Hi all,
we have two XGS2300 running in active-passive-mode.
Firmware is SFOS 18.5.2 MR-2-Build380.
We have AD authentication configured and I have questions regarding the AD.
In the Sophos documentation (docs.sophos.com/.../index.html) there is this:
Specify a username for the admin user of the Active Directory server.
Does anyone know why an admin user is needed for this? I couldn't find any technical information about it.
On https://www.avanet.com/en/kb/how-to-integrate-sophos-firewall-with-active-directory/ it reads:
Specify a user who has the right to read the AD structure. In production environments we recommend to use a service user and not the domain administrator.
First configuration was done with the admin and we switched to a service user. This was working well till we had two incidents with the authentication. In the logs I was able to see that the username didn't get sent to the firewall, so internet access wasn't granted (we have a web policy for this, only users in certain AD groups are allowed to access the internet).
One time we switched the active-passive firewall, the second time we deactivated the user portal on the WAN interface (there was a security issue, which got hotfixed by Sophos, but we wanted to deactivate the portal). After that, authentication wasn't done correctly, no username was sent again.
I tried it with another non-admin user but it didn't work.
The fix we got from a consultant was to use the domain admin account for the connection to the AD server. We don't know why, but this was working every time and the users were able to connect to the internet again. After the first fix we switched back to our service user and it was working till the second incident.
So has anyone encountered a similar problem? Does the firewall need write permissions to AD to work properly?
Thanks for your help, have a nice weekend and best regards
Stefan
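As an added example (not part of the original post, and not Sophos or Avanet code), the following PowerShell script shows the check an administrator can run from a domain-joined Windows host before pointing a firewall at AD with a service account: create a dedicated read-only account, confirm it is not in any privileged group, then bind to the domain controller as that account and perform the two lookups a group-based web policy depends on (find the user, test its group membership including nested groups). The account name svc-fw, the domain corp.example, the DC dc01.corp.example, the search base, the group FW-Internet-Users and the user jdoe are all assumptions to be replaced with your own values.

```powershell
# Added example, not from the original post or from Sophos. All names below
# (svc-fw, corp.example, dc01.corp.example, FW-Internet-Users, jdoe) are assumptions.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-fw'               # assumed: dedicated firewall lookup account
$Domain         = 'corp.example'         # assumed: AD DNS domain
$DcHost         = 'dc01.corp.example'    # assumed: domain controller reachable from the firewall
$BaseDn         = 'DC=corp,DC=example'   # assumed: search base handed to the firewall
$TestGroup      = 'FW-Internet-Users'    # assumed: group allowed by the web policy
$TestUser       = 'jdoe'                 # assumed: a user expected to be in that group

# 1. Create the service account once. It only needs the default read rights of a
#    domain user; it gets no group memberships beyond Domain Users.
if (-not (Get-ADUser -Filter "sAMAccountName -eq '$ServiceAccount'")) {
    $Pw = Read-Host -AsSecureString "Password for $ServiceAccount"
    New-ADUser -Name $ServiceAccount -SamAccountName $ServiceAccount `
        -UserPrincipalName "$ServiceAccount@$Domain" -AccountPassword $Pw `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'Firewall LDAP lookup account (read-only)'
}

# 2. Verify the account is not privileged. A lookup account in Domain Admins is
#    a credential stored on a network device with full control of the domain.
$Privileged  = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators'
$Memberships = Get-ADPrincipalGroupMembership -Identity $ServiceAccount |
               Select-Object -ExpandProperty Name
$Bad = $Memberships | Where-Object { $Privileged -contains $_ }
if ($Bad) { Write-Warning "$ServiceAccount is in privileged group(s): $($Bad -join ', ')" }
else      { Write-Host "$ServiceAccount holds no privileged group membership" }

# 3. Bind to the DC as the service account (simple bind over LDAPS, port 636) and run
#    the lookups the firewall performs for a group-based policy. AuthenticationTypes
#    SecureSocketsLayer alone means a simple bind wrapped in TLS.
$Cred  = Get-Credential -UserName "$Domain\$ServiceAccount" -Message 'Service account password'
$Entry = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://${DcHost}:636/$BaseDn",
    $Cred.UserName,
    $Cred.GetNetworkCredential().Password,
    [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer)
$Searcher = New-Object System.DirectoryServices.DirectorySearcher($Entry)

# 3a. Resolve the group's DN (this is also the first point where the bind happens;
#     a wrong password or a blocked LDAPS port throws here).
$Searcher.Filter = "(&(objectClass=group)(cn=$TestGroup))"
$GroupEntry = $Searcher.FindOne()
if (-not $GroupEntry) { throw "Group $TestGroup not found under $BaseDn (or the bind failed)" }
$GroupDn = $GroupEntry.Properties['distinguishedname'][0]

# 3b. Check membership with LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941),
#     which follows nested groups; a plain memberOf compare only sees direct members.
$Searcher.Filter = "(&(objectClass=user)(sAMAccountName=$TestUser)" +
                   "(memberOf:1.2.840.113556.1.4.1941:=$GroupDn))"
if ($Searcher.FindOne()) { Write-Host "$TestUser is a (possibly nested) member of $TestGroup" }
else                     { Write-Host "$TestUser is NOT a member of $TestGroup" }
```

If steps 3a and 3b succeed as the service account, a read-only domain user can perform the user and group lookups that a group-based policy needs, and write permissions are not what such a lookup requires. If the firewall still stops receiving usernames while this script works, the place to look is the firewall's own AD server settings and authentication logs (for example after a failover or a configuration change) rather than the rights of the AD account.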