Sophos XGS and AD sync

Hello,

Have 2 questions related to user authentication. 

1. Do we know the sync interval between Sophos XG and Active Directory? We have disabled a few users in AD; however, they are still able to authenticate against the Sophos Firewall via the captive portal.

2. The captive portal allows users who are not part of the 'allowed' user group to authenticate. We have set up a BYOD network and added a few user groups to it; however, we noticed that users who are not part of those user groups can type their username and password into the captive portal without any error. What we expect is that the captive portal should pop up an error message saying 'User cannot be authenticated as it is not part of the allowed user groups', or something similar.



  • Hi: Thank you for reaching out to the Sophos community team.

    1) The users you have disabled in AD: have the same users also been disabled manually on XG in the Users section? If not, please disable them and confirm the status.

    Step: go to Authentication > Users > Select User > Click Change status.

    2) For point 2, below is a suggestion that you may check and try to see if it fulfills your actual requirement:

    Once you integrate AD, any active AD user will be able to authenticate on XG. To limit Internet access for an unwanted group, please ensure that there is no matching firewall rule allowing Internet access for that user group, OR, if there is a matching rule for that group, please ensure that the rule action is set to Drop to prevent Internet traffic.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • 2) For point 2, below is a suggestion that you may check and try to see if it fulfills your actual requirement:

    Once you integrate AD, any active AD user will be able to authenticate on XG. To limit Internet access for an unwanted group, please ensure that there is no matching firewall rule allowing Internet access for that user group, OR, if there is a matching rule for that group, please ensure that the rule action is set to Drop to prevent Internet traffic.

    Comment: Yes, traffic is blocked for unwanted users, as their group is not part of the allowed ones.

    However, what we need is for users to be told by a message at the captive portal level that they don't have access, rather than signing in and finding it out later. Is that a feature request?

    1) The users you have disabled in AD: have the same users also been disabled manually on XG in the Users section? If not, please disable them and confirm the status.

    Step: go to Authentication > Users > Select User > Click Change status.

    Comment: Is there any way to automate this rather than doing it manually? The customer needs to disable a few users on a daily basis and enable them back. I was under the impression that XG would make a request to AD when a user makes a request for authentication. [FYI: there is no STAS involved.]

  • There is no sync with AD at any interval.

    Instead, the data is fetched at each and every login. So to speak, if you disable a user, the user should not be able to use any facility in SFOS anymore either, as AD should deny the request.

    Please verify that you do not have "local" activated under Authentication - Services. That would mean SFOS is using the local credential store as well.

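As an added illustration of the behaviour described in this reply (a model written for this thread, not Sophos code, with constructed sample users): the captive portal tries each configured authentication server in turn, AD refuses a disabled account at login time, a stale entry in the firewall's local store would let the same user through if "Local" is also enabled, and group membership is only applied afterwards by the firewall rule.

```python
from dataclasses import dataclass

ACCOUNTDISABLE = 0x2  # real AD userAccountControl bit for a disabled account


@dataclass
class AdUser:
    password: str
    groups: frozenset
    user_account_control: int = 0x200  # NORMAL_ACCOUNT, enabled


def ad_bind(directory, username, password):
    """Authenticate against AD at login time (no periodic sync is involved).
    A disabled account is refused even when the password is correct."""
    user = directory.get(username)
    if user is None or user.password != password:
        return False
    return not user.user_account_control & ACCOUNTDISABLE


def local_bind(local_store, username, password):
    """Authenticate against the firewall's own user store. The 'active' flag
    models the manual Authentication > Users > Change status step."""
    entry = local_store.get(username)
    return entry is not None and entry["active"] and entry["password"] == password


def captive_portal_login(servers, username, password, directory, local_store):
    """Try the configured authentication servers in order; the first success
    wins. Returns the server that accepted the login, or None. Group
    membership is deliberately not consulted here: the firewall rule does that."""
    for server in servers:
        if server == "AD" and ad_bind(directory, username, password):
            return "AD"
        if server == "Local" and local_bind(local_store, username, password):
            return "Local"
    return None


def firewall_allows(directory, username, allowed_groups):
    """Post-login check performed by a user-group firewall rule."""
    user = directory.get(username)
    return user is not None and bool(user.groups & allowed_groups)


# Constructed sample data (hypothetical users, not from any real deployment).
DIRECTORY = {
    "alice": AdUser("pw-a", frozenset({"BYOD"})),
    "bob": AdUser("pw-b", frozenset({"BYOD"}), 0x200 | ACCOUNTDISABLE),  # disabled in AD
    "carol": AdUser("pw-c", frozenset({"Staff"})),  # not in the BYOD group
}
LOCAL_STORE = {"bob": {"password": "pw-b", "active": True}}  # stale copy on the firewall
```

With only "AD" configured, bob is refused; with "Local" also enabled he still gets in until his local entry is deactivated, and carol authenticates but is then blocked by the group rule.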
