Machines from the filia company do not authenticate to the domain controller over the VPN.

Hi IvanildoGalvão,

Thank you for reaching out to the Community! 

Have you configured the SNAT rule for the system traffic on the BO firewall as per the following KBA?

• Sophos XG Firewall: How to allow branch office users to authenticate with the head office Active Directory Server

Thanks,

I performed these actions:

connsole> system ipsec_route add host 192.168.7.1 tunnelname IPSEC_Matriz

console> set advanced-firewall sys-traffic-nat add destination 192.168.7.1 snatip 192.168.6.254

192.168.6.254 is IP address of XG Branch Office.

The branch office machines can open files on the domain controller server qur is in the main office, can access for example \\192.168.7.1\c$, can ping, can also query DNS correctly, but can not join the domain.

Now a strange thing I noticed, is that the domain has no FQDN name, just simple name 'VCL', that is, wrong in my opinion, when it comes to an Active Directory domain.

But it was working when the customer was using two Endian firewalls, with OpenVPN Site-to-Site.

Do I need to integrate Sophos XG from branch office to domain using STAS ?

Hi IvanildoGalvão,

The configuration setup that you're trying to implement isn't usual. I'd suggest you contact Sophos Professional Services for specific requirements regarding your environment or contact the Sophos Sales team for POC. 

• Professional Services
• How to contact your sales team

Thanks,