Configuring Active Directory Access

On this page of a joined Web Appliance, most of the options are unavailable because they are controlled from the Management Appliance. The main exception is Configure Active Directory settings locally, which is described below.
Important
Firewall Configuration: If you have a firewall between the appliance and your Active Directory server, you need to ensure that ports 88 and 389 are open for both TCP and UDP, and that ports 445 (raw SMB) and 139 (NetBIOS over TCP/IP) are open for TCP on that firewall in order to perform Active Directory authentication.

Requirements for an Active Directory Forest: Sophos supports the integration of an Active Directory forest with the appliance only if the following conditions apply:

  • Integrate with only a single Active Directory forest containing a single Active Directory tree.
  • The Active Directory server to which you configure access must be the root domain controller of the Active Directory forest.
  • The root domain of your Active Directory forest must have an explicit trust relationship with all subdomains within the forest. If this condition does not exist, users will be able to authenticate, but the appliance will not be able to synchronize Active Directory groups membership information, which will result in all affected users having only the default Web Appliance policy applied to them.
  • The Active Directory administrator account that you use to access the Active Directory forest must have valid credentials on all subdomains for authenticating users and accessing LDAP information.
  • In addition to the firewall configuration described above, you must ensure that port 3268 is open for both TCP and UDP between your appliance and your Active Directory server, that use of the global catalog is properly configured on your Active Directory server, that TCP access from the appliance to your Active Directory server, and that bi-directional UDP traffic between the two is allowed. Also, port 389 must be open between the appliance and all domain controllers within the Active Directory forest.
  • Ensure that the domain controllers have the global catalog enabled, including on any backup domain controllers. If you do not, problems may occur when the appliance attempts to synchronize: your users may complain about authentication pop-ups that repeatedly fail, and the subdomain groups may disappear from the Configuration > Group Policy > Default Groups page. Although this situation may resolve itself automatically in certain circumstances, it will likely recur. Enabling the global catalog on all domain controllers, including those configured as backup domain controllers on your Active Directory server, is the only complete solution for this problem.
  1. Near the top of the page, next to User authentication via Active Directory, click On.

    The three Active Directory Settings text boxes in the leftmost column become available.


    Note: On a joined Web Appliance, the On/Off button is not functional. It only shows the status as set on the Management Appliance.

  2. [Optional] On a joined Web Appliance, you can change some of the Active Directory settings to access a different domain controller by selecting the Configure Active Directory settings locally check box.

    Joined Appliance Considerations

    The setting to Configure Active Directory settings locally is only available on a joined Web Appliance. It is typically used to access a local Primary Domain Controller in a branch location instead of the main Domain Controller in the central office. The settings are similar to those required on an appliance that is not joined and are documented in steps 3 and 4. Read the remainder of this section for information about configuration differences. Once these steps are complete, you must verify and apply the settings on the joined appliance, as described in steps 5 and 6.

    When Configure Active Directory settings locally is selected, only the Username and Password text boxes are functional, allowing you to set a different Active Directory account for accessing Active Directory authentication. LDAP user data is not synchronized on a joined Web Appliance; this data is synchronized on the Management Appliance only and downloaded to the joined Web Appliances.

    Active Directory access from a joined Web Appliance is for authentication only, LDAP synchronization is only performed by the Management Appliance.

    On a joined Web Appliance with the Configure Active Directory settings locally check box selected and the Auto-detect advanced settings check box cleared, only the Primary Domain Controller and Active Directory Kerberos server text boxes are functional, allowing you to select a different Active Directory server. The server that you select must not be a child domain of the Active Directory domain, although it can be a secondary Domain Controller.


  3. Enter the Active Directory Settings required to access the server:
    • Active Directory domain: Enter the domain name of your organization's Active Directory server.
    • Username: Enter the username to access the Active Directory server.
      Important
      To connect the appliance to an Active Directory domain, you must use a pre-existing account on the Active Directory server with permissions to join a computer to the Active Directory domain and to authenticate users. Also, if you intend to access the global catalog of an Active Directory forest with a single Active Directory tree, the user account must have permissions to authenticate users in multiple subdomains. Be sure to use an Active Directory account with only the privileges that are required.
    • Password: Enter that user's password.
  4. Enter the Active Directory settings by doing one of the following:
    • Select the Auto-detect advanced settings check box (the associated text boxes are automatically filled).

