Sophos UTM and Active Directory Step by Step Integration Guide
Almost all enterprises use Windows Active Directory as their authentication store. Any non-Windows system that would like to Integrate into such an environment needs to be configured to interact with the relevant Active Directory servers and services.
In this article we are going to step through the process of integrating Sophos UTM and Active Directory using the Active Directory Single Sign On feature. We will join a Sophos UTM device to a Windows Domain and define policies for certain Active Directory groups and users.
Step 1. DNS
Before a device can be joined to a domain, it needs to be able to resolve the relevant domain services. Sophos UTM can be configured to use various DNS configurations, but typically, there are only two main requirements. Resolve all internal DNS queries using an internal DNS server, and for all other queries, resolve them using an external/public DNS server.
Step 1.1. Confirm Public DNS Forwarders
Select Network Services | DNS
Select the Forwarders Tab
By default during the installation wizard a DNS forwarder is created. This can be any public DNS server such as Google’s 220.127.116.11 or 18.104.22.168. If the installation wizard did not create one, add a DNS forwarder that points to a public DNS server.
Sophos UTM DNS Forwarder
Step 1.2. Define Request Routing
Select the Request Routing tab
Click the + New DNS Request Route… button
Specify your internal domain name
Browse for or create your local DNS servers
Click the Save button
Sophos UTM Request Routing
This configuration will now send all DNS queries for the internal domain to your internal DNS server while sending all other DNS queries directly to the external public DNS servers.
Step 1.3. Test internal and external DNS resolution
Select Support | Tools
Select the DNS Lookup tab
In the hostname field, enter an external domain such as google.com, check “Enable verbose output” and click the Apply button
Sophos UTM DNS Test
This should resolve the public DNS record from your public DNS server.
Repeat the process, but this time specify your own internal domain.
You should now see that external names resolve externally and internal names resolve internally.
Step 2. Join Sophos UTM to the Domain
This is taken directly from the Sophos UTM management interface.
To activate Single-Sign-On functionality, the system must join the Active Directory domain. Enter the domain name (e.g. ’intranet.yourcompany.com’) of the domain you wish to join, as well as the credentials of an admin user who is allowed to add computers to that domain.
To join Sophos UTM to your Windows domain:
Select Definitions & Users | Authentication Servers
Select the Single Sign-On Tab
Enter your internal domain name along with the Username and Password of a user that has permission to create objects in AD
Click the Apply button
Sophos UTM Single Sign On
The join might take a minute or two. Green text will briefly display indicating a successful join. The Status line will also reflect that the Sophos UTM has joined the domain. If you like to double check you can also look for the object in Active Directory. It will be registered as a computer object similar to a domain joined PC.
Step 3. Specify Authentication Servers
In this step we will specify which Active Directory servers the Sophos UTM can use to query for groups, membership and also authenticate the user.
In order to do this, you need to know the distinguishedName (BIND DN) of the AD user account you are using for Sophos UTM.
Step 3.1. Find the AD User Account’s distinguishedName
Firstly, find the canonical name of the user account you want to use for Sophos UTM
On your domain controller, open Active Directory Users and Computers
Select View | Advance Features
Search for the domain account that will be used by the Sophos UTM. You can use the same account you used to Join Sophos UTM to the domain (See step 3 above) or create a new account specifically for Sophos UTM.
In the Properties for the user account you will see the Object tab.
Note the canonical name as it tells you where the object is in your Active Directory.
Now we can retrieve the distinguishedName for the account using ADSI Edit.
Open ADSI Edit (Adsiedit.msc)
Right-click the ADSI Edit root and click Connect to…
The default settings should allow you to connect successfully, so just click OK
You can now expand and browse the directory until you find the user account you want to use. This is where the canonical name comes in handy.
Open the Properties of the user account
In the attributes section scroll down to the distinguishedName
Copy the distinguishedName to the clipboard (Double-click the entry to view and then copy).
Step 3.2. Define an Authentication Server
Select Definitions & Users | Authentication Services
Select the Servers tab
Click the + New Authentication server button
Select Active Directory as the Backend
Next to the Server field click the + button
Specify your Active Directory server name, and specify its IPv4 Address
Sophos UTM Authentication Server
For the BIND DN paste the distinguishedName of the AD account you want to use (see step 3.1 above)
Password is the password for that account
Click the Test button
If successful, you should get a small pop up saying “Server test passes”. If not, please revise the steps above until the test succeeds.
The Base DN is the base from which user objects will be queried. The less specific, the larger the scope will be for the object to be searched.
As a test, specify the base DN of your domain e.g. DC=fastvue,DC=co
Specify the username and password for any AD account and the test should succeed
You are now ready to save the Authentication Server
Sophos UTM User Authentication Test
You can and should repeat this process for additional AD servers. Using the clone button makes it easy to retain the settings.
Step 4. Create Sophos UTM Groups Using Active Directory Groups
Sophos UTM can apply policies and rules to users or groups. These groups are however local groups to the Sophos UTM.
The Sophos UTM groups can determine its members by referencing an Active Directory group. I have found it makes administration much easier to simply match the names of the Sophos UTM Groups to the names of the AD Groups. This is purely a naming convention and not required.
To create a Sophos UTM group:
Select Definitions & Users | Users & Groups
Select the Groups tab
Click the + New Group button
Group Name: Same as AD Group Name
Group Type: Backend membership
Backend: Active Directory
Check “Limit to backend group(s) membership”
Click the folder icon to browse AD for groups
Once you have found the group, drag it to the empty pane in the bottom of the popup window.
Click the Save Button
Sophos UTM Active Directory Browser
Repeat this process until you have all the groups that you want to use. Note: You can also add multiple Active Directory groups into a single Sophos UTM group.
Step 5. Use Active Directory Groups in Policies
Now that the Active Directory Integrated groups have been created you can use them in your Sophos UTM policies.
To configure the forward proxy to use these groups you need to do the following.
Select Web Protection | Web Filtering
Select the Global tab
Make sure the mode is set to Standard Mode
Set the Authentication mode to Active Directory SSO
Click the folder icon and add the AD group(s) defined earlier
Click the Apply Button
Sophos UTM Global Web Filtering
Domain joined Windows and Apple Mac OSX machines should now be able to use the proxy without being queried for credentials. You can verify this by checking the Live Log. Look for the user= field.
Sophos UTM Web Filter Live Log
Step 6. Reporting on Authenticated Users in Sophos UTM
Authenticated user credentials are logged by Sophos UTM and can be viewed in the on-box reports. Unfortunately, the user account name can sometimes be a non-intuitive number such as a employee id, staff number or abbreviations.
Sophos UTM User Report
Fastvue Sophos Reporter solves this problem by mapping the user account back to the user’s display name in Active Directory. Sophos Reporter also uses other Active Directory attributes such as ‘department’ to enable reporting by Department, Offices and Companies.