
AD SSO Authentication

Hi all,

We are migrating from a UTM to XG (v18). The UTM is in router mode (as opposed to transparent gateway mode) and all users use the proxy to access the Internet. Authentication is set up on the proxy via AD SSO for user name identification purposes, so we can apply different policies to different AD users. This works well (at least, as well as any proxy can, I suppose). Clients have no additional software installed and yet authenticate silently as they start browsing - they see no pop-ups nor have to fill in any sign-in forms.

In short, can this be reproduced on the XG? The XG has AD SSO set up and working (I can import groups and log onto the user portal with an AD account). I see the proxy on port 3128, but see no way of applying authentication to it. I can browse using the proxy,

Thanks

Adrian

  • You can, but the question is, should you do it?

    XG is a "Layer8 Firewall". AD SSO in UTM is built to use authentication for web traffic; this meets the requirements perfectly. AD SSO in XG uses Kerberos/NTLM (as in UTM), but the point is, you need browser-based auth.

    Let's make this story short: if your client authenticates via the browser, each packet that does not go through the proxy will not be authenticated. So if you want to use an authentication-based firewall rule for (let's say) SSH, a browser has to be launched on the client first. So if you want to allow your administrators to use SSH no matter which client they are logged in on, AD SSO can be the wrong approach for your setup. If you simply want authentication for web-based traffic like on UTM, this is enough.


    XG has several authentication methods on hand. Most likely the priority is to map an IP to a username.

    Most customers use STAS (a small piece of software installed on AD or other servers to read the event log for each login request).

    If you are an Endpoint customer, you can use the Heartbeat to authenticate.

    For AD SSO (Kerberos/NTLM), you need to check certain things: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContent/AuthenticationTurnOnKerberos.html?hl=kerberos
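The reply above describes the identity-mapping approach (STAS reading domain-controller logon events to map an IP to a username) as the alternative to browser-based AD SSO. The following is an added example, not code from this thread and not Sophos's STAS implementation: a small Python model of that technique built on constructed Windows Security log records. Event IDs 4624 (logon), 4634 and 4647 (logoff) and the field names are real Windows ones, but the records, the `IdentityTable` class and the eight-hour staleness window are assumptions made here to show the two caveats a practitioner hits with this approach: machine and service logons must be filtered out, and on a shared workstation the last logon wins.

```python
"""
Added illustration of event-log based IP -> user identity mapping.
Not STAS; the records below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Logon types worth mapping to a client IP: 2 interactive, 3 network,
# 10 remote interactive (RDP), 11 cached interactive. Service (5) and
# batch (4) logons say nothing about who is sitting at the client.
MAPPABLE_LOGON_TYPES = {2, 3, 10, 11}
UNUSABLE_IPS = {"-", "127.0.0.1", "::1"}


@dataclass
class SecurityEvent:
    event_id: int          # 4624 logon, 4634/4647 logoff
    when: datetime
    user: str              # TargetUserName
    domain: str            # TargetDomainName
    logon_id: str          # TargetLogonId, correlates logon with logoff
    ip: str = "-"          # IpAddress (only present on 4624)
    logon_type: int = 0    # LogonType (only present on 4624)


@dataclass
class Mapping:
    user: str
    logon_id: str
    since: datetime


class IdentityTable:
    """IP -> user table fed from logon/logoff events (assumed design)."""

    def __init__(self, max_age: timedelta = timedelta(hours=8)):
        self.max_age = max_age
        self.by_ip: Dict[str, Mapping] = {}

    def ingest(self, ev: SecurityEvent) -> None:
        if ev.event_id == 4624:
            self._logon(ev)
        elif ev.event_id in (4634, 4647):
            self._logoff(ev)

    def _logon(self, ev: SecurityEvent) -> None:
        if ev.user.endswith("$"):               # machine account, skip
            return
        if ev.logon_type not in MAPPABLE_LOGON_TYPES:
            return
        if ev.ip in UNUSABLE_IPS:
            return
        # Last logon from an IP wins: a second user on a shared host
        # silently replaces the first one's policy.
        self.by_ip[ev.ip] = Mapping(f"{ev.domain}\\{ev.user}", ev.logon_id, ev.when)

    def _logoff(self, ev: SecurityEvent) -> None:
        # Logoff events carry no IP, so correlate on the logon id.
        for ip, m in list(self.by_ip.items()):
            if m.logon_id == ev.logon_id:
                del self.by_ip[ip]

    def lookup(self, ip: str, now: datetime) -> Optional[str]:
        m = self.by_ip.get(ip)
        if m is None or now - m.since > self.max_age:
            return None                          # unknown or stale
        return m.user


# Constructed sample records; timestamps and addresses are invented.
T = lambda h, m: datetime(2024, 5, 1, h, m)
SAMPLE_EVENTS = [
    SecurityEvent(4624, T(9, 0), "alice", "CORP", "0x3e7a1", "10.0.1.20", 2),
    SecurityEvent(4624, T(9, 1), "WS01$", "CORP", "0x3e7b0", "10.0.1.20", 3),
    SecurityEvent(4624, T(9, 5), "bob", "CORP", "0x3f000", "10.0.1.21", 10),
    SecurityEvent(4624, T(9, 10), "svc-backup", "CORP", "0x3f100", "10.0.1.21", 4),
    SecurityEvent(4647, T(9, 30), "bob", "CORP", "0x3f000"),
    SecurityEvent(4624, T(9, 40), "carol", "CORP", "0x40000", "10.0.1.20", 2),
]


def build_table(events=SAMPLE_EVENTS) -> IdentityTable:
    table = IdentityTable()
    for ev in events:
        table.ingest(ev)
    return table


if __name__ == "__main__":
    t = build_table()
    for ip in ("10.0.1.20", "10.0.1.21"):
        print(ip, "->", t.lookup(ip, T(9, 45)))
```

Run as a script it prints `CORP\carol` for 10.0.1.20 (alice was overwritten, the WS01$ machine logon was ignored) and `None` for 10.0.1.21 (bob logged off, the batch logon of svc-backup never counted). That is exactly the behaviour to keep in mind when the firewall rule for "administrators may SSH" is fed from such a table rather than from a per-connection Kerberos/NTLM exchange.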

  • Hi LuCar,

    That's great information. You are right - we want identification, not necessarily authentication (that restricts people from using the Internet until they have signed in).

    I will read the link and experiment.  If I have another question, perhaps I could come back to you.

    Thanks

    Adrian