
How to Integrate Sophos XGS Firewall with Windows Active Directory

Learn how to integrate Sophos XGS firewall with Windows Active Directory to monitor and control network traffic based on user identity and group membership.

Sophos XGS is a next-generation firewall appliance that provides comprehensive protection for your network, applications, and users. It offers advanced features such as deep packet inspection, intrusion prevention, web filtering, application control, and more.

One of the challenges of managing a network firewall is knowing who is behind the traffic it sees, especially when several branch offices reach it over an MPLS network and addresses are handed out dynamically. An IP address tells you which machine a connection came from, not which person, and that matters when you need to detect and block high-risk applications such as Tor, which can tunnel traffic out of your network past normal web controls.

To solve this problem, you can integrate Sophos XGS firewall with Windows Active Directory, the directory service that stores user and group information for your domain. Once the firewall knows which user is logged on at each IP address, you can monitor and control network traffic based on user identity and group membership rather than on IP addresses alone. This lets you see by name which users attempt to use high-risk applications such as Tor and apply stricter policies to them.

In this article, we will show you how to integrate Sophos XGS firewall with Windows Active Directory, and how to configure firewall policies based on user and group information.

Prerequisites

Before you start, make sure you have the following:

  • A Sophos XGS firewall appliance with the latest firmware installed.
  • A Windows Active Directory domain controller that also serves DNS for the domain (clients must resolve the domain controller and register in the AD zone). If the domain controller also runs DHCP, do not enable a second DHCP server on the firewall for the same LAN.
  • A Windows server or workstation that can run the Sophos Authentication Agent (SAA) software.
  • A network switch that supports VLAN tagging and trunking.
  • A network cable to connect the Sophos XGS firewall to the network switch.

Step 1: Configure the Sophos XGS firewall

The first step is to configure the Sophos XGS firewall to communicate with the Windows Active Directory domain controller and the SAA server. To do this, follow these steps:

  1. Log in to the Sophos XGS firewall web admin console using your administrator credentials.
  2. Go to System > Administration > Device Access and enable HTTPS (admin console) for the LAN zone only. Leave it disabled for the WAN zone: the admin console should never be reachable from the internet. Where possible, add a local service ACL exception so that only a management subnet can reach the console even from the LAN.
  3. Go to Network > Interfaces and click on the Add button to create a new interface. Enter the following details:
    • Name: LAN
    • Zone: LAN
    • Type: VLAN
    • Parent Interface: Select the physical interface that is connected to the network switch.
    • VLAN ID: Enter a unique VLAN ID for the LAN network, such as 10.
    • IP Assignment: Static
    • IP Address: Enter an IP address for the LAN interface, such as 192.168.10.1/24.
    • Gateway: Leave blank
    • DNS Server 1: Enter the IP address of the Windows Active Directory domain controller, such as 192.168.10.10.
    • DNS Server 2: Leave blank
    • Enable DHCP Server: Check this option only if the firewall, rather than the domain controller, is to assign addresses on this LAN. A segment must have exactly one DHCP server, and its DNS option must point at the domain controller so that clients resolve and register in the AD zone.
    • DHCP Range: Enter the IP address range for the DHCP server, such as 192.168.10.100-192.168.10.200.
    • Lease Time: Enter the lease time for the DHCP server, such as 86400 seconds (24 hours).
    • Domain Name: Enter the domain name of the Windows Active Directory domain, such as example.com.
    • WINS Server: Leave blank
    • NTP Server: Leave blank
  4. Click on the Save button to create the LAN interface.
  5. Go to Network > Interfaces and click on the Add button to create another interface. Enter the following details:
    • Name: WAN
    • Zone: WAN
    • Type: VLAN
    • Parent Interface: Select the same physical interface that is connected to the network switch.
    • VLAN ID: Enter a different VLAN ID for the WAN network, such as 20.
    • IP Assignment: Static
    • IP Address: Enter an IP address for the WAN interface, such as 192.168.20.1/24.
    • Gateway: Enter the IP address of the gateway for the WAN network, such as 192.168.20.254.
    • DNS Server 1: Enter the IP address of a public DNS server, such as 8.8.8.8.
    • DNS Server 2: Enter the IP address of another public DNS server, such as 8.8.4.4.
    • Enable DHCP Server: Uncheck this option to disable the DHCP server on the WAN interface.
    • DHCP Range: Leave blank
    • Lease Time: Leave blank
    • Domain Name: Leave blank
    • WINS Server: Leave blank
    • NTP Server: Leave blank
  6. Click on the Save button to create the WAN interface.
  7. Go to Network > Routing and click on the Add button to create a new route. Enter the following details:
    • Name: Default Route
    • Destination Network: 0.0.0.0/0 (This means any network)
    • Gateway: Select the IP address of the gateway for the WAN network, such as 192.168.20.254.
    • Interface: Select the WAN interface.
    • Metric: Leave the default value of 10.
  8. Click on the Save button to create the default route.
  9. Go to Authentication > Servers and click on the Add button to create a new authentication server. Enter the following details:
    • Name: AD Server
    • Server Type: Active Directory
    • Server IP/Host Name: Enter the IP address or host name of the Windows Active Directory domain controller, such as 192.168.10.10 or dc.example.com.
    • Port: 389 for STARTTLS, or 636 if you choose SSL/TLS (LDAPS).
    • Connection Security: Select STARTTLS or SSL/TLS so that the bind credentials and the query results are encrypted in transit; never select Simple, which sends the bind password across the LAN in clear text. Enable server certificate validation where the option is offered. Without it, a host on the path could present its own directory service, receive the bind password and feed the firewall whatever group memberships it likes.
    • Bind DN: Enter the distinguished name of a dedicated, read-only account created for the firewall (see Step 2), such as cn=svc-fw-ldap,ou=Service Accounts,dc=example,dc=com. Do not use a Domain Admin or any other privileged account: this credential is stored in the firewall configuration and in its backups, so it should be able to do nothing beyond reading directory data.
    • Bind Password: Enter the password of that account.
    • User Search Base: Enter the distinguished name of the container or organizational unit under which the user accounts live, such as cn=Users,dc=example,dc=com, or dc=example,dc=com to search the whole domain.
    • Group Search Base: Enter the distinguished name under which the groups live. Active Directory has no cn=groups container by default: the built-in groups sit in cn=Users,dc=example,dc=com and organizations usually place their own in an OU such as ou=Groups,dc=example,dc=com. Using the domain root, dc=example,dc=com, covers both.
    • User Name Attribute: Leave the default value of sAMAccountName.
    • Group Name Attribute: Leave the default value of cn.
    • Group Member Attribute: Leave the default value of member.
    • Nested Group Search: Check this option to enable the firewall to search for nested groups in the Active Directory.
  10. Click on the Test Connection button to verify the connection between the firewall and the domain controller. If the test is successful, click on the Save button to create the authentication server.
  11. Go to Authentication > Agents and click on the Add button to create a new authentication agent. Enter the following details:
    • Name: SAA Server
    • IP Address: Enter the IP address of the Windows server or workstation that will run the SAA software, such as 192.168.10.20.
    • Shared Secret: Enter a long random value generated for this purpose (for example 32 bytes from a cryptographic random number generator, Base64 encoded) and keep it in your password store; the same value is entered on the agent in Step 3. This secret is what lets the firewall trust the user-to-IP mappings the agent reports, so a guessable value such as sophos123 would let anyone who learns or guesses it forge mappings and have the firewall treat their machine as any user they choose.
    • Status: Select Enabled to enable the authentication agent.
  12. Click on the Save button to create the authentication agent.
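The firewall's Test Connection button only reports success or failure. The following PowerShell, added here as an example and not part of the original article or of Sophos' tooling, reproduces the same lookup from any domain-joined Windows host: it binds over STARTTLS with the service account, finds a user by sAMAccountName and asks the domain controller for that user's nested group memberships, which is what the Nested Group Search option must return. The host name dc.example.com, the bind UPN svc-fw-ldap@example.com, the search base dc=example,dc=com and the test user jdoe are assumptions; substitute your own.

```powershell
# Added example (not Sophos code): replay the firewall's AD lookup from Windows.
# Assumed values: dc.example.com:389, bind UPN svc-fw-ldap@example.com,
# search base dc=example,dc=com, test user "jdoe".
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so that a name taken from input cannot alter the filter.
    param([string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Connect-LdapStartTls {
    param([string]$Server, [int]$Port = 389, [pscredential]$Credential)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    # Upgrade to TLS before the simple bind so the password never crosses the
    # wire in clear. Certificate validation stays at the .NET default (system
    # trust); do not add a VerifyServerCertificate callback that returns $true.
    $conn.SessionOptions.StartTransportLayerSecurity($null)
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $Credential.GetNetworkCredential()
    $conn.Bind()   # throws LdapException if the DN/password is wrong or TLS failed
    return $conn
}

function Get-UserGroupsAsFirewallSees {
    param(
        [System.DirectoryServices.Protocols.LdapConnection]$Connection,
        [string]$SearchBase,
        [string]$SamAccountName
    )
    $scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $filter = "(&(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    $req    = New-Object System.DirectoryServices.Protocols.SearchRequest(
                  $SearchBase, $filter, $scope, [string[]]@('distinguishedName'))
    $resp   = $Connection.SendRequest($req)
    if ($resp.Entries.Count -ne 1) { throw "Expected one user for $SamAccountName, got $($resp.Entries.Count)" }
    $userDn = [string]$resp.Entries[0].Attributes['distinguishedName'][0]

    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) makes the DC expand
    # nested membership server-side; this is the set "Nested Group Search" should yield.
    $gFilter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $userDn)))"
    $gReq    = New-Object System.DirectoryServices.Protocols.SearchRequest(
                   $SearchBase, $gFilter, $scope, [string[]]@('cn'))
    $groups  = @($Connection.SendRequest($gReq).Entries | ForEach-Object { [string]$_.Attributes['cn'][0] })
    [pscustomobject]@{ User = $userDn; Groups = $groups }
}

# Prompt for the bind password rather than embedding it in the script or shell history.
$cred = Get-Credential -UserName 'svc-fw-ldap@example.com' -Message 'Firewall bind account'
$conn = Connect-LdapStartTls -Server 'dc.example.com' -Port 389 -Credential $cred
Get-UserGroupsAsFirewallSees -Connection $conn -SearchBase 'dc=example,dc=com' -SamAccountName 'jdoe'
```

If Bind() fails with "The LDAP server is unavailable" immediately after StartTransportLayerSecurity, the domain controller's certificate is not trusted by the host; fix the trust chain rather than disabling validation, since the firewall will hit the same problem. If the user is found but the Groups list is shorter than expected, the missing groups are nested and the firewall's Nested Group Search option is what closes the gap.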

Step 2: Configure the Windows Active Directory domain controller

The next step is to give the firewall an identity in the domain with which to query user and group information. No special permissions are needed for this: in a default domain, any authenticated account can read the attributes the firewall uses (sAMAccountName, cn, member and memberOf). What you need is a dedicated service account with the least privilege possible, because its password will be stored on the firewall and on the agent host. To create it, follow these steps:

  1. Log in to the Windows Active Directory domain controller using your administrator credentials.
  2. Open Server Manager, click on the Tools menu and select Active Directory Users and Computers.
  3. In the left pane, expand your domain, such as example.com, and select (or create) an organizational unit for service accounts, such as Service Accounts. Right-click on it and select New > User.
  4. Enter a descriptive name and logon name, such as svc-fw-ldap, with the user logon name svc-fw-ldap@example.com, and click on Next.
  5. Set a long random password (from a password manager's generator or a 32-byte random value), check User cannot change password and clear User must change password at next logon. Decide how the password will be rotated: either leave the domain expiry policy in force and schedule the change, or check Password never expires and rotate it deliberately on a fixed schedule. Click on Next and then on Finish.
  6. Open the new account's Properties and, on the Account tab, check Account is sensitive and cannot be delegated. An LDAP bind never needs Kerberos delegation, and this flag stops a compromised service from reusing the account's identity elsewhere.
  7. On the Member Of tab, make sure the account belongs only to Domain Users. Do not add it to Domain Admins, Account Operators or any other privileged group. If your domain has tightened the default read permissions, grant this account Read on the containers you entered as the user and group search bases rather than widening its group membership.
  8. Using Group Policy, deny the account interactive and remote logon (Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Deny log on locally and Deny log on through Remote Desktop Services) so that the credential is useful for nothing but an LDAP bind.
  9. Enter the account's distinguished name, such as cn=svc-fw-ldap,ou=Service Accounts,dc=example,dc=com, as the Bind DN on the firewall and click on Test Connection there to confirm that the bind succeeds over STARTTLS.
  10. Repeat steps 3 to 8 for a second account, such as svc-fw-agent, for the agent configured in Step 3, so that the two credentials can be rotated and revoked independently.
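The same account can be created from PowerShell on the domain controller, which leaves a reproducible record and removes the temptation to type a weak password. The script below is an added example, not part of the original article or of Microsoft's or Sophos' documentation. It assumes the ActiveDirectory module, an OU at OU=Service Accounts,DC=example,DC=com, the logon name svc-fw-ldap and the domain example.com; the New-RandomSecret function it defines also serves to generate the firewall/agent shared secret.

```powershell
# Added example (not Microsoft or Sophos code): create the read-only bind account.
# Assumed: OU "OU=Service Accounts,DC=example,DC=com", sAMAccountName svc-fw-ldap,
# domain example.com, ActiveDirectory module available on the DC.
Import-Module ActiveDirectory

function New-RandomSecret {
    # 32 bytes from the OS CSPRNG, Base64 encoded (44 characters). Use it for the
    # account password and again for the firewall/agent shared secret instead of
    # a guessable value such as "sophos123".
    param([int]$Bytes = 32)
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    [Convert]::ToBase64String($buf)
}

function New-FirewallBindAccount {
    param(
        [string]$SamAccountName = 'svc-fw-ldap',
        [string]$Domain         = 'example.com',
        [string]$OuPath         = 'OU=Service Accounts,DC=example,DC=com'
    )
    $password = New-RandomSecret
    $params = @{
        Name                 = $SamAccountName
        SamAccountName       = $SamAccountName
        UserPrincipalName    = "$SamAccountName@$Domain"
        Path                 = $OuPath
        AccountPassword      = (ConvertTo-SecureString $password -AsPlainText -Force)
        Enabled              = $true
        CannotChangePassword = $true
        PasswordNeverExpires = $true   # rotate deliberately with Set-ADAccountPassword
        Description          = 'Sophos firewall LDAP bind - read-only, no interactive logon'
    }
    New-ADUser @params
    # An LDAP bind never needs Kerberos delegation; mark the account sensitive so
    # a compromised service cannot impersonate it towards other services.
    Set-ADAccountControl -Identity $SamAccountName -AccountNotDelegated $true

    # Domain Users already grants read access to the attributes the firewall
    # queries; fail loudly if the account ended up anywhere more privileged.
    $extra = Get-ADPrincipalGroupMembership -Identity $SamAccountName |
             Where-Object { $_.Name -ne 'Domain Users' }
    if ($extra) { throw "Unexpected group membership: $($extra.Name -join ', ')" }

    [pscustomobject]@{
        Account  = "$SamAccountName@$Domain"
        BindDn   = (Get-ADUser -Identity $SamAccountName).DistinguishedName
        Password = $password   # enter once into the firewall's Bind Password field, then discard
    }
}

$acct = New-FirewallBindAccount
$acct                      # shows Account, BindDn and the one-time password
Remove-Variable acct       # do not leave the secret in the session
```

The interactive-logon denial from step 8 is a Group Policy user-rights setting and is not covered by the script; apply it to the OU that holds the service accounts. Rotating the password later is a single Set-ADAccountPassword call followed by updating the firewall's Bind Password field.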

Step 3: Configure the Windows server or workstation that will run the SAA software

The next step is to configure the Windows server or workstation that will run the SAA software to communicate with the firewall and the domain controller. To do this, follow these steps:

  1. Log in to the Windows server or workstation using your administrator credentials.
  2. Download the SAA software from the Sophos website and run the installer. Follow the on-screen instructions to complete the installation.
  3. Open the SAA software and click on the Settings button. Enter the following details:
    • Firewall IP Address: Enter the IP address of the Sophos XGS firewall, such as 192.168.10.1.
    • Shared Secret: Enter the same random shared secret that you generated for the authentication agent entry on the firewall in Step 1. Copy it from your password store rather than retyping it; a mismatch is the most common reason the agent and the firewall fail to talk.
    • Domain Name: Enter the domain name of the Windows Active Directory domain, such as example.com.
    • Domain Controller IP Address: Enter the IP address of the Windows Active Directory domain controller, such as 192.168.10.10.
    • Domain Controller Port: Leave the default value of 389.
    • Domain Controller Username: Enter the dedicated service account that the agent will use to query the directory, such as svc-fw-agent, created as described in Step 2. Give it read access only and keep it separate from the firewall's bind account so that either credential can be rotated or revoked on its own. Never use a Domain Admin here: this password is stored on the agent host, and anyone who compromises that host gets whatever the account can do.
    • Domain Controller Password: Enter the password of that account.
  4. Click on the Save button to save the settings.
  5. Click on the Start button to start the SAA service. You should see a green icon in the system tray indicating that the SAA service is running.

Step 4: Configure the firewall policies based on user and group information

The final step is to configure the firewall policies based on user and group information to monitor and control network traffic. To do this, follow these steps:

  1. Log in to the Sophos XGS firewall web admin console using your administrator credentials.
  2. Go to Firewall > Firewall Policies and click on the Add button to create a new firewall policy. Enter the following details:
    • Name: Allow Internet Access
    • Source Zone: LAN
    • Source Networks and Devices: Any
    • Source Users and Groups: Select the AD group whose members may reach the internet, such as Employees. The group must already exist on the firewall: import it from the AD server entry (Authentication > Servers offers an import wizard for Active Directory) or wait for it to be created when the first member authenticates. Selecting a user or group here also means the rule matches only traffic from addresses the firewall has already mapped to an authenticated user; traffic from hosts with no known user falls through to later rules.
    • Destination Zone: WAN
    • Destination Networks and Devices: Any
    • Services: Any
    • Action: Accept
    • Log Firewall Traffic: Check this option to enable logging of firewall traffic for this policy.
    • Scan HTTP: Check this option to enable scanning of HTTP traffic for this policy.
    • Scan HTTPS: Check this option to enable scanning of HTTPS traffic for this policy.
    • Web Policy: Select the web policy that you want to apply for this policy, such as Default.
    • Application Policy: Select the application policy that you want to apply for this policy, such as Default.
  3. Click on the Save button to create the firewall policy.
  4. Application control in Sophos Firewall is an inspection feature of an Accept rule, while a Drop rule matches only on zone, network, service and user. A Drop rule with Services set to Any placed above Allow Internet Access would therefore cut off all internet access, not just Tor. To block Tor, attach an application filter policy to the Allow rule instead: open the application policies page (Applications > Application filter) and either pick a built-in template that blocks proxy, filter-avoidance or high-risk applications, or add a policy with a rule that denies the Tor application (and, if you want to be broader, the whole proxy-and-tunnel category).
  5. Edit the Allow Internet Access rule, set Application Policy to the policy you chose, and click on Save. Keep Log Firewall Traffic enabled so that blocked Tor attempts appear in the log viewer together with the user name, which is the whole point of the integration.
  6. Rules are evaluated top to bottom and the first match wins, so order them from most specific to most general. If you later add a rule for a restricted group (for example, contractors who may only reach a few destinations), drag it above the general Allow Internet Access rule or it will never be evaluated. Bear in mind that application control identifies Tor by traffic signatures; clients using bridges or pluggable transports may not be classified, so pair it with a web policy that blocks the anonymizer/proxy category and with egress restrictions on unusual ports rather than relying on a single control.

Frequently Asked Questions (FAQs)

Here are some frequently asked questions related to the topic of integrating Sophos XGS firewall with Windows Active Directory:

Question: How can I verify that the integration is working properly?

Answer: You can verify that the integration is working properly by checking the following:

  • On the Sophos XGS firewall web admin console, go to Current activities > Live users. Each entry shows the user name, the IP address the firewall has bound to it, how the mapping was learnt (agent, captive portal or client) and when it was created. A user who does not appear here is treated as unknown by every user-based rule, whatever the directory says about them.
  • On the Sophos XGS firewall web admin console, open the log viewer (Logs & Reports, Firewall module) and confirm that connections from authenticated hosts carry the user name in the User column. A Drop entry for a rule that matched on users shows that the identity mapping, not just the IP address, drove the decision.
  • On the Windows server or workstation that runs the SAA software, open the SAA software and click on the Status button. Check if you can see the user names and IP addresses of the logged-in users on the LAN network.
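Identity-based rules are only as good as the user-to-IP table behind them: if a user logs off a shared workstation and the mapping is not refreshed, the next person at that address inherits the previous user's policy. The PowerShell below, added here as an example and not part of the original article or of Sophos' agent, rebuilds the mapping from the domain controller's Security log the way a logon-monitoring agent does and then asks each workstation who is actually at the console, flagging stale entries. It assumes Kerberos TGT events (ID 4768) are audited on the domain controller dc.example.com, an eight-hour lookback, and an account that can read that log and query CIM/WMI on the clients.

```powershell
# Added example (not Sophos code): rebuild the user -> IP table from the DC's
# Security log and verify it against the workstations' current console user.
# Assumed: event ID 4768 audited, DC dc.example.com, 8-hour lookback, rights to
# read the Security log and to query Win32_ComputerSystem on the clients.
function Get-LogonMappingFromDc {
    param([string]$DomainController = 'dc.example.com', [int]$Hours = 8)
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddHours(-$Hours)
    }
    $byIp = @{}
    foreach ($e in $events) {            # newest first, so the first hit per IP wins
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Successful TGT requests for user principals only; computer accounts end in '$'.
        if ($d['Status'] -ne '0x0' -or $d['TargetUserName'] -like '*$') { continue }
        $ip = $d['IpAddress'] -replace '^::ffff:', ''    # strip the IPv4-mapped prefix
        if (-not $byIp.ContainsKey($ip)) {
            $byIp[$ip] = [pscustomobject]@{ Ip = $ip; User = $d['TargetUserName']; Seen = $e.TimeCreated }
        }
    }
    $byIp.Values
}

function Test-LogonMapping {
    param([Parameter(ValueFromPipeline = $true)] $Mapping)
    process {
        try {
            # Resolve to a name so Kerberos, not NTLM via TrustedHosts, authenticates the query.
            $fqdn = [System.Net.Dns]::GetHostEntry($Mapping.Ip).HostName
            $cs   = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $fqdn -ErrorAction Stop
            $now  = if ($cs.UserName) { ($cs.UserName -split '\\')[-1] } else { $null }   # "EXAMPLE\jdoe" -> "jdoe"
        } catch { $now = $null }
        if (-not $now)                   { $verdict = 'unreachable or no console user' }
        elseif ($now -ieq $Mapping.User) { $verdict = 'ok' }
        else                             { $verdict = 'STALE: firewall still maps the previous user' }
        [pscustomobject]@{ Ip = $Mapping.Ip; Mapped = $Mapping.User; ConsoleUser = $now; Verdict = $verdict }
    }
}

# A STALE row means whoever now sits at that address inherits the mapped user's
# firewall policy until the entry is refreshed or purged on the firewall.
Get-LogonMappingFromDc | Test-LogonMapping | Format-Table -AutoSize
```

Run it against every domain controller in the site, because a user's TGT request lands on whichever DC answered them. A workstation that shows as unreachable is not necessarily a problem, but a STALE row against a privileged user's name is worth purging from the Live users list on the firewall immediately.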

Question: How can I troubleshoot the integration if it is not working properly?

Answer: You can troubleshoot the integration if it is not working properly by checking the following:

  • On the Sophos XGS firewall web admin console, go to Authentication > Servers and click on the Test Connection button for the AD Server. Check if the test is successful or not. If not, check the server IP/Host Name, port, connection security, bind DN, bind password, user search base, and group search base settings.
  • On the Sophos XGS firewall web admin console, go to Authentication > Agents and click on the Test Connection button for the SAA Server. Check if the test is successful or not. If not, check the IP address and shared secret settings.
  • On the Windows server or workstation that runs the SAA software, open the SAA software and click on the Settings button. Check the firewall IP address, shared secret, domain name, domain controller IP address, domain controller port, domain controller username, and domain controller password settings.
  • On the Windows server or workstation that runs the SAA software, open the SAA software and click on the Logs button. Check the logs for any errors or warnings related to the integration.

Question: How can I customize the firewall policies based on user and group information?

Answer: You can customize the firewall policies based on user and group information by using the following options:

  • On the Sophos XGS firewall web admin console, go to Firewall > Firewall Policies and click on the Edit button for the firewall policy that you want to customize. You can change the source users and groups, destination users and groups, services, action, log firewall traffic, scan HTTP, scan HTTPS, web policy, and application policy settings according to your preference.
  • On the Sophos XGS firewall web admin console, go to Web > Web Policies and click on the Add button to create a new web policy. You can define the web categories, web applications, web exceptions, and web quota settings according to your preference. You can then apply the web policy to the firewall policy that you want to customize.
  • On the Sophos XGS firewall web admin console, go to Application > Application Policies and click on the Add button to create a new application policy. You can define the application categories, applications, application exceptions, and application quota settings according to your preference. You can then apply the application policy to the firewall policy that you want to customize.

Summary

In this article, we have shown you how to integrate Sophos XGS firewall with Windows Active Directory to monitor and control network traffic based on user identity and group membership. We have also shown you how to configure firewall policies based on user and group information to detect and block high-risk applications, such as TOR Proxy, on your network. We hope that this article has been helpful and informative for you. If you have any questions or feedback, please feel free to contact us.

Disclaimer: This article is for informational purposes only and does not constitute professional advice. The information and instructions provided in this article are based on the best practices and recommendations from Sophos and Microsoft, but they may not be suitable for your specific network environment and configuration. You should always consult with your network administrator and IT support team before implementing any changes to your network firewall and Active Directory settings. We are not responsible for any damages or losses that may result from following the steps in this article.