Validate Server Certificate

Hello Christopher Kurdian ,

Thank you for reaching out to the community, please refer the following article - Sophos Firewall: A Quick Guide for LDAPS/AD Integration With Windows Server 2022/2019/2012… 

Thanks for your prompt response. Unfortunately, it doesn't answer my questions. ldp.exe seems to be superseded as well. Can't find it anywhere. Regardless going through the documentation steps as best I could I concluded my setup is working.

However as mentions above, my "Validate Server Certificate" fails. 

"What is the firewall doing here, which server is down or unreachable? Is it my Root CA server that is in active directory? Or is it the domain controller? (CA is install on a Domain Member, not on the domain controller)"

Some insight into this would be greatly appreciated.

Thanks again for the prompt reply. 

Question: And what if you untick the option "validate server certificate." and then click on the  test connection ?

Answer: I get the Green, Device - AD server connectivity test successful

I can authenticate through Active directory fine.

Thanks, I will try what you suggested above tonight and see how I go and report back.

Much appreciated.

Good Afternoone Vivek,

Probably want to tell people they need to change path with those instructions

Logs show the following.

Hmmmm, hostname does not match CN in peer certificate???

So, I have removed my root ca from active directory (Following these steps, successfully Remove CA from Active Directory • Nolabnoparty) Will follow your instructions for installing a root CA and see how I go. Sophos Firewall: A Quick Guide for LDAPS/AD Integration With Windows Server 2022/2019/2012… - Recommended Reads - Sophos Firewall - Sophos Community. Hopefully this fixes the issue. Will post back later on how I went.

Thank you for the update Christopher Kurdian 

Ok No Luck, there must be a step missing??

I can connect and authenticate without "Validate server certificate" Ticked. Once Ticked I get the error message below as before.

ldp can be run on the Active Directory

ld = ldap_sslinit("localhost", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 256 bits
Established connection to localhost.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)

Are you using any external certificate on your AD ? As the option "Validate server certificate." is to Validate  the certificate on the external server for a secured connection

And if not then with that option disabled, the functionality will not be affected, may we know your use case to use the option of validating the certificate ? 

No, I'm not, AD is using an Internal Cert from the internal CA I thought.  "Validate server certificate" is for the external server? I thought this for TLS comms to AD; a Cert from the internal certificate server (hence why the tutorials get us to setup an internal CA?) I recently purchased a certificate from rapidSSL for my public domain name with wildcard. I thought I installed it correctly as well. So, I have installed the intermediate Certificate for Rapid SSL and the Root Certificate for my internal CA as per: Import a certificate - Sophos Firewall. Sorry I am very green to all this but what to fully understand how its working, greatly appreciate your feed back.  I think I will follow this tonight. It may have something to do with my issue perhaps: (+) Sophos xg can't resolve own hostname and internal server - Discussions - Sophos Firewall - Sophos Community (They seem to have the CN issue as well).

Would you know what "client" on the sophos firewall, "Validate Server Certificate" using to verify the certificate. Thx

Hey Christopher Kurdian ,

 If you turn this option "Validate server certificate" on, you must upload the AD server certificate to the firewall on Certificates > Certificates > Add > Upload certificate. If you don't upload it, the connection to the AD server fails.

Yeah I have done that, (Certificates are not my thing) I even included the private key in a test. However, "Validate server certificate" still fails. Do I need to reboot firewall or restart a service?

This may not be important for things to work but I really want it to work and understand what I am doing wrong or if there is an underlining issue :-)

Mercury is the name of the firewall. Do I need to install its certificate on the Active Directory Server as well?

Thanks for your patience's. 

Yeah I have done that, (Certificates are not my thing) I even included the private key in a test. However, "Validate server certificate" still fails. Do I need to reboot firewall or restart a service?

This may not be important for things to work but I really want it to work and understand what I am doing wrong or if there is an underlining issue :-)

Mercury is the name of the firewall. Do I need to install its certificate on the Active Directory Server as well?

Thanks for your patience's.