Set up synchronization with Active Directory

Follow these instructions to set up synchronization with Active Directory.

Introduction

Before you can set up synchronization, you need .NET Framework 4.5.2 on the computer where you'll run Active Directory Synchronization Setup.

Warning Before you proceed, make sure all your active directory users are set up correctly with an email address. Users without an email address aren't protected, and email going to an email address not associated with a user isn't delivered.

You need to use Sophos API credentials to synchronize with Active Directory. You need to set these up before you can set up synchronization with Active Directory or change your existing configuration, or sync with Active Directory, see API credentials.

Note You can use your Sophos sign-in credentials to sign in to Active Directory Synchronization Setup and review your existing configuration.
Restriction Some features might not be available for all customers yet.

To set up synchronization with Active Directory, you need to do as follows:

  1. Download Active Directory Synchronization Setup and validate your credentials.
  2. Enter your Active Directory configuration.
  3. Set up your synchronization options.
  4. Synchronize Active Directory.

Validate your credentials

You need to download Active Directory Synchronization Setup and validate your API credentials before setting up Active Directory synchronization. You also need to validate your proxy server settings if you're using a proxy.

To validate your credentials, do as follows:

  1. Click Settings > Active Directory Sync, and click the link to download Active Directory Synchronization Setup. Then run it.
    Active Directory Synchronization Setup starts.
  2. Enter your Client ID and Client Secret and click Validate credentials.
    Note You can't set up Active Directory synchronization if you don't enter and validate your API credentials.
  3. Turn on Configure proxy manually if you want to use a proxy, and enter your Proxy address.
  4. If you're using a proxy, you can turn on additional authentication. Turn on Enable proxy authentication and enter the following information.
    • Proxy user
    • Proxy password
  5. Click Validate credentials to check your proxy settings.

Enter your Active Directory configuration

To enter your configuration, do as follows:

  1. On the AD Configuration page, enter the details for your Active Directory LDAP server and credentials.

    You need to use the credentials for a user account that has read access to the entire Active Directory forest you want to synchronize. To stay secure, use an account with limited rights.

    We recommend using a secure LDAP connection, encrypted using SSL, and leaving Use LDAP over an SSL connection (recommended) turned on.

  2. If your LDAP environment doesn't support SSL, turn off Use LDAP over an SSL connection (recommended) and change the port number. The port number is usually 636 for SSL connections and 389 for insecure connections.

Set up your synchronization options

To set up the options for your synchronization, do as follows:

  1. Click Next and set up your synchronization using the remaining tabs. You can click Finish on any of the tabs if you've finished setting up.
  2. On the AD Filters tab, specify which domains to include in the synchronization. You can enter additional search options (search bases and LDAP query filters) for each domain. You can also specify different options for users and user groups.
    Note Synchronization only creates groups with discovered users or devices, regardless of group filter settings.
    OptionDescription

    Search bases

    You can specify search bases (also called “base distinguished names”). For example, if you want to filter by Organizational Units (OUs), you can specify a search base in this format:

    OU=Finance,DC=myCompany,DC=com

    LDAP query filters

    To filter users, for example by group membership, you can define a user query filter in this format:

    memberOf=CN=testGroup, DC=myCompany, DC=com

    This query limits user discovery to users belonging to “testGroup”. Note that synchronization discovers all groups to which these discovered users belong if you don't specify a group query filter. If you also want group discovery to be limited to “testGroup”, you can define the following group query filter:

    CN=testGroup

    Exclude disabled user accounts

    By default, synchronization excludes disabled user accounts. To include them, turn off this option.

    Note If you include base distinguished names in your search options or change your filter settings, some of the Sophos Central users and groups created during previous synchronizations might fall outside the search scope and are deleted from Sophos Central.
  3. On the Sync Schedule tab, define the times at which synchronization happens.
    Note A background service performs a scheduled synchronization.
  4. If you want to synchronize manually and don't want the synchronization to run automatically, click Never. Only sync when manually initiated.

Synchronize Active Directory

We recommend you manually sync with Active Directory when you set up synchronization or make changes to your settings. This means you can check the changes that will be made during the synchronization.

To synchronize, do as follows:

  1. Click Preview and Sync.
  2. Review the changes that will be made during synchronization. If you're happy with the changes, click Approve Changes and Continue.
    The Active Directory users and groups are imported from Active Directory to Sophos Central