XG Portal Access and Active Directory Integration- Authenticated Users Only Access?

Question

Good Afternoon everyone, 
 Been working with the new XG's over the past couple of months and have an (what I hope is an easy/minor) issue with Portal and VPN access w/AD integration. Wondering if I could get a little additional help. 
 Scenario: 
 Basic Server 2012 R2 Std. environment running AD 
 XG115 running ver 16.x 
 Have a new test environment we setup. We have a specific set of users that we want to have VPN access to only. Additionally those users will be able to login via the portal to access and download the VPN client software. 
 
 Problem: 
 Our problem is limiting what users have access. My understanding after speaking initially with Sophos support is that we can narrow down who has access to these sections my narrowing down the Search Queries section. 
 We setup an OU called Security Groups, and inside that OU we created a security group called VPN of which we assign specific members to. 
 My intention was to set cn=VPN,ou=Security Groups,dc=testdomain,dc=local in the search query. This yeilded no results however. Not able to login any user of this object 
 However, if I move the user to the Security Groups OU and adjust the query to ou=Security Groups,dc=testdomain,dc=local, I'm able to authenticate and access without any problems. 
 Can we not specify a CN with the XG's? Am I possibly entering this incorrectly? This is possible on the UTM side of things, so I would assume the same features would still exist on the XG 
 It would make more sense to us and be easier to manage if we could specify a CN as opposed to having to drop the user in a particular OU 
 
 Thoughts? Advice? I do have a ticket open with Sophos on this, but it sometimes take days for them to respond and I see that sometimes faster responses come from the community. [:D]

lferrara · Accepted Answer

Chad, 
 The power of utm 9 is granularity! XG does not allow this on some feature like user portal or device access, binding... 
 For you question, I would like that user portal works like utm 9 where it is possible to specify users/groups. 
 This is my point of view.

MitchelLaman · Answer

Chad, I was struggling with the same issue and found this post by Ton Versteeg. 
 On the XG, it isn't intuitive and even after you get it setup, it doesn't look like it will work. However, I can confirm it works like a champ. 
 
 Scenario: 
 I have a connection from the XG to a local AD server. I want users in certain groups to be authorized for remote ssl vpn access. 
 
 Solution: 
 
 In your Microsoft Active Directory, create your security group. In this example, we will call it 'VPN Users' 
 Add any user accounts you wish to grant vpn access as a member of this group, 'VPN Users' 
 On the Sophos XG, navigate to Configure->Authentication->Servers 
 On your server setup, create a single search query for the top level domain. For the example mydomain.local use: "dc=mydomain,dc=local". I know this seems weird and you think you are granting access for everyone, but you are not. However, without this top level search the solution would not work. Again, weird I know, but it works. 
 Click 'Test Connection' and make sure you can connect to your AD. 
 Next, go back to the Servers screen from step 3 and click on the import button to the right of the AD server. It looks like a document with an arrow pointing to the left. 
 Use your base dn created in step 4 for the first import step 
 For the second import step, navigate to the security group you setup in step 1 above and select it 
 The rest of the import steps are self explanatory and once you import you will now have a new Group (under Configure->Authentication->Groups) with the same name as your AD security group. 
 (optional) If you need to set policies for the group, you can do it from this location (step 9) 
 One other thing I did was added the search query for the imported group to the Search Queries section of my AD. Under Configure->Authentication->Servers and my AD server, I added "cn=VPN Users,cn=Users,dc=mydomain,dc=local" 
 Navigate to Configure->VPN->SSL VPN (Remote Access) and create a policy. Make sure under Identity->Policy Members you add the groups created in step 9. 
 Navigate to Configure->Authentication->Services and add your AD server as a Firewall Authentication Method (for User Portal) and SSL VPN Authentication Method for remote access 
 
 Hope that helps Chris and no need to sell those XG's! 
 -mitchel

Paul Kopalek · Answer

Edit2: it worked!!! It was necessary to make dn= a lowercase affair in each case. Uppercase DN= was not allowing it to work properly in Servers > Authentication. Buyer beware! Has anyone else run into another or better or different way to make this work? 
 After reconfiguring the XG to do this several times, all we see in the User Portal is 'Login failed' on the User Portal and 'The system could not log you on. Make sure your password is correct' in the Captive portal. 
 These instructions were easy to follow, but although things seem to 'Test' just fine, no success is to be had. 
 Server 2008 R2, XG 430. 
 
 Edit: This issue persists through the following troubleshooting: 
 -Attempting to use AD credentials that are in the appropriate Group with the SSLVPN client from an outside network -Changing 'search queries' order under 'Authentication > Servers' to move 'dn=domain, dn=domain, dn=com' up higher or down lower OR moving cn=vpngroup,ou=security groups ... (etc) up higher -Firewall rule allowing any and all groups -Changing 'Domain Name' in 'Authentication > Servers' to 'internal.external.com' instead of 'external.com' (though 'Test Connection' works regardless)