Sophos Email Appliance: Active Directory support
This article describes how to configure access to your Active Directory server, so that the Sophos Email Appliance can use your Active Directory data. The Appliance can use this data for end-user authentication, to apply mail filtering policies to Active Directory user groups, and to use Active Directory email aliasing.
This article describes how to:
- detect and configure Active Directory settings in the Appliance
- manage Active Directory user groups in the Appliance.
To detect and configure Active Directory settings
From the Configuration page, select System|Active Directory.
You can configure Active Directory integration automatically or manually.
To automatically detect and configure Active Directory settings
- Click 'Detect Settings'. The 'Detect Settings' dialog box is displayed.
- In the displayed fields, enter the information required to access the server:
- Server: enter the hostname or IP address of your organization's Active Directory server.
- Username: enter the username required to access the Active Directory server.
- Password: enter that user's password.
- Click 'OK' to poll the Active Directory server for the settings information. If successful, the Appliance will:
- connect to the server
- detect the Active Directory settings
- display the message "Detect settings complete".
- In the 'Detect Settings' dialog box, click 'OK'.
The dialog box closes and the Active Directory settings text boxes are filled with the required information.
- Set the synchronization interval from the dropdown menu.
If new users are added in Active Directory and Active Directory server access has been configured in this page, then mail for the new users will be rejected until a synchronization has been done. It is therefore advised that you set the synchronization interval to a short time period, such as one hour, to minimize unwanted message rejections.
- Use the 'Enable recipient validation via Active Directory' check box to set whether you want to use this feature. If selected, the ES4000's mail transfer agent (MTA) uses Active Directory queries to determine if messages are addressed to valid recipients. If this option is not selected, the MTA uses SMTP recipient validation, whereby the MTA connects to the internal mail server to confirm that an address exists.
- Click 'Apply' to commit configured options, or click 'Cancel' to discard any changes.
If the auto-detect settings operation fails, complete the additional steps described below.
- Review the information in the Active Directory settings text boxes to ensure that those are the settings that you want to use. If not, override them by entering the information that you prefer, and then click 'Verify Settings'.
- The 'Verify Settings' dialog box is displayed and shows the results of each verification step. If the verification is successful, click 'OK' in the dialog box to close it. If the verification fails, correct your information and retry the verification.
- Set the synchronization interval, configure recipient validation and click 'Apply', as in the last three steps of the automatic procedure above.
To manually detect and configure the Active Directory settings
- Enter the required information in the Active Directory settings text boxes:
- Active Directory server: the fully qualified hostname of the server used for Active Directory lookups.
- Password: the password required for Active Directory lookups.
- DN to authenticate: the distinguished name (DN) used to connect to the Active Directory server. It is used to query the DN of the user the system is attempting to authenticate.
- Active Directory port: the port number of the server used for Active Directory lookups. If the Active Directory global catalog (GC) is used, the port is 3268. Otherwise, the default port is 389.
- Email attribute: the object attribute for email addresses in Active Directory. The default is "mail".
- Email alias attribute: the object attribute for proxy addresses in Active Directory. The default is "proxyAddresses".
- Base DN for users/groups: the top Active Directory node from which searches are performed.
- Account attribute: the Active Directory object attribute that is queried when logging into the 'End-User Web Interface'. The default is "sAMAccountName".
- Group name attribute: the Active Directory object attribute that is queried when configuring a policy rule with specific group names. The default is "name".
- Click 'Verify Settings'.
The 'Verify Settings' dialog box is displayed and shows the results of each verification step. If the verification is successful, click 'OK' in the dialog box to close it. If the verification fails, correct your information and retry the verification.
- Set the synchronization interval from the dropdown menu.
- Use the 'Enable recipient validation via Active Directory' check box to set whether you want to use this feature. If selected, the ES4000's mail transfer agent (MTA) uses Active Directory queries to determine if messages are addressed to valid recipients. If this option is not selected, the MTA uses SMTP recipient validation, whereby the MTA connects to the internal mail server to confirm that an address exists.
- Click 'Apply' to commit configured options, or click 'Cancel' to discard any changes.
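To check a set of manual settings from a Windows admin host before clicking 'Verify Settings', the following added PowerShell script (not from the Sophos article or the Appliance itself) performs the same LDAP lookups the Appliance relies on: a simple bind with the DN to authenticate, a recipient-validation search over the email and alias attributes, and a group lookup by the group name attribute. The server name, DNs, address and group name are placeholders to replace with your own values.

```powershell
# Added example, not code from the Sophos article: reproduce the Appliance's
# Active Directory lookups from a Windows admin host to check the settings
# before entering them. Server names, DNs and addresses are placeholders.
$Server = 'dc01.example.local'   # Active Directory server (placeholder)
$Port   = 389                    # 3268 if the global catalog is used
$BindDn = 'CN=es-ldap,OU=Service Accounts,DC=example,DC=local'  # DN to authenticate
$BaseDn = 'DC=example,DC=local'  # Base DN for users/groups
$Password = (Get-Credential -UserName $BindDn -Message 'Bind DN password').GetNetworkCredential().Password

# Attribute names exactly as configured on the Appliance (the article's defaults)
$MailAttr = 'mail'; $AliasAttr = 'proxyAddresses'
$AccountAttr = 'sAMAccountName'; $GroupAttr = 'name'

# Simple bind with the DN, as the Appliance does. AuthenticationTypes::None is a
# plain LDAP simple bind: on port 389 the password crosses the network in clear,
# so run this from a trusted management host (or use LDAPS on 636).
$root = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://${Server}:${Port}/${BaseDn}", $BindDn, $Password,
    [System.DirectoryServices.AuthenticationTypes]::None)
try { $root.RefreshCache() } catch { throw "Bind to ${Server}:${Port} as $BindDn failed: $_" }
"Bind OK, base DN reachable: $BaseDn"

# Escape the characters RFC 4515 reserves in filter values (addresses are untrusted input)
function ConvertTo-LdapFilterValue([string]$v) {
    $v -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
}

function Find-AdObjects([string]$Filter, [string[]]$Attrs) {
    $s = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter, $Attrs)
    $s.PageSize = 500
    $s.FindAll()
}

# Recipient validation: accept mail for $Address only if it is a user's 'mail'
# value or one of its 'proxyAddresses' entries (stored with an 'smtp:' prefix).
function Test-Recipient([string]$Address) {
    $a = ConvertTo-LdapFilterValue $Address
    $f = "(&(objectClass=user)(|($MailAttr=$a)($AliasAttr=smtp:$a)))"
    (Find-AdObjects $f @($AccountAttr, $MailAttr, $AliasAttr)).Count -gt 0
}

# Policy rules name groups by the group name attribute; exactly one match expected
function Test-AdGroup([string]$GroupName) {
    $f = "(&(objectClass=group)($GroupAttr=$(ConvertTo-LdapFilterValue $GroupName)))"
    (Find-AdObjects $f @($GroupAttr)).Count -eq 1
}

Test-Recipient 'alice@example.com'   # placeholder address
Test-AdGroup 'Finance'               # placeholder group name
```

If the bind succeeds here but 'Verify Settings' still fails on the Appliance, compare the port and base DN the script used with the values typed into the text boxes, since those are the two settings most often mistyped.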
To manage Active Directory user groups in the Appliance
From the Configuration page, select Accounts|User Groups.
To add Active Directory groups
- In the 'Select groups from Active Directory' table, click 'Add'. The Active Directory dialog box is displayed.
- In the 'Available Groups' list, select the group(s) that you want to add, and click the right arrow button. (Use CTRL-click to select more than one group, or SHIFT-click to select a range of groups.)
The groups are added to the 'Selected Groups' list.
- To remove groups from the 'Selected Groups' list, select the group(s), and click the left arrow button.
- Click 'OK' to save your changes, or click 'Cancel' to abandon the operation without making any changes.
To remove Active Directory groups
In the 'Select groups from Active Directory' table, select the check box beside the group that you want to remove, and click 'Delete'.
Using Alias support
- When 'Alias support from Active Directory' is enabled, 'Enabled' appears in bold and a 'Disabled' button is displayed. Click 'Disabled' to quit using alias support from Active Directory.
- When 'Alias support from Active Directory' is not enabled, 'Disabled' appears in bold and an 'Enabled' button is displayed. Click 'Enabled' to use alias support from Active Directory.
You also have the option of managing groups manually. For more information, refer to the Appliance Help.
If you need more information or guidance, then please contact technical support.
- Article ID: 14388
- Created: 30 Jan 2006
- Last updated: 5 Aug 2011