Active Directory Authentication with XG failing.

I have two Sophos XGs, both XG 230s, and one Active Directory server. I have tried to integrate both XGs with the AD server using the exact same parameters. On one XG the integration is successful but the other refuses. It throws an error: "Test connection failed as server is down or unreachable." The AD server and the XG that is failing are in two different physical locations and there is a site-to-site VPN between the locations. The two subnets can communicate very well, as I am actually logged into the AD server which is at the other side of the tunnel. Please let me know if there is something that I am missing or something that I should look at. I have turned off Windows Defender on the server. I am pretty sure there isn't any problem with the AD server because my second XG is connecting to it well.



  • Hi Ronald Chinomona1

    Please check with Connection security as Plain Text on AD integration under CONFIGURE > Authentication > Servers.

    Configure the branch office Sophos Firewall to prompt VPN traffic for authentication
    By default, Sophos Firewall prompts unauthenticated traffic for clientless SSO from the LAN/DMZ zone. Since STAS at the head office serves login requests from the branch office over VPN, you must configure the branch office Sophos Firewall to prompt the sign-in requests.

    Sign in to the command line using Telnet or SSH. You can also access it from admin > Console in the upper-right corner of the web admin console.
    Choose option 4. Device Console.
    Run the following command to add the branch office network to STAS.

    system auth cta vpnzonenetwork add source-network 172.50.50.0 netmask 255.255.255.0

    Note

    Administration > Device Access > Local Service ACL > Client Authentication must be turned on for the VPN zone.

    Routing Sophos Firewall-initiated traffic
    Add an IPsec route at the Branch Office and apply a Source NAT policy on its Sophos Firewall-initiated traffic so that its source IP address is internal:


    console> system ipsec_route add host <IP Address of host> tunnelname <tunnel>

    Run the command below to NAT the Sophos Firewall traffic to the desired public IP with the private LAN IP:

    set advanced-firewall sys-traffic-nat add destination <Destination IP/Network> snatip <NATed IP>

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hi, thank you for reaching out to the Sophos community team. Probably the XG for which the AD test connection is failing may be missing the below settings:

    Route Sophos Firewall-initiated traffic through an IPSec VPN tunnel

    https://support.sophos.com/support/s/article/KB-000035839?language=en_US

    If the settings have already been done, you may take a packet capture from the GUI, a TCPDUMP on the XG CLI, and Conntrack output from the non-working location's XG during the test connection to validate it further.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Hello, and thank you for your responses, which are somewhat similar. I have added an IPsec route at the Branch Office and applied a Source NAT policy. I have reviewed the logs in the XG at the Head Office and I noticed that the XG actually processes the traffic but drops it as IP Spoofing. Why would the XG treat the AD connection traffic coming through an IPSEC tunnel as IP spoofing? The source address is the LAN IP of the XG at the branch office and the destination is the IP of the AD server on Port 389. I have attached a picture of my topology.

  • Hi Ronald Chinomona1 

    Please go to PROTECT > Intrusion Prevention > DoS and Spoof Prevention, disable Spoof prevention under Spoof protection general settings, and check?

    Thanks and Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".


  • I have no Spoof Prevention enabled for any zone.

  • Hi Ronald Chinomona1 

    Please check the AD settings with Connection security set to Plain and to SSL/TLS, and check the status?

    "Sophos Partner: Infrassist Technologies Pvt Ltd".


  • I have plain text connection security and port 389 configured. The exact same settings work well on another XG that sits in the same LAN as the AD server.
