesn't hit a firewall rule.

I think I need some sort of NAT rule, but I'm not sure if that would trigger before the traffic is sent. Also, what sort of NAT rule do I need? So far, any firewall rules I have tried to make don't work, as they aren't triggered for this traffic.

in Interface | out interface | Source IP       | Destination IP | Protocol | Application Name | Source Port | Destination Port | Rule ID
-            | Port2         | 220.201.xxx.xxx | 192.168.20.12  | TCP      | No Information   | 36863       | 389              | No Rule

Any ideas on how I resolve this issue?

Thank you
  • I have logged this issue with Sophos Support, they responded with the wrong information and won't respond to me again. It's been 5 days now.

    How do I get back on to the support ticketing site, I have the ID No#. All I can find is the Submit a ticket.

  • To anyone having this issue in the future, I have found the NAT rule required to solve this.

    https://community.sophos.com/kb/en-us/122999

    Before NAT rule applied:

    in Interface | out interface | Source IP       | Destination IP | Protocol | Application Name | Source Port | Destination Port | Rule ID | Translated Source
    -            | Port2         | 220.201.xxx.xxx | 192.168.20.12  | TCP      | No Information   | 36863       | 389              | No Rule | -

    After NAT rule applied (console command):

    set advanced-firewall sys-traffic-nat add destination 192.168.20.12 snatip 192.168.1.254

    in Interface | out interface | Source IP       | Destination IP | Protocol | Application Name | Source Port | Destination Port | Rule ID | Translated Source
    -            | Port2         | 220.201.xxx.xxx | 192.168.20.12  | TCP      | No Information   | 36863       | 389              | No Rule | 192.168.1.254
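As an added example (not code from this thread or from Sophos), here is a small Python checker that reads a pasted connection list like the two tables above and flags exactly the pattern shown: a flow with no in-interface (generated by the firewall itself), bound for an LDAP port on a private AD address, leaving with a non-private source and no translated source. The column layout, the two-space field separation, the port set (it also covers LDAPS and global-catalog ports, which the thread does not mention) and all sample rows are assumptions constructed to mirror the paste; the masked public address 220.201.xxx.xxx is kept as the thread shows it.

```python
"""Scan a pasted Sophos XG connection-list dump for the symptom in this thread:
LDAP from the firewall itself leaving with the public WAN address and no SNAT.

Added example, not code from the thread or from Sophos. The column layout and
the sample rows below are constructed to match what was pasted above; fields
are assumed to be separated by at least two spaces, as in that paste.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# LDAP, LDAPS and the global-catalog ports an AD bind can use (assumption: the
# thread only shows 389; the others are the standard AD listener ports).
LDAP_PORTS = {389, 636, 3268, 3269}


@dataclass
class Flow:
    in_if: str                 # '-' means the packet was generated by the firewall itself
    out_if: str
    src: str
    dst: str
    proto: str
    app: str
    sport: int
    dport: int
    rule: str                  # 'No Rule' when no firewall rule matched
    xlate_src: Optional[str]   # None when the column shows '-' or is absent


def _is_private(addr: str) -> bool:
    """RFC 1918 / ULA check. Masked values such as 220.201.xxx.xxx do not parse
    and are treated as public, which is what the thread's paste represents."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def parse_rows(text: str) -> List[Flow]:
    """Turn the pasted table into Flow records, skipping the header line."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("in interface"):
            continue
        fields = re.split(r"\s{2,}", line)
        if len(fields) not in (9, 10):          # 9 = no Translated Source column
            raise ValueError(f"unexpected column count {len(fields)}: {line!r}")
        xlate = fields[9] if len(fields) == 10 else "-"
        flows.append(Flow(
            in_if=fields[0], out_if=fields[1], src=fields[2], dst=fields[3],
            proto=fields[4], app=fields[5], sport=int(fields[6]),
            dport=int(fields[7]), rule=fields[8],
            xlate_src=None if xlate == "-" else xlate,
        ))
    return flows


def unnatted_ldap_flows(flows: List[Flow]) -> List[Flow]:
    """Flows matching the thread's failure: firewall-originated (no in-interface)
    LDAP to a private AD server, leaving with a non-private source address and
    no translated source, i.e. the 'before' table above."""
    return [
        f for f in flows
        if f.in_if == "-"
        and f.dport in LDAP_PORTS
        and _is_private(f.dst)
        and not _is_private(f.src)
        and f.xlate_src is None
    ]


def describe(flows: List[Flow]) -> List[str]:
    """One human-readable line per problem flow, for a ticket or runbook note."""
    return [
        f"{f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport} via {f.out_if}: "
        f"system-generated, no SNAT, rule={f.rule}"
        for f in unnatted_ldap_flows(flows)
    ]


# Constructed samples mirroring the thread's before/after tables, plus one
# ordinary transit flow (a LAN host talking to the same AD server) that must not
# be flagged because it has an in-interface and a private source address.
BEFORE_SAMPLE = """\
in Interface  out interface  Source IP        Destination IP  Protocol  Application Name  Source Port  Destination Port  Rule ID  Translated Source
-             Port2          220.201.xxx.xxx  192.168.20.12   TCP       No Information    36863        389               No Rule  -
Port1         Port2          192.168.1.50     192.168.20.12   TCP       No Information    50211        389               12       -
"""

AFTER_SAMPLE = """\
in Interface  out interface  Source IP        Destination IP  Protocol  Application Name  Source Port  Destination Port  Rule ID  Translated Source
-             Port2          220.201.xxx.xxx  192.168.20.12   TCP       No Information    36863        389               No Rule  192.168.1.254
"""

if __name__ == "__main__":
    for label, sample in (("before", BEFORE_SAMPLE), ("after", AFTER_SAMPLE)):
        print(label, describe(parse_rows(sample)) or ["no un-NATed LDAP flows"])
```

Run it against the connection list before and after applying the sys-traffic-nat rule from the KB article: the "before" table produces one hit and the "after" table none, tracking the Translated Source column changing from "-" to 192.168.1.254. The "-" in-interface is the tell that the traffic is generated by the firewall itself, which is why ordinary firewall rules never match it in the thread.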