The Active Directory Syncronization feature on the Sophos Web Appliance fails intermittently.
Possible symptoms include:
- Intermittently users are prompted for authentication when browsing the web. If the user enters their Active Directory credentials browsing does not always proceed
- Intermittently you receive warnings regarding Active Directory syncronization
- Sometimes when you attempt to 'Verify Settings' on the 'Configuration > System > Active Directory' page this will fail. Other times it may succeed, or it may fail at differant stages.
Known to apply to the following Sophos product(s) and version(s)
Sophos Web Appliance
This issue can occur when there are incorrect entries in the DNS A record for your domain name, or for the FQDN of your Domain Controllers.
When attempting to join the domain or sync with the specified Domain Controller, the Sophos Web Appliance may use the wrong I.P. address, causing intermittent problems.
What to do
Firstly, test to confirm you are affected by the issue:
- Login to the Web Appliance
- Go to 'Configuration | Network | Network Diagnostics'
- Perform a DNS lookup of your domain name. Eg. mydomain.tld
- This DNS record should contain only valid I.P. addresses for Domain Controllers of this Domain
- Also, perform a DNS lookup on the FQDN of each Domain Controller in the directory. Eg. dc1.mydomain.tld
- This DNS record should contain only valid I.P. addresses for this Domain Controller
In addition to the above requirements, you must ensure that the following Firewall and Directory requirements are met: http://wsa.sophos.com/docs/wsa/swa_docs/ws1000/tasks/ConfigSysActiveDirectoryAccess.html
If your domain name or Domain Controller FQDN does resolve to incorrect I.P. addresses, use one of the following methods to resolve the issue.
A) Modify your DNS records so these resolve to correct I.P. addresses only. Ensure that these changes are replicated on the primary DNS server for the Sophos Web Appliance.
B) On the Web Appliance, Use the 'Hostname to address map' in 'Configuration | Network | Network Interface | Advanced''. This feature can be used to override the DNS results.
The following article describes how to correctly configure the Hostname to Address Map for Active Directory: http://esa.sophos.com/docs/wsa/swa_docs/ws1000/tasks/ConfigNetNetworkIntrfcAdvanced.html