AD group membership problem issue on the Sophos XG Firewall

Hello,

I have installed the Sophos XG Firewall with firmware version SFOS 17.0.2 MR-2 as a virtual appliance (VMware vSphere ESXi). I have activated the company's full subscription successfully. I have also set up some firewall and web protection rules as needed. I have also connected the Sophos XG Firewall to the company Active Directory / Domain Controller server for user authentication. Just for info, our user authentication data is available on the company AD / DC, based on Windows Server 2012. I have also tried to import the Groups and Organizational Units (OUs) that are available on the AD / DC. We have also installed the Sophos Transparent Authentication Suite (STAS) and configured it on the AD / DC. When the AD users tried to log in, they were logged in successfully as STAS users in the Live Users section of the Sophos XG Firewall.

The trouble appears when I try to add some users as members of a group, for example the 'RAS Users' group that will be used for VPN access. All users that are members of the 'RAS Users' group will be allowed to access the Sophos PPTP VPN service; otherwise they can't access the VPN service. For information, we have a lot of Organizational Units in the AD / DC. The users are divided into OUs by Faculty or Bureau, based on the location where they work. For example, user A works at the Faculty of Engineering, so A is placed under the Faculty of Engineering OU. When I tried to move user A into the 'RAS Users' group, it completed successfully, but something strange happened. When user A logged in to his/her computer, user A disappeared from the members of the 'RAS Users' group, and I checked that A had been rolled back to being a member of the Faculty of Engineering OU.

My questions:
1. Will the users that the Sophos XG Firewall logs from the AD / DC always obey their original OU placement on the AD / DC rather than the group we moved them into manually? Is this normal or not?
2. Are there any settings or configuration mistakes I have made so that the users always obey the OU rather than the group we manually add them to?
3. What do I have to do? Because this feature (group membership) is very essential and important; without this feature I can't continue to the next step.

I'm waiting for your reply and answer of this case.

Thank you.
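The post describes a user who appears to leave the 'RAS Users' group after logging in, and treats OU placement and group membership as if one replaced the other. In AD they are independent attributes: the OU is where the object sits in the directory tree (its distinguishedName), while group membership is the memberOf attribute (plus the group's member attribute). The following PowerShell is an added diagnostic, not from the original post or from Sophos; it assumes the ActiveDirectory module (RSAT) is available and that 'userA' is a placeholder account name. Run it against each domain controller before and after the user logs in to see whether the membership really changes on the DC or only appears to change in the firewall's view.

```powershell
# Added example (not part of the original post). Assumes the ActiveDirectory
# PowerShell module (RSAT) is installed. 'RAS Users' is the group named in the
# post; 'userA' and the server names are placeholders.
Import-Module ActiveDirectory

function Test-GroupMembershipVsOu {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $GroupName,
        # Optional: query a specific DC to check that all DCs agree
        [string] $Server
    )

    $adArgs = @{}
    if ($Server) { $adArgs['Server'] = $Server }

    # DistinguishedName tells us which OU the object lives in; MemberOf lists
    # the groups the object belongs to. Changing one does not change the other.
    $user  = Get-ADUser -Identity $SamAccountName -Properties MemberOf, DistinguishedName @adArgs
    $group = Get-ADGroup -Identity $GroupName @adArgs

    # The OU is everything after the leading "CN=<name>," component of the DN
    # (simple split; a CN containing an escaped comma would need an LDAP DN parser)
    $ou = ($user.DistinguishedName -split ',', 2)[1]

    # memberOf holds group DNs, so compare against the group's DN, not its name.
    # Note: the user's primary group (usually Domain Users) is never listed in memberOf.
    $isMember = $user.MemberOf -contains $group.DistinguishedName

    [pscustomobject]@{
        User       = $user.SamAccountName
        OU         = $ou
        Groups     = @($user.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' })
        GroupName  = $GroupName
        IsMember   = $isMember
        QueriedDC  = if ($Server) { $Server } else { '(default)' }
    }
}

# Usage: check every DC so that a replication lag or a change made on one DC
# being overwritten from another shows up as a disagreement between them.
$dcs = (Get-ADDomainController -Filter *).HostName
foreach ($dc in $dcs) {
    Test-GroupMembershipVsOu -SamAccountName 'userA' -GroupName 'RAS Users' -Server $dc | Format-List
}
```

If every DC reports IsMember = True after the user logs in, the membership is intact in AD and the discrepancy lies in how the firewall learns group membership (for example the group list it last imported), so the firewall-side group import would be the next thing to re-check. If one DC reports False while another reports True, the change is being lost on the AD side, which points at replication or a competing change made on another DC rather than at the firewall.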
