Group membership behavior with Active Directory

When you integrate Active Directory with XG Firewall and import the AD groups, XG Firewall lists the groups based on the group import order from Active Directory.

Overview

When a user belongs to more than one Active Directory group, XG Firewall applies some policies based only on the user's mapped group. For other rules and policies, it evaluates the user's group memberships in order until it finds a match; if no group matches, it will have evaluated all the user's groups. For more details, see How XG Firewall applies rules and policies to groups below.

How groups are imported from Active Directory

Importing groups: XG Firewall imports all the groups except the primary group from Active Directory. Active Directory doesn't include the primary group in the user's and the group's membership attributes, so it doesn't report the default (Domain Users) or a custom (for example, Group A) primary group to XG Firewall.

In Active Directory, don't set a group to which you want to apply rules and policies as a user's primary group.

Adding users: Users aren't imported when you import the groups. XG Firewall adds each user when it authenticates them for the first time. It then adds the user to the groups the user belongs to. For more information about how XG Firewall works out which groups a user belongs to, see the following section: How XG Firewall determines users' group membership.

Default group: If no AD-assigned group exists on XG Firewall for a user, the firewall assigns the user to the default group (Open group). You can select a different default group on Authentication > Services under Firewall authentication methods.

How XG Firewall determines users' group membership

Group order: XG Firewall lists groups in the order in which you've imported them from Active Directory. You can also create groups manually on XG Firewall. To change the groups' order, go to Authentication > Groups and click Reorder.

User's groups: Each time XG Firewall authenticates a user, it gets the user's group list from Active Directory. It looks for a match between the user's AD groups (in the AD group order) and the XG Firewall groups (in the XG Firewall group order). The first matching group becomes the user's mapped group. The others become the user's Other group memberships. If XG Firewall doesn't find any matching group, it adds the user to the default group.

To see the mapped group and the other groups to which the user belongs, go to Authentication > Users. The mapped group is automatically selected under Group. All policies and the remote access SSL VPN policy of the mapped group are automatically shown on this page. You can select a different mapped group, and you can select different policies if you want.

How XG Firewall applies rules and policies to groups

To apply some rules and policies, XG Firewall evaluates the groups to which a user belongs until it finds a matching group for the rule or policy. It evaluates the groups in the order shown on the list.

It applies some policies only to the user's mapped group.

Rules and policies for which XG Firewall evaluates the user's groups in order until it finds a match are as follows:

  • Rules
    • Firewall rules, including IPS and application control policies assigned to the firewall rule.
    • WAF rules
    • NAT rules
    • SSL/TLS inspection rules
  • VPN policies
    • Remote access SSL VPN
    • Clientless SSL VPN
  • Other policies
    • SD-WAN routes
    • Web filter policies
    • Policy tester

Policies applied only to the mapped group are as follows:

  • Hotspots
  • VPN policies
    • Remote access IPsec VPN
    • L2TP
    • PPTP

Configure Active Directory with XG Firewall

To configure Active Directory with XG Firewall, do as follows:

  1. Integrate XG Firewall with Active Directory.
  2. Import Active Directory groups to XG Firewall.

    In this example, we've imported three groups: Group A, Group B, and Group C. As shown in the image below, Group A is the first in the list of imported groups.

    Active Directory groups imported into Sophos Firewall

    When you import groups into XG Firewall, users that belong to these groups aren't imported instantly. Each user is imported the first time they authenticate with XG Firewall.

  3. Create a firewall rule to control internet access for your recently imported groups (Group A, Group B, and Group C).

    See the example firewall rule below.

    Firewall rule for recently imported groups

Check which group a user is mapped to if their primary group is Domain Users

Verify the user's group settings on the Active Directory server, then verify the user's group in XG Firewall.
Note: The steps you take differ depending on your operating system or operating system version.

  1. In Windows, open Administrative Tools.
  2. Right-click the user, select Properties and go to Member Of.

    The user belongs to Group A, Group B, Group C, and the primary group is Domain Users.

    User properties tab in Active Directory

  3. Ask the user to sign in to the captive portal.

    Captive portal sign-in page

    Once the user is successfully authenticated, they're imported into XG Firewall and mapped to the first group on the list, which is Group A.

  4. On XG Firewall, go to Authentication > Users and verify the user's group.

    Authentication group on XG Firewall

Check which group a user is mapped to if their primary group isn't Domain Users

If the primary group in Active Directory is a custom group (for example, Group A), XG Firewall shows the next group on the list to which the user belongs (for example, Group B) rather than the primary group (Group A).

In this example, you change the user's primary group on the Active Directory server, then verify the user's group on XG Firewall.

Note: The steps you take differ depending on your operating system.

  1. In Windows, open Administrative Tools.
  2. Right-click the required user, select Properties and go to Member Of.
  3. Change the primary group to Group A.

    The user's primary group is now Group A.

    User properties tab in Active Directory

  4. Ask the user to sign in to the captive portal.

    Captive portal sign-in page

    Once the user is authenticated, they're imported into XG Firewall and mapped to Group B rather than Group A: Active Directory doesn't send the user's primary group (Group A) to XG Firewall, and Group B is the next group in the list defined on XG Firewall to which the user belongs.

  5. On XG Firewall, go to Authentication > Users and check the user's group.

    Authentication group on XG Firewall
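As an added example that is not part of the Sophos documentation, the following Python script models the mapping rules described in How XG Firewall determines users' group membership and in the two walkthroughs above: the primary group is dropped from what the firewall sees, the first match in XG Firewall's group order becomes the mapped group, ordered evaluation (firewall rules) differs from mapped-group-only policies (hotspots, IPsec), and an audit helper flags users whose primary group is targeted by a rule. The users, the IPsec policy and the Finance group are constructed for the example.

```python
from dataclasses import dataclass

DEFAULT_GROUP = "Open group"  # XG Firewall's default group from this page


@dataclass
class AdUser:
    name: str
    primary_group: str   # primary group shown on the AD Member Of tab
    member_of: list      # every group shown on the AD Member Of tab


def groups_seen_by_firewall(user):
    """AD doesn't report the primary group, so XG Firewall never sees it."""
    return [g for g in user.member_of if g != user.primary_group]


def map_user(user, xg_order):
    """(mapped group, other memberships), following XG Firewall's group order."""
    matches = [g for g in xg_order if g in groups_seen_by_firewall(user)]
    if not matches:
        return DEFAULT_GROUP, []
    return matches[0], matches[1:]


def ordered_match(user, xg_order, target_groups):
    """Firewall/NAT/WAF/SSL-TLS rules, SSL VPN, web filter: first of the
    user's groups, in list order, that the rule or policy targets."""
    mapped, others = map_user(user, xg_order)
    return next((g for g in [mapped] + others if g in target_groups), None)


def mapped_only_match(user, xg_order, target_groups):
    """Hotspots, IPsec, L2TP, PPTP: only the mapped group is considered."""
    mapped, _ = map_user(user, xg_order)
    return mapped if mapped in target_groups else None


def primary_group_pitfalls(users, target_groups):
    """Audit: users whose AD primary group is targeted by a rule or policy
    can never match it on XG Firewall through that group."""
    return [u.name for u in users if u.primary_group in target_groups]


XG_ORDER = ["Group A", "Group B", "Group C"]      # import order from step 2
RULE_GROUPS = {"Group A", "Group B", "Group C"}   # firewall rule from step 3
IPSEC_GROUPS = {"Group C"}                        # constructed IPsec policy

# Constructed users: alice matches the first walkthrough, bob the second.
alice = AdUser("alice", "Domain Users", ["Group A", "Group B", "Group C"])
bob = AdUser("bob", "Group A", ["Group A", "Group B", "Group C"])
carol = AdUser("carol", "Domain Users", ["Finance"])  # no XG group matches

if __name__ == "__main__":
    for u in (alice, bob, carol):
        print(u.name, map_user(u, XG_ORDER), ordered_match(u, XG_ORDER, RULE_GROUPS), mapped_only_match(u, XG_ORDER, IPSEC_GROUPS))
    print("primary-group pitfalls:", primary_group_pitfalls([alice, bob, carol], RULE_GROUPS))
```

Running it shows bob mapped to Group B although his Member Of tab lists Group A first, and that an IPsec policy on Group C reaches him only through ordered evaluation, never as a mapped-group-only policy.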