Configure End User Portal for Authenticated User Access in Sophos UTM

  • Article ID: 115305
  • Updated: 13 Feb 2014

The Sophos User Portal can be used to give your UTM clients access to functions such as the email quarantine, personal whitelists and remote access VPN setup.

Access to the User Portal can be controlled with either local or backend authentication.

This article deals with User Portal access using Active Directory or LDAP backend authentication servers.

Applies to the following Sophos product(s) and version(s)

Sophos UTM Software Appliance

1. Preparation:

  • Determine from Windows Server the DN for the binding user and for the Base DN
  • Add a DNS entry on your Windows Domain Server

On the Astaro:

  • Define the Host IP of the server offering AD and/or LDAP services
  • Configure User Authentication with Active Directory or LDAP
  • Create a new users group for automatically-created users authenticated by AD or LDAP
  • Configure the User Portal

2. Determine from Windows Server the DN for the binding user and for the Base DN

If you pick a user with administrative rights, you will be able to configure LDAP, AD, or both. You will need the full, exact Distinguished Name (DN) for the UTM to be able to work with AD or LDAP services. To determine the notation needed, open a Command Prompt on the server running the AD services. In my case, I have a separate login, bob2, for when I want to be an administrator, so I ran the following command:

dsquery user -name b*

Among the responses was the one I was looking for:

"CN=bob2,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Ourdomain,DC=local"

Because I want to be able to use pre-existing AD groups to fine-tune the HTTP Proxy and to limit use of the Portal to select users, I’ll set the Base DN for my AD as:

"OU=MyBusiness,DC=Ourdomain,DC=local"
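The DN strings above are pasted into WebAdmin by hand, and the UTM needs them exact: dsquery prints them wrapped in double quotes, names may contain escaped commas, and the Base DN only does its job when the binding account actually sits inside it. The following added example, which is not part of this article or of Sophos' code, parses a DN according to RFC 4514, produces the unquoted form the UTM field expects, and checks that a Bind DN lies under a Base DN. The DN values it works on are the article's own example plus a constructed one with an escaped comma.

```python
"""Sanity-check DN strings before pasting them into the UTM 'Bind DN' and
'Base DN' fields (added example for this article, not Sophos code)."""
from __future__ import annotations


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 DN into (attribute, value) pairs, most specific first.
    Honours backslash escapes (e.g. 'CN=Alfson\\, Robert') and strips the
    double quotes that dsquery wraps its output in."""
    dn = dn.strip()
    if len(dn) >= 2 and dn[0] == '"' and dn[-1] == '"':
        dn = dn[1:-1]
    parts, cur, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep the escape pair intact
            cur += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":                            # an unescaped comma ends an RDN
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    parts.append(cur)
    rdns = []
    for rdn in parts:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def normalise_dn(dn: str) -> str:
    """The exact, unquoted string the UTM field expects."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn))


def _fold(rdns: list[tuple[str, str]]) -> list[tuple[str, str]]:
    # AD compares DN components case-insensitively, so fold before comparing.
    return [(a, v.lower()) for a, v in rdns]


def is_under_base(bind_dn: str, base_dn: str) -> bool:
    """True when the Base DN is a proper suffix of the Bind DN, i.e. the
    binding account itself lies inside the subtree the UTM will search."""
    bind, base = parse_dn(bind_dn), parse_dn(base_dn)
    return len(base) < len(bind) and _fold(bind[-len(base):]) == _fold(base)


if __name__ == "__main__":
    # The article's own dsquery output, quotes included.
    raw = '"CN=bob2,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Ourdomain,DC=local"'
    print("Bind DN :", normalise_dn(raw))
    for base in ("OU=MyBusiness,DC=Ourdomain,DC=local", "OU=Other,DC=Ourdomain,DC=local"):
        print(f"Base DN {base!r} contains the bind user: {is_under_base(raw, base)}")
    # Constructed name with an escaped comma, which a naive split would break.
    print(parse_dn("CN=Alfson\\, Robert,OU=Users,DC=Ourdomain,DC=local")[0])
```

If `is_under_base` returns False for the pair you intend to use, the UTM will still bind, but user lookups will be limited to the Base DN subtree, so pick the Base DN that contains the users and groups you want the UTM to see.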

3. Add a DNS entry on your Windows Domain Server

It is likely that you already have a hostname for the IP of the External interface of the Astaro; for example, mail.ourdomain.com. That same name can be made to point at the internal interface of the Astaro for users inside the firewall, which normally includes anyone who has connected via Sophos Remote Access VPN.

This assumes that internal clients query an internal DNS server before falling back to an external one on the internet. On your internal Domain Controller, make sure that your internal DNS has an entry under ‘Forward Lookup Zones’, in the ourdomain.com folder (substitute your domain name), that points the host mail (your hostname) at the IP of the internal interface of your UTM.


4. Define the Host IP of the server offering LDAP and/or AD services

It is likely that you already have created a Definition in Networks for this server. If not, go to Definitions & Users > Definitions > Networks, and click on 'New Network Definition':

  • Name: AD Server (for example)
  • Type: Host
  • Address: 10.0.0.9 (for example)
  • Interface: Any

Don’t forget to hit ‘Save’.

5. Configure User Authentication

Select the Definitions & Users > Authentication Services > Global Settings tab, check the box for ‘Create users automatically’ and hit ‘Apply’.

6. Configure User Authentication with Active Directory

Select the Definitions & Users > Authentication Services > Servers tab and click on ‘New Authentication Server’.

For ‘Backend’, select 'Active Directory'. It is likely that you will want to leave the ‘SSL’ box unchecked and the ‘Port’ unchanged at 389.

The ‘Bind DN’ is the string we captured in step 2 above (in our example):

CN=bob2,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Ourdomain,DC=local

Note: Do NOT hit the ‘Test Server Settings’ button yet! You must hit ‘Apply’ after you make any changes to the above and before you touch ‘Test Server Settings’ or your changes will be lost. First, fill in the ‘Base DN’ (in our example):

OU=MyBusiness,DC=Ourdomain,DC=local

Hit ‘Apply’, then ‘Test Server Settings’.

7. Configure User Authentication with LDAP

Select the Definitions & Users > Authentication Services > Servers tab and click on ‘New Authentication Server’.

For ‘Backend’, select ‘LDAP’. For ‘Server’, click on the file folder and drag ‘AD Server’ into the box. It is likely that you will want to leave the ‘SSL’ box unchecked and the ‘Port’ unchanged at 389. Leave the ‘User Attribute’ set to ‘CN’ (Common Name). The ‘Bind DN’ is the string we captured in step 2 above (in our example):

CN=bob2,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Ourdomain,DC=local

The ‘Base DN’ is (in our example):

OU=MyBusiness,DC=Ourdomain,DC=local

Hit ‘Apply’. You should get a message that the LDAP settings were saved successfully.
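What ‘Test Server Settings’ does in steps 6 and 7 is an LDAPv3 simple bind with the Bind DN and password you entered. The added example below, which is not part of this article or of Sophos' code, performs that same bind from any machine with Python so the DN and password can be confirmed against the AD host before they are saved in WebAdmin; it encodes the request per RFC 4511 with the standard library only. The server IP 10.0.0.9 and the DN are the article's examples, the password `secret` is a placeholder, and the two server replies it decodes offline are constructed. Because the article leaves ‘SSL’ unchecked on port 389, the bind password crosses the network in clear text, which the example makes visible; this is the reason to give the bind account no more rights than it needs and to prefer SSL on 636 where the domain controller offers it.

```python
"""Minimal LDAPv3 simple-bind check, written as an added example for this
article (not Sophos/UTM code).  Encodes the BindRequest with hand-rolled BER,
sends it, and decodes the BindResponse."""
from __future__ import annotations
import socket


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x8N prefix) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def build_bind_request(bind_dn: str, password: str, msg_id: int = 1) -> bytes:
    """LDAPMessage{ messageID, BindRequest{ version 3, name, simple password } }.
    0x60 = APPLICATION 1 (BindRequest); 0x80 = [0] simple authentication.
    The password goes on the wire as plain octets: without SSL/TLS it is
    readable by anyone on the path between the UTM and the server."""
    bind = (tlv(0x02, bytes([3]))
            + tlv(0x04, bind_dn.encode("utf-8"))
            + tlv(0x80, password.encode("utf-8")))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one BER element at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> dict:
    """Pull messageID, resultCode, matchedDN and diagnosticMessage out of a
    BindResponse (0x61 = APPLICATION 1).  resultCode 0 is success and
    49 is invalidCredentials (RFC 4511 section 4.1.9)."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = _read_tlv(msg, 0)
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(resp, 0)
    _, matched, pos = _read_tlv(resp, pos)
    _, diag, _ = _read_tlv(resp, pos)
    return {"message_id": int.from_bytes(msg_id, "big"),
            "result_code": code[0],
            "ok": code[0] == 0,
            "matched_dn": matched.decode("utf-8", "replace"),
            "diagnostic": diag.decode("utf-8", "replace")}


def check_bind(host: str, bind_dn: str, password: str,
               port: int = 389, timeout: float = 5.0) -> dict:
    """Connect, bind once and return the decoded reply.  A bind response is
    small, so a single recv() is enough for this check."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_bind_request(bind_dn, password))
        data = s.recv(4096)
    return parse_bind_response(data)


# Constructed server replies (not captured from a real domain controller):
# a successful bind, and an invalidCredentials (49) refusal.
SAMPLE_BIND_OK = bytes.fromhex("300c02010161070a010004000400")
SAMPLE_BIND_BAD = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x61,
    tlv(0x0A, b"\x31") + tlv(0x04, b"") + tlv(0x04, b"invalid credentials")))

if __name__ == "__main__":
    # Article's example DN; 'secret' is a placeholder password.
    dn = "CN=bob2,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Ourdomain,DC=local"
    req = build_bind_request(dn, "secret")
    print(f"BindRequest is {len(req)} bytes; password visible in clear: {b'secret' in req}")
    for sample in (SAMPLE_BIND_OK, SAMPLE_BIND_BAD):
        print(parse_bind_response(sample))
    # Live check against the host defined in step 4 (uncomment to run):
    # print(check_bind("10.0.0.9", dn, "secret"))
```

A result code of 49 with an AD server most often means the DN is not exact, or the password is wrong; fix that here rather than by repeated attempts in WebAdmin, where an unapplied change is lost when ‘Test Server Settings’ is pressed.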

8. Create a new users group for automatically-created users authenticated by AD or LDAP

Select the Definitions & Users > Users & Groups > Groups tab, hit ‘New group’. Name the group "Backend users" (for example).

Select ‘Group type’ ‘Backend membership’. For the ‘Backend’, select ‘LDAP’ or ‘Active Directory’ as appropriate.

If you want to limit the mail users who can access the Sophos User Portal, check ‘Limit to backend group(s) membership’ and indicate which group(s) should have a personal whitelist and access to it.

Hit 'Save'.

9. Configure the User Portal

From Management > User Portal > Global, click on the folder beside ‘Allowed networks’ then drag ‘Any’ into the box. You may want to restrict this more, but it’s likely you will have people both inside and outside your firewall who will want to access the User Portal.

Select whether you want to allow all users or only a select group or individuals, and hit ‘Apply’.

On the ‘Advanced’ tab, in the ‘Network Settings’ area, put mail.ourdomain.com (your subdomain.domain), leave 443 as the standard ‘HTTPS port’ (see note 1 below) and hit ‘Apply’.

Your AD/LDAP users can now use the portal at https://mail.ourdomain.com/.

Note 1: Beginning with V7, Sophos moved WebAdmin access from port 443 to 4444 because many sites DNAT https traffic to an internal server. Our standard approach has been to create an additional IP on the External interface when we wanted to do things like offering Outlook Web Access via https. If it’s impractical for you to do this, then you’ll need to change the port. For example, change it to 1443 and use https://mail.ourdomain.com:1443/.


Attribution:

This article was submitted by Robert H. Alfson (Bob), MediaSoft Inc.

If you need more information or guidance, then please contact technical support.