      Or

    • Ensure that the Auto-detect advanced settings check box is not selected and fill in the remaining text boxes. The six additional text boxes are:
      • Primary Domain Controller: The fully qualified domain name (FQDN) of the desired Primary Domain Controller.
      • Secondary Domain Controller (Optional): A secondary domain controller in case there are problems connecting to the Primary Domain Controller. If an appliance cannot reach the primary controller it will fail over to the secondary controller. If an appliance has joined to the Secondary Controller, the Configuration > System > Active Directory page will display a Revert to Primary button. Use this to reconnect to the primary.
      • Active Directory Kerberos server: The FQDN of the desired Kerberos server. If uncertain, use the same hostname as the Domain Controller. Should be a fully qualified domain name.
        Note
        If you have configured a Secondary Domain Controller, your Active Directory Kerberos server must be the same as your Primary Domain Controller.
      • Active Directory LDAP server: The FQDN of the desired LDAP server, with the port number. If uncertain, use the same hostname as the Domain Controller, with the port number. The port number for a single Active Directory server is usually 389; for an Active Directory server designated as a global catalog server, it is 3268.

        If you enter an incorrect FQDN, the appliance will attempt to auto-detect the FQDN. If you cannot successfully connect to your Active Directory forest, disable Auto-detect advanced settings and manually change the port number for the Active Directory LDAP server to 389 to force the appliance to access the AD server as a single domain.

      • LDAP authentication DN (optional): The LDAP "Distinguished Name" that corresponds to the Username text box. If left blank, the appliance will attempt to discover the correct DN. If you are uncertain, leave this blank.
      • LDAP base DN (optional): The LDAP "folder" under which users can be found. Defaults to the whole domain. If you are uncertain, leave this blank.
      • LDAP account attribute (optional): The LDAP object attribute that contains the "login name" of a user. Defaults to 'sAMAccountName', which is the only correct value for Active Directory LDAP servers. If you are uncertain, leave this blank.
  5. Click Verify Settings.
    If you chose the Auto-detect advanced settings option, the remaining fields of the Active Directory settings are automatically filled. The appliance will first look for an Active Directory global catalog at port 3268. If it can't find that, it defaults to a single-domain Active Directory configuration using port 389.
    Note
    With Auto-detect advanced settings selected, the appliance will choose a domain controller based on the lowest ping time.

    The Detect Settings dialog box is displayed, showing the results of the connection attempt. Successful operations are indicated with a green check mark icon; failed operations are indicated with a red "x" icon. The Detecting subdomains step can also show an orange exclamation mark, which indicates that one or more trusted (child) domains could not be synchronized. To the right of the Detecting subdomains verification item is a Show details button, which you can click to view the results of attempts to connect to the subdomains of your Active Directory forest. The subdomains are listed in one of two groupings: Authentication Successful or Authentication Failed.

    If there are failed operations in the Detect Settings process, a troubleshooting message is displayed below the list of verification checks. This message links to explanatory text that will assist you in correcting the problem. If you encounter failed operations, read the troubleshooting message, then Close the Detect Settings dialog box, correct the Active Directory Settings in the left column, and click Verify Settings again.

    When all Verify Settings operations are successful, all of the required Active Directory text boxes are filled.

    Important
    If the verification of a connection to an Active Directory subdomain fails because that server is down at the time that you run the verification, bringing the server back up will not enable Active Directory synchronization with the appliance. You must have a successful Verify Settings operation for any connection to a subdomain server to enable communications between it and the appliance.
  6. Click Apply.
  7. [Optional] Click Synchronize Now to have the appliance immediately synchronize user and group information with the configured Active Directory server. This can only be done after steps 4, 5 and 6 have been completed successfully.