XG Portal Access and Active Directory Integration- Authenticated Users Only Access?

Good Afternoon everyone,

Been working with the new XG's over the past couple of months and have an (what I hope is an easy/minor) issue with Portal and VPN access w/AD integration.  Wondering if I could get a little additional help.

Scenario:

Basic Server 2012 R2 Std. environment running AD

XG115 running ver 16.x

Have a new test environment we setup.  We have a specific set of users that we want to have VPN access to only.  Additionally those users will be able to login via the portal to access and download the VPN client software.

 

Problem:

Our problem is limiting what users have access.  My understanding after speaking initially with Sophos support is that we can narrow down who has access to these sections by narrowing down the Search Queries section.

We set up an OU called Security Groups, and inside that OU we created a security group called VPN, to which we assign specific members.

My intention was to set cn=VPN,ou=Security Groups,dc=testdomain,dc=local in the search query.  This yielded no results however.  Not able to log in any user of this object.

However, if I move the user to the Security Groups OU and adjust the query to ou=Security Groups,dc=testdomain,dc=local, I'm able to authenticate and access without any problems.

Can we not specify a CN with the XG's?  Am I possibly entering this incorrectly?  This is possible on the UTM side of things, so I would assume the same features would still exist on the XG.

It would make more sense to us and be easier to manage if we could specify a CN as opposed to having to drop the user in a particular OU.

 

Thoughts?  Advice?  I do have a ticket open with Sophos on this, but it sometimes takes days for them to respond and I see that sometimes faster responses come from the community. [:D]



This thread was automatically locked due to age.
  • Chad,

    The power of utm 9 is granularity! XG does not allow this on some features like user portal or device access, binding...

    For your question, I would like that user portal works like utm 9 where it is possible to specify users/groups.

    This is my point of view.

  • Thanks for the response Luk,

    So to confirm, this isn't available in XG?

    Might this be something that has already been requested for future releases?  Not sure where to look for that.

    I thought XG was supposed to be the step up from UTM?  Is this not the case?  Should I be sticking with UTM instead?

    Perhaps I misread when initially going the XG route.  I've easily deployed 20 of these in the past month or two thinking it was going to be taking the place of UTM.  Error on my end possibly.

  • Chad,

    You can have a look at ideas.sophos.com and check the XG section to see if the feature request already exists. If it does not, create it and create a new thread here with the link so everyone can see your thread and vote for it.

    If for you this is a needed feature, stay on utm 9.

    Regards

  • Thank you again Luk for the info.  Now to move back to the wonderful world of UTM, as this is a feature set we use often.  From what I see however, it looks like I just wasted money on the XG's as we can't load them up with UTM 9?  I can only jump back and forth on the SG boxes?  Any confirmation on this?

  • Chad, I always advise to test XG or every new system before the purchase. XG is still missing some basic features and we have to wait more time. You can contact your Sophos Sales representative and check if they can help to move back or have a refund. Community is used for technical aspects. Regards
  • Chad, I was struggling with the same issue and found this post by Ton Versteeg.

    On the XG, it isn't intuitive and even after you get it setup, it doesn't look like it will work. However, I can confirm it works like a champ.

     

    Scenario:

    I have a connection from the XG to a local AD server. I want users in certain groups to be authorized for remote ssl vpn access.

     

    Solution:

    1. In your Microsoft Active Directory, create your security group. In this example, we will call it 'VPN Users'
    2. Add any user accounts you wish to grant vpn access as a member of this group, 'VPN Users'
    3. On the Sophos XG, navigate to Configure->Authentication->Servers
    4. On your server setup, create a single search query for the top level domain. For the example mydomain.local use: "dc=mydomain,dc=local". I know this seems weird and you think you are granting access for everyone, but you are not. However, without this top level search the solution would not work. Again, weird I know, but it works.
    5. Click 'Test Connection' and make sure you can connect to your AD.
    6. Next, go back to the Servers screen from step 3 and click on the import button to the right of the AD server. It looks like a document with an arrow pointing to the left.
    7. Use your base dn created in step 4 for the first import step.
    8. For the second import step, navigate to the security group you set up in step 1 above and select it.
    9. The rest of the import steps are self explanatory and once you import you will now have a new Group (under Configure->Authentication->Groups) with the same name as your AD security group.
    10. (optional) If you need to set policies for the group, you can do it from this location (step 9).
    11. One other thing I did was add the search query for the imported group to the Search Queries section of my AD. Under Configure->Authentication->Servers and my AD server, I added "cn=VPN Users,cn=Users,dc=mydomain,dc=local".
    12. Navigate to Configure->VPN->SSL VPN (Remote Access) and create a policy. Make sure under Identity->Policy Members you add the groups created in step 9.
    13. Navigate to Configure->Authentication->Services and add your AD server as a Firewall Authentication Method (for User Portal) and SSL VPN Authentication Method for remote access.

    Hope that helps Chris and no need to sell those XG's!

    -mitchel
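Why the original poster's search base of cn=VPN,ou=Security Groups,... finds nobody, while the recipe above (a top-level search base plus an imported group used in the policy) works: an AD security group is not a container, so no user object sits beneath it in the tree; membership is only recorded in the group's member attribute and the user's memberOf attribute. The following is an added example, not code from this thread or from Sophos, that models that with a small constructed in-memory directory (DNs borrowed from the posts, user names alice and bob made up) and shows a subtree lookup against each search base.

```python
# Added example: constructed stand-in for the AD layout described in the thread.
# Entry DNs and attributes below are made up for illustration.
CONSTRUCTED_DIRECTORY = {
    "cn=Users,dc=mydomain,dc=local": {"objectClass": ["container"]},
    "cn=alice,cn=Users,dc=mydomain,dc=local": {
        "objectClass": ["user"], "sAMAccountName": ["alice"],
        "memberOf": ["cn=VPN Users,ou=Security Groups,dc=mydomain,dc=local"]},
    "cn=bob,cn=Users,dc=mydomain,dc=local": {
        "objectClass": ["user"], "sAMAccountName": ["bob"], "memberOf": []},
    "ou=Security Groups,dc=mydomain,dc=local": {"objectClass": ["organizationalUnit"]},
    # The group is a leaf object: nothing lives "under" it in the tree.
    "cn=VPN Users,ou=Security Groups,dc=mydomain,dc=local": {
        "objectClass": ["group"],
        "member": ["cn=alice,cn=Users,dc=mydomain,dc=local"]},
}


def normalize_dn(dn):
    # DN components are compared case-insensitively; trim spaces after commas.
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(entry_dn, base_dn):
    # Subtree scope: the entry is the base itself or has the base as a suffix.
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return entry == base or entry.endswith("," + base)


def find_user(directory, base_dn, account, group_dn=None):
    """Subtree search for a user account; optionally require membership of group_dn.

    Returns the matching user's DN, or None when no entry satisfies the search.
    """
    for dn, attrs in directory.items():
        if not in_subtree(dn, base_dn) or "user" not in attrs.get("objectClass", []):
            continue
        if account not in attrs.get("sAMAccountName", []):
            continue
        if group_dn is not None:
            groups = {normalize_dn(g) for g in attrs.get("memberOf", [])}
            if normalize_dn(group_dn) not in groups:
                continue
        return dn
    return None


if __name__ == "__main__":
    group = "cn=VPN Users,ou=Security Groups,dc=mydomain,dc=local"
    print("base = group DN:", find_user(CONSTRUCTED_DIRECTORY, group, "alice"))
    print("base = domain, memberOf filter:",
          find_user(CONSTRUCTED_DIRECTORY, "dc=mydomain,dc=local", "alice", group))
```

The first lookup returns nothing even though alice is a member, which is the behaviour the original post describes; the second finds her only because the group check is a filter on memberOf, which is what the imported group in the SSL VPN policy members provides.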

  • Edit2: it worked!!! It was necessary to make dn= a lowercase affair in each case. Uppercase DN= was not allowing it to work properly in Servers > Authentication. Buyer beware!

    Has anyone else run into another or better or different way to make this work?

    After reconfiguring the XG to do this several times, all we see in the User Portal is 'Login failed' on the User Portal and 'The system could not log you on. Make sure your password is correct' in the Captive portal.

    These instructions were easy to follow, but although things seem to 'Test' just fine, no success is to be had.

    Server 2008 R2, XG 430.

     

    Edit: This issue persists through the following troubleshooting:

    -Attempting to use AD credentials that are in the appropriate Group with the SSLVPN client from an outside network
    -Changing 'search queries' order under 'Authentication > Servers' to move 'dn=domain, dn=domain, dn=com' up higher or down lower OR moving cn=vpngroup,ou=security groups ... (etc) up higher
    -Firewall rule allowing any and all groups
    -Changing 'Domain Name' in 'Authentication > Servers' to 'internal.external.com' instead of 'external.com' (though 'Test Connection' works regardless)

  • Glad you got it working, Paul. I wonder if someone can update the accepted solution to reflect that this feature is actually possible.

     

    -mitchel
