To integrate the XG firewall with Azure AD, a new service called "Azure AD Domain Services" has to be created. With that integration, administrators can use Azure AD for captive portal authentication of internal firewall users and for the authentication agent for Windows, Mac and Linux. Note: Sophos Azure Active Directory synchronization can be used with Sophos Endpoint Protection and Sophos Email; it has not been tested with other Sophos products.
Overview
Sophos Transparent Authentication Suite (STAS) removes the need for users to remember a second set of credentials for the Sophos firewall: a user who has logged in to Windows with a domain username and password is authenticated to the firewall transparently, using the logon events recorded on the domain controller. It also removes the need for SSO client settings on each workstation. The result is easy to use for end users, gives a higher level of security, and reduces the operating costs of installing clients.
This article shows how to integrate STAS with an Active Directory server on a Sophos XG firewall.
How to configure
Step 1: Configure ADS
Configuration on Active Directory
- Start -> Administrative Tools -> Local Security Policy to view the security settings. On a domain controller the audit settings in the Default Domain Controllers Policy GPO take precedence over Local Security Policy, so if a setting is greyed out or reverts, set it in that GPO instead.
- Go to Security Settings -> Local Policies -> Audit Policy -> right-click Audit account logon events -> Select Properties
- Select both Success and Failure -> Click OK. Do the same for Audit logon events, since STAS also relies on the logon events (4624) written on the domain controller.
- Local Security Policy -> Security Settings -> Local Policies -> User Rights Assignment -> right-click Log on as a service -> Select Properties
- Click Add User or Group -> add the account the STAS service will run as -> Click OK. The article uses the built-in Administrator account; a dedicated service account with only the rights STAS needs (reading the Security log on the domain controller, and remote WMI access to the workstations if WMI polling is used) is preferable, because that account's password is also stored on the STAS host.
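The settings above are easy to get wrong on a domain controller, where a GPO can silently override Local Security Policy. The following PowerShell script is an added example, not part of the original article: run it elevated on the domain controller after Step 1 to confirm the effective audit policy, the Log on as a service right, and that logon events are actually being written. The service account name VACIF\svc-stas is a hypothetical value; replace it with the account the STAS service will run as.

```powershell
# Added example (not from the original article): verify the AD prerequisites for STAS.
# Run elevated on the domain controller. 'VACIF\svc-stas' is a hypothetical account name.

function Get-EffectiveAuditSettings {
    # auditpol reports the *effective* policy, so a GPO override of Local Security Policy
    # is caught here. /r gives CSV; the leading blank line is dropped before parsing.
    $rows = foreach ($cat in 'Account Logon', 'Logon/Logoff') {
        auditpol /get /category:"$cat" /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    }
    $rows | Select-Object Subcategory, 'Inclusion Setting'
}

function Test-StasAuditPolicy {
    # STAS reads logon events, so the subcategories that produce 4624 (Logon),
    # 4768 (Kerberos TGT) and 4776 (NTLM validation) should audit success and failure.
    $settings = Get-EffectiveAuditSettings
    $needed = 'Logon', 'Kerberos Authentication Service', 'Credential Validation'
    $missing = foreach ($sub in $needed) {
        $row = $settings | Where-Object { $_.Subcategory -eq $sub }
        if (-not $row -or $row.'Inclusion Setting' -ne 'Success and Failure') { $sub }
    }
    [pscustomobject]@{ Ok = (-not $missing); Missing = @($missing) }
}

function Test-ServiceLogonRight {
    param([Parameter(Mandatory)][string]$Account)
    # secedit exports user rights as "SeServiceLogonRight = *S-1-5-...,DOMAIN\name".
    $cfg = Join-Path $env:TEMP 'stas-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -like 'SeServiceLogonRight*' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return $false }
    $principals = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Resolve SID entries to DOMAIN\name so they compare with $Account.
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else { $entry }
    }
    [bool]($principals -contains $Account)
}

function Get-RecentLogonEvents {
    param([int]$Hours = 1)
    # 4624 = successful logon, 4768 = Kerberos TGT issued. No events at all in the last
    # hour on a busy domain usually means the audit policy is not in effect.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4768
                                     StartTime = (Get-Date).AddHours(-$Hours) } `
                 -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id
}

# Report
$audit = Test-StasAuditPolicy
"Audit policy OK: $($audit.Ok)" + $(if (-not $audit.Ok) { " (missing: $($audit.Missing -join ', '))" })
"Log on as a service granted to VACIF\svc-stas: $(Test-ServiceLogonRight -Account 'VACIF\svc-stas')"
$events = @(Get-RecentLogonEvents)
"Logon/TGT events in the last hour: $($events.Count)"
```

If the audit check fails while Local Security Policy shows Success and Failure, the Default Domain Controllers Policy is overriding it; set it there and run gpupdate before checking again.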
Step 2: Download STAS
- Log in to the AD server with an Administrator account
- Log in to the Sophos XG web admin interface with an Admin account
- Authentication -> click the … icon -> select Client Download to download the STAS installer -> install it on the AD server
- You can also download STAS from the Download Client page of the User Portal when logged in with an Admin account
Step 3: Install STAS on AD
- Run the downloaded STAS installer. Click Next 4 times -> Click Install
- Select SSO and click Next
- Enter the username and password of the account from Step 1 (the one granted Log on as a service) -> Click Next
- Click Finish to complete the installation
Step 4: Configuration for STAS
- Open STAS by double-clicking Sophos Transparent Authentication Suite on the desktop
- On the STA Collector tab
- In the Sophos Appliances section -> Click Add and enter the IP of the LAN port of the Sophos XG device
- In Workstation Polling Settings: select WMI (the collector account needs remote WMI access, i.e. local administrator rights, on the workstations it polls; Registry Read Access is the alternative)
- In the Logoff Detection Settings section and Appliance Port -> keep the default configuration
-> Click Apply
- On the STA Agent tab
- In Monitor Networks -> Click Add and enter the LAN network whose users you want to authenticate
-> Click Apply
- On the General tab
- Enter the NetBIOS name of the domain
- Enter the FQDN of the domain
- Click Start to start STAS
-> Click Apply -> Click OK
Step 5: Add the AD server to Sophos XG to authenticate domain users
Configuration on XG
Authentication -> Servers -> Click Add
- Server type: select Active Directory
- Server name: a name for this server entry
- Server IP/domain: the IP address or FQDN of the AD server
- Port: 389 for a Simple or STARTTLS connection, 636 for SSL/TLS (see Connection security below)
- NetBIOS domain: the NetBIOS name of the AD domain
- ADS username: the account XG binds with. The article uses the administrator account; prefer a dedicated read-only account, because the firewall stores this password and sends it with every lookup, and a domain administrator's credentials on the wire are exactly what an attacker on the LAN wants
- Password: the password of that account
- Connection security: the article selects Simple, which sends the bind password in clear text over LDAP. Prefer SSL/TLS (port 636) or STARTTLS (port 389); domain controllers configured to require LDAP signing or channel binding reject clear-text Simple binds anyway
- Display name attribute: the LDAP attribute XG shows as the user's name, normally displayName (this field is not the server name)
- Email address attribute: normally mail (can be left blank)
- Domain name: your AD DNS domain name
- Search queries: the base DN XG searches under (Ex: dc=vacif,dc=com)
-> Click Test connection -> Click Save
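Before saving the server entry it is worth performing the same bind and lookups XG will do, with the least-privileged account and with TLS, so that a failure can be attributed to the account, the certificate or the search base rather than to the firewall. The script below is an added example and not part of the original article or of Sophos' own tooling. The DC name dc01.vacif.com, the account svc-xgldap@vacif.com and the sample user are hypothetical; the base DN dc=vacif,dc=com is the article's own example.

```powershell
# Added example (not from the original article): exercise the LDAP bind and attribute
# lookups that XG performs for an Active Directory server entry, over LDAPS.
# Hypothetical values: dc01.vacif.com, svc-xgldap@vacif.com, sample user 'jdoe'.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-XgLdapServer {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 636,
        [bool]$UseTls = $true,
        [Parameter(Mandatory)][string]$BindUser,      # UPN or DOMAIN\user
        [Parameter(Mandatory)][string]$BindPassword,
        [Parameter(Mandatory)][string]$SearchBase,    # XG "Search queries"
        [Parameter(Mandatory)][string]$SampleUser     # sAMAccountName of any user
    )
    $ident = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $cred  = New-Object System.Net.NetworkCredential($BindUser, $BindPassword)
    # AuthType.Basic is an LDAP simple bind: the password crosses the network in the
    # clear unless the session is wrapped in TLS, which is what "Connection security:
    # Simple" on port 389 leaves out.
    $conn  = New-Object System.DirectoryServices.Protocols.LdapConnection(
        $ident, $cred, [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = $UseTls

    $result = [ordered]@{ Bind = $false; BaseDnFound = $false; DisplayName = $null
                          Mail = $null; GroupCount = 0; Error = $null }
    try {
        $conn.Bind()
        $result.Bind = $true

        # 1. Does the search base exist and can this account read it?
        $baseReq = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $SearchBase, '(objectClass=*)',
            [System.DirectoryServices.Protocols.SearchScope]::Base, [string[]]@('distinguishedName'))
        $result.BaseDnFound = ($conn.SendRequest($baseReq).Entries.Count -eq 1)

        # 2. Can it read the attributes XG maps (displayName, mail) and the group
        #    membership XG uses for group matching (memberOf)?
        $filter = "(&(objectCategory=person)(sAMAccountName=$SampleUser))"
        $userReq = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $SearchBase, $filter,
            [System.DirectoryServices.Protocols.SearchScope]::Subtree,
            [string[]]@('displayName', 'mail', 'memberOf'))
        $resp = $conn.SendRequest($userReq)
        if ($resp.Entries.Count -eq 1) {
            $entry = $resp.Entries[0]
            if ($entry.Attributes['displayName']) { $result.DisplayName = $entry.Attributes['displayName'][0] }
            if ($entry.Attributes['mail'])        { $result.Mail = $entry.Attributes['mail'][0] }
            if ($entry.Attributes['memberOf'])    { $result.GroupCount = $entry.Attributes['memberOf'].Count }
        }
    } catch {
        # Certificate errors on 636 land here too: fix the DC certificate rather than
        # disabling validation, since the firewall will face the same certificate.
        $result.Error = $_.Exception.Message
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]$result
}

# Usage (password prompted so it does not end up in the shell history):
Test-XgLdapServer -Server 'dc01.vacif.com' -BindUser 'svc-xgldap@vacif.com' `
    -BindPassword (Read-Host 'Bind password') -SearchBase 'dc=vacif,dc=com' -SampleUser 'jdoe'
```

A bind that succeeds with -UseTls $false on port 389 but fails on 636 points at the DC's LDAPS certificate, not at the account; a bind that succeeds but returns BaseDnFound = $false means the Search queries value is wrong; an empty DisplayName or Mail means the attribute XG is configured to read is not populated for that user.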
Step 6: Adjust the Services configuration so firewall authentication uses the AD server
Authentication -> Services
In the Firewall authentication methods section
- Tick your AD server and untick Local
- Default group: select the AD group you have added
-> Click Apply
Step 7: Configure STAS on the XG firewall
- Authentication -> STAS -> switch STAS to ON and click Activate STAS
- Once activated, click Add New Collector
- Collector IP: enter the IP of the AD server running the STAS collector -> Click Save
Step 8: Create a firewall rule that uses STAS authentication
- STAS -> click Add Firewall rule to create firewall rules that control traffic by user
Step 9: Verify users
- Log on to a domain workstation in the monitored network; the user should appear in Current activities -> Live users on the XG without having been prompted by the firewall.
Azure MFA with Sophos XG Firewall
Inspiration for this post was taken from: https://rieskaniemi.com/azure-mfa-with-sophos-xg-firewall/
Some of the things that I've seen at work is that Sophos XG VPN users are using one token for Sophos SSL VPN and another for e.g. Office 365 services. Both tokens can be in Microsoft Authenticator, but only the one that Office 365 uses can do the "pop-up" (push notification), letting the user sign in easily, like this:
Nonetheless it's easier for the IT dept. (and the user!) to maintain only one token solution 🙂
Here is the auth flow for Azure MFA with NPS Extension:
Nice isn’t it 😉
So how to fix?
We set up Sophos XG to validate SSL VPN and User Portal logins against RADIUS, and if you use the built-in OTP solution, disable it for those services so users are not asked for two tokens 🙂
To get started:
- If you do not have MFA enabled for your Office 365/Azure AD accounts, you can enable it through the following link: https://aka.ms/mfasetup
- And of course you need to have Azure AD Connect set up so your on-premises AD talks to Azure. I will not go into the details of this here, as I assume it is already set up and working 🙂
Let’s go:
- Install the Network Policy Server (NPS) role on a member server or domain controller. Referring to the Network Policy Server Best Practices, you will find this: "To optimize NPS authentication and authorization response times and minimize network traffic, install NPS on a domain controller." So we will go ahead and place this on the domain controller, but remember it's also possible to do it on a domain-joined member server!
Press "Next" and the installation begins:
- After the installation has finished, register the NPS server in Active Directory: right-click NPS (Local) -> Register server in Active Directory:
- Download and install the NPS Extension for Azure MFA here:
https://www.microsoft.com/en-us/download/details.aspx?id=54688
Note: I first tried this on a server that already had NPS set up, and the other authentication mechanisms on it failed, because of this (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#control-radius-clients-that-require-mfa):
"Control RADIUS clients that require MFA
Once you enable MFA for a RADIUS client using the NPS extension, all authentications for this client are required to perform MFA. If you want to enable MFA for some RADIUS clients but not others, you can configure two NPS servers and install the extension on only one of them.
Configure RADIUS clients that you want to require MFA to send requests to the NPS server configured with the extension, and other RADIUS clients to the NPS server not configured with the extension."
So the "workaround" is to run the MFA-enabled NPS for the Sophos on a separate NPS instance 🙂
- After it's installed, follow the configuration as stated here (find the Tenant ID and run the PowerShell script): https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#azure-active-directory
- Now configure your RADIUS client, here it's the XG:
Remember the secret, we need it later on 🙂
- Create a "Connection request policy": add a condition on Client IPv4 Address with the IP of the XG, and leave the rest of the settings at their defaults 🙂
- Now create a "Network Policy"
Add a domain group that shall have this access; to keep it simple, here I have chosen Domain Users
Now the authentication methods: XG only supports PAP as far as I have tested, so untick the EAP and MS-CHAP types and tick "Unencrypted authentication (PAP, SPAP)":
You will get a warning telling you that you have chosen unencrypted authentication, just press OK. With PAP the user's password crosses the XG-to-NPS hop protected only by the RADIUS shared-secret obfuscation, so keep that hop on a trusted internal segment (locally, not on the Internet!) and use a long, random shared secret.
Leave the rest at their defaults and save the policy.
- Now create a firewall rule so the XG can reach NPS on the RADIUS port (UDP 1812 by default):
- Now set up the XG for this, under Authentication -> Servers:
Press ADD:
Remember to choose RADIUS:
Fill in the fields to match your environment:
Type in the secret you wrote down earlier and create a host object for your NPS. Also remember to change the timeout from 3 to 15 seconds; otherwise the XG gives up before the user has approved the Authenticator push!
You can now test whether authentication through NPS and Azure MFA is working. Change Group name attribute to "SF_AUTH".
Press the TEST CONNECTION button:
Type in a user's username (e-mail address) and password, and your phone should pop up Microsoft Authenticator 🙂
You should see this soon after you accept the token:
- Now head over to the Authentication -> Services section:
Add the new RADIUS server to:
– User portal authentication methods
– SSL VPN authentication methods
Also make sure that the group your AD / RADIUS users are in is added to the SSL VPN profile:
- Now log in to the User Portal and download a VPN client (you cannot use the old ones if you already had those installed)
- Now connect through the VPN: type in your full e-mail address as username and your password, then wait for Microsoft Authenticator to pop up, accept the token, and you are logged into the VPN 🙂
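The XG "Test connection" button and the VPN login above both boil down to one RADIUS Access-Request carrying the password as a PAP User-Password attribute, followed by a wait for Access-Accept or Access-Reject while the Authenticator push is pending. The script below is an added example, not part of the original post or of Sophos or Microsoft tooling: a minimal PAP test client that sends that request to the NPS and reports the outcome, which lets you reproduce the timeout problem and the "unencrypted" warning from a workstation without touching the firewall. The NPS address 192.0.2.10, the secret 'change-me', the user name and the NAS-Identifier are hypothetical values.

```powershell
# Added example (not from the original post): minimal RADIUS PAP client for testing the
# NPS + Azure MFA NPS extension path. Hypothetical values: NPS 192.0.2.10, secret
# 'change-me', user 'user@example.com'. Requires nothing beyond .NET.

function New-RadiusAttribute {
    param([byte]$Type, [byte[]]$Value)
    # Attribute = Type (1 byte) | Length (1 byte, counts these two bytes too) | Value
    [byte[]](@($Type, [byte]($Value.Length + 2)) + $Value)
}

function Protect-PapPassword {
    param([byte[]]$Password, [byte[]]$Secret, [byte[]]$RequestAuthenticator)
    # RFC 2865 5.2: pad to a multiple of 16 bytes, then c_i = p_i XOR MD5(secret + c_(i-1))
    # with c_0 = Request Authenticator. This is keyed obfuscation, not encryption: anyone
    # with the shared secret and a capture of the packet recovers the password, which is
    # why NPS warns about PAP and why the XG-to-NPS hop must stay on a trusted network.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $blocks = [math]::Max(1, [int][math]::Ceiling($Password.Length / 16))
    $padded = New-Object byte[] ($blocks * 16)
    [Array]::Copy($Password, $padded, $Password.Length)
    $hidden = New-Object byte[] $padded.Length
    $prev = $RequestAuthenticator
    for ($i = 0; $i -lt $padded.Length; $i += 16) {
        $b = $md5.ComputeHash([byte[]]($Secret + $prev))
        for ($j = 0; $j -lt 16; $j++) { $hidden[$i + $j] = $padded[$i + $j] -bxor $b[$j] }
        $prev = [byte[]]$hidden[$i..($i + 15)]
    }
    $md5.Dispose()
    $hidden
}

function Send-RadiusPapRequest {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Secret,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Password,
        [int]$Port = 1812,
        [int]$TimeoutSeconds = 60,          # the push needs far more than XG's 3 s default
        [string]$NasIdentifier = 'xg-radius-test'
    )
    $enc = [System.Text.Encoding]::UTF8
    $secretBytes = $enc.GetBytes($Secret)
    $reqAuth = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($reqAuth)

    # User-Name (1), User-Password (2), NAS-Identifier (32)
    $attrs = [byte[]]((New-RadiusAttribute 1 ($enc.GetBytes($UserName))) +
                      (New-RadiusAttribute 2 (Protect-PapPassword ($enc.GetBytes($Password)) $secretBytes $reqAuth)) +
                      (New-RadiusAttribute 32 ($enc.GetBytes($NasIdentifier))))
    $id = Get-Random -Minimum 0 -Maximum 256
    $len = 20 + $attrs.Length
    # Header: Code 1 = Access-Request | Identifier | Length (big-endian) | Request Authenticator
    $packet = [byte[]](@(1, $id, ($len -shr 8), ($len -band 0xFF)) + $reqAuth + $attrs)

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutSeconds * 1000
    try {
        $udp.Connect($Server, $Port)
        [void]$udp.Send($packet, $packet.Length)
        $remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        $resp = $udp.Receive([ref]$remote)
    } catch [System.Net.Sockets.SocketException] {
        # No reply inside the timeout: NPS discarded the request (e.g. source IP is not a
        # registered RADIUS client, port blocked) or the user did not approve the push in time.
        return [pscustomobject]@{ Result = 'NoReply'; Authenticated = $false
                                  AuthenticatorValid = $false; ReplyMessage = $null }
    } finally { $udp.Close() }

    # Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret). A mismatch
    # means the reply was not produced with our shared secret, so an "Accept" is not trusted.
    $respAttrs = if ($resp.Length -gt 20) { [byte[]]$resp[20..($resp.Length - 1)] } else { [byte[]]@() }
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $expected = $md5.ComputeHash([byte[]]($resp[0..3] + $reqAuth + $respAttrs + $secretBytes))
    $md5.Dispose()
    $authValid = [BitConverter]::ToString($expected) -eq [BitConverter]::ToString([byte[]]$resp[4..19])

    # Pull out Reply-Message (18) if NPS included one (useful on a reject).
    $replyMsg = $null; $p = 0
    while ($p + 2 -le $respAttrs.Length) {
        $t = $respAttrs[$p]; $l = $respAttrs[$p + 1]
        if ($l -lt 2) { break }
        if ($t -eq 18) { $replyMsg = $enc.GetString($respAttrs, $p + 2, $l - 2) }
        $p += $l
    }
    $code = switch ($resp[0]) { 2 { 'Access-Accept' } 3 { 'Access-Reject' } 11 { 'Access-Challenge' }
                                default { "Code $($resp[0])" } }
    [pscustomobject]@{ Result = $code; Authenticated = ($resp[0] -eq 2 -and $authValid)
                       AuthenticatorValid = $authValid; ReplyMessage = $replyMsg }
}

# Usage (the push arrives in Microsoft Authenticator while this call waits):
# Send-RadiusPapRequest -Server 192.0.2.10 -Secret 'change-me' -UserName 'user@example.com' -Password (Read-Host 'Password')
```

Run it once with -TimeoutSeconds 3 and approve the push slowly: the call returns NoReply even though the Authenticator approval later succeeds, which is exactly what the XG does with its default timeout and why the post raises it. An Access-Challenge reply means the NPS extension is configured for a code-based method (OTP) rather than push, which the XG's RADIUS client does not complete.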