Active Directory Authentication with XG failing.

I have two Sophos XGs, both XG 230s, and one Active Directory server. I have tried to integrate both XGs with the AD server using the exact same parameters. On one XG the integration is successful, but the other refuses. It throws an error: "Test connection failed as server is down or unreachable." The AD server and the XG that is failing are in two different physical locations, and there is a site-to-site VPN between the locations. The two subnets can communicate very well, as I am actually logged into the AD server, which is at the other side of the tunnel. Please let me know if there is something that I am missing or something that I should look at. I have turned off Windows Defender on the server. I am pretty sure there isn't any problem with the AD server because my second XG is connecting to it well.

    Hi Ronald Chinomona1,

    Please check with Connection security set as Plain Text on the AD integration under CONFIGURE > Authentication > Servers.

    Configure the branch office Sophos Firewall to prompt VPN traffic for authentication
    By default, Sophos Firewall prompts unauthenticated traffic for clientless SSO from the LAN/DMZ zone. Since STAS at the head office serves login requests from the branch office over VPN, you must configure the branch office Sophos Firewall to prompt the sign-in requests.

    Sign in to the command line using Telnet or SSH. You can also access it from admin > Console in the upper-right corner of the web admin console.
    Choose option 4. Device Console.
    Run the following command to add the branch office network to STAS.

    system auth cta vpnzonenetwork add source-network 172.50.50.0 netmask 255.255.255.0

    Note

    Administration > Device Access > Local Service ACL > Client Authentication must be turned on for the VPN zone.

    Routing Sophos Firewall-initiated traffic
    Add an IPsec route at the Branch Office and apply a Source NAT policy on its Sophos Firewall-initiated traffic so that its source IP address is internal:


    console> system ipsec_route add host <IP Address of host> tunnelname <tunnel>

    Run the command below to NAT the Sophos Firewall traffic to the desired public IP with the private LAN IP:

    set advanced-firewall sys-traffic-nat add destination <Destination IP/Network> snatip <NATed IP>

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

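The routing and SNAT steps in the reply above address a common cause of "server is down or unreachable" across a site-to-site tunnel: traffic the firewall originates itself (the LDAP test connection) is sourced from an interface IP that is not inside the tunnel's local selector, so it is never matched by the IPsec policy and leaves on the default route instead. The script below is an added example, not code from the thread or from Sophos: it models the tunnel's phase-2 selectors, checks which of the branch firewall's own IPs the tunnel would actually carry to the AD server, and builds the two console commands from the reply with the usable IP filled in. The topology (tunnel name HQ_to_Branch, head-office network 10.10.10.0/24, AD server 10.10.10.5, branch WAN IP 203.0.113.10 and LAN IP 172.50.50.1) is constructed; only the 172.50.50.0/24 branch network comes from the reply's STAS command. Separately, note that the reply's Plain Text connection security setting sends the AD bind credentials unencrypted, so it suits a troubleshooting step rather than the final configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Sequence


@dataclass(frozen=True)
class IPsecTunnel:
    """Phase-2 selectors of a site-to-site tunnel as seen from the branch office."""
    name: str
    local_networks: Sequence[str]   # branch-side subnets offered as local selectors
    remote_networks: Sequence[str]  # head-office subnets reachable through the tunnel


def tunnel_carries(tunnel: IPsecTunnel, src: str, dst: str) -> bool:
    """True if a packet src -> dst matches the tunnel's selectors and is encrypted into it.

    Anything that fails this test is sent out the default route (the WAN) in the clear,
    which is what happens to firewall-initiated LDAP packets sourced from the WAN IP.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    in_local = any(s in ipaddress.ip_network(n) for n in tunnel.local_networks)
    in_remote = any(d in ipaddress.ip_network(n) for n in tunnel.remote_networks)
    return in_local and in_remote


def plan_firewall_initiated_traffic(tunnel: IPsecTunnel,
                                    firewall_ips: Sequence[str],
                                    ad_server: str) -> Dict:
    """Pick a firewall IP inside the tunnel's local selector and build the two console
    commands from the reply: an IPsec host route for the AD server plus an SNAT rule
    that rewrites the firewall's own source address to the chosen IP."""
    usable = [ip for ip in firewall_ips if tunnel_carries(tunnel, ip, ad_server)]
    if not usable:
        raise ValueError(
            f"no firewall interface IP falls inside the local selectors of {tunnel.name}; "
            "widen the tunnel's local network or the AD server stays unreachable")
    snat_ip = usable[0]
    return {
        "snat_ip": snat_ip,
        "dropped_sources": [ip for ip in firewall_ips if ip not in usable],
        "commands": [
            f"system ipsec_route add host {ad_server} tunnelname {tunnel.name}",
            f"set advanced-firewall sys-traffic-nat add destination {ad_server} snatip {snat_ip}",
        ],
    }


# Constructed sample topology (assumptions; only 172.50.50.0/24 comes from the reply).
BRANCH_TUNNEL = IPsecTunnel(
    name="HQ_to_Branch",
    local_networks=("172.50.50.0/24",),
    remote_networks=("10.10.10.0/24",),
)
BRANCH_FIREWALL_IPS = ("203.0.113.10", "172.50.50.1")  # WAN IP first, then LAN IP
AD_SERVER = "10.10.10.5"

if __name__ == "__main__":
    plan = plan_firewall_initiated_traffic(BRANCH_TUNNEL, BRANCH_FIREWALL_IPS, AD_SERVER)
    print("firewall source IPs the tunnel will not carry:", plan["dropped_sources"])
    for cmd in plan["commands"]:
        print("console>", cmd)
```

Running it reports that 203.0.113.10 (the WAN IP) is not carried by the tunnel and emits the two commands with snatip 172.50.50.1. If none of the firewall's IPs is inside the local selector, the function raises instead of emitting commands, which is the case where the tunnel's local network itself has to be widened before any SNAT rule can help.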