Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 2 replies
  • Subscribers 27 subscribers
  • Views 1147 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XG User authentication by AD SSO

Dennis Groppe

Hi everybody,

I configured a new XG310 at our company and I have one topic left which I do not understand properly.

Before, we had a SG 310 with a webfilter based on about 10 different configuration for 10 Active Directory-groups. The users were members in the corresponding AD group and the groups were synchronised by the SG. Nearly every collegue has an own Win10-PC with the web proxy configured in "internet settings" / Internet Explorer. When the collegues startet websurfing, the matching webfilter-rules were applied and you could see 'their' URL in the webfilter protocol.

Now I thought I could do the same with the Sophos XG, using these instructions:

https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContent/ConfigureKerberosAuthentication.html

I did these steps, but users are never authenticated by just websurfing. I only have those users on the XG with have a SSLVPN-profile, too - and were generated by using the user portal for the first time.

Do I have to configure my 'access to internet' firewall roles to respectively match respectively query specific usergroup for this to work? Or do I have to STAS in any case for this scenario with the webfilter rules based on AD-group membership to work in XG?

Thank you for any advice!!



This thread was automatically locked due to age.
  • +1

    AD SSO (like UTM did it) was most likely build for Web based authentication only. It has some significant disadvantages to STAS and other techniques, as it highly rely on webbased authentication requests. So if you want to use firewall rules with user based auths, i would recommend to look into STAS. STAS and Synchronized User ID (Endpoint) gets the request on the first login request of the client compared to the browser based auth. 

    For UTM, this was sufficient, as admins only used AD SSO for web anyway. But in SFOS, you can use auth for firewall rules etc. Examples like: Admin group can use SSH to my servers are possible. 

  • 0 in reply to LuCar Toni

    Thanks again for your assessment, LuCar Toni! Slight smile

    I just activated STAS and it seems to do what I want. Very nice!