Synchronized user ID authentication

Synchronized user ID authentication uses the Security Heartbeat to provide user authentication for endpoint users.

Synchronized user ID works with Active Directory (AD) configured as an authentication server in XG Firewall, and is currently supported for Windows 7 and Windows 10. No agents are required on the server or clients, nor does it share or use any password information. Synchronized user ID doesn't work with other directory services, and it doesn't recognize local users. Synchronized user ID shares domain user account information from the endpoint device the user is signed in to with XG Firewall via Security Heartbeat. XG Firewall then checks the user account against the configured AD server and activates the user.

Sophos Endpoint Protection passes Windows sign-in information to XG Firewall. XG Firewall uses this information to authenticate against AD, and that authentication is used to trigger user-based policies and general user authentication on the firewall.

The XG Firewall synchronized user identity authentication process is as follows:

  1. Users sign in to Windows using their domain credentials, username, password, and domain name.
  2. The XG Firewall heartbeat daemon receives the client's heartbeat status along with the domain name and username. The domain is taken from the User Principal Name (UPN) of the user's AD record, and the username is taken from the sAMAccountName.
  3. XG Firewall then identifies, based on the domain, which configured AD server serves this sign-in request, and looks for the matching username in the XG Firewall user database.
  4. XG Firewall heartbeat forwards the user sign-in request to the Active Directory server.
  5. The signed-in user is displayed on the live user page.

If an endpoint heartbeat is lost or missing, the heartbeat daemon signs the user out of the firewall as a synchronized user ID user. Other endpoint authentication mechanisms may still apply.
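The following is an added, illustrative model of the matching logic in steps 2 to 5 and of the sign-out on a lost heartbeat; it is not Sophos code and does not reflect how the heartbeat daemon is actually implemented. It assumes a heartbeat message carrying the UPN and sAMAccountName, a list of AD servers each with the domain configured on the firewall, a firewall user database keyed by (domain, sAMAccountName), and an assumed 90-second heartbeat timeout. The exact-match domain check models the condition that the UPN domain must exactly match the domain configured for the AD server; forwarding the request to the AD server is modelled as succeeding.

```python
"""Illustrative model of synchronized user ID matching (added example, not Sophos code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ADServer:
    name: str
    domain: str  # domain configured for this AD server on the firewall (assumed field)


@dataclass
class Heartbeat:
    endpoint_ip: str
    upn: str               # User Principal Name from the AD record, e.g. "alice@corp.example.com"
    sam_account_name: str  # sAMAccountName from the AD record
    received_at: float     # monotonic seconds when the heartbeat arrived


HEARTBEAT_TIMEOUT = 90.0  # seconds; assumed value, not a documented setting


def domain_from_upn(upn: str) -> Optional[str]:
    """Return the domain part of a UPN, or None if it is not of the form user@domain."""
    if upn.count("@") != 1:
        return None
    user, domain = upn.split("@")
    if not user or not domain:
        return None
    return domain


def select_ad_server(domain: str, servers: List[ADServer]) -> Optional[ADServer]:
    """Pick the AD server whose configured domain exactly matches the UPN domain.

    Exact string comparison is deliberate: the page states the UPN domain must
    exactly match the configured domain, so a case mismatch is treated as no match.
    """
    for server in servers:
        if server.domain == domain:
            return server
    return None


class SyncUserIdState:
    """Tracks live synchronized user ID users per endpoint (assumed structure)."""

    def __init__(self, servers: List[ADServer], user_db: Set[Tuple[str, str]]):
        self.servers = servers
        # Only (domain, sAMAccountName) pairs exist here, so local users without a
        # domain can never be matched, consistent with the page.
        self.user_db = user_db
        self.live_users: Dict[str, Tuple[str, str, float]] = {}

    def handle_heartbeat(self, hb: Heartbeat) -> str:
        domain = domain_from_upn(hb.upn)
        if domain is None:
            return "rejected: malformed UPN"
        server = select_ad_server(domain, self.servers)
        if server is None:
            return f"rejected: no AD server configured for domain {domain}"
        if (domain, hb.sam_account_name) not in self.user_db:
            return "rejected: unknown user"
        # Step 4 (forward the sign-in request to the AD server) is modelled as successful.
        self.live_users[hb.endpoint_ip] = (hb.sam_account_name, domain, hb.received_at)
        return f"signed in: {hb.sam_account_name}@{domain} via {server.name}"

    def expire(self, now: float) -> List[str]:
        """Sign out users whose heartbeat has been missing longer than the timeout."""
        expired = [ip for ip, (_, _, seen) in self.live_users.items()
                   if now - seen > HEARTBEAT_TIMEOUT]
        for ip in expired:
            del self.live_users[ip]
        return expired


if __name__ == "__main__":
    # Constructed sample data.
    state = SyncUserIdState([ADServer("dc1", "corp.example.com")],
                            {("corp.example.com", "alice")})
    print(state.handle_heartbeat(Heartbeat("10.0.0.5", "alice@corp.example.com", "alice", 1000.0)))
    print(state.handle_heartbeat(Heartbeat("10.0.0.6", "alice@CORP.example.com", "alice", 1000.0)))
    print(state.expire(1100.0))
```

The second heartbeat in the usage block is rejected only because of the case difference in the domain, which is the failure mode the last condition below is there to prevent.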

For synchronized user ID authentication to work, the following conditions must be met:

  • A Sophos Central account must be linked to XG Firewall.
  • XG Firewall must be connected to the domain controller for AD authentication.
  • The users in the Sophos Central account must have matching profiles. For example, in Sophos Central Admin, the user profile must contain the same email address that is used on XG Firewall and in AD.
  • For the local users on XG Firewall, use the same email address as defined in the Sophos Central account.
  • In AD, the domain part of the UPN must exactly match the domain configured for your AD server in XG Firewall.