Group membership behavior with Active Directory

This topic explains the group membership behavior in Sophos Firewall when you integrate Active Directory with Sophos Firewall and you've imported Active Directory groups to Sophos Firewall.

Overview

This section explains how group membership works when you integrate Active Directory with Sophos Firewall and import groups.

When a user belongs to multiple groups in Active Directory, Sophos Firewall maps the user to only one group, based on the order of the imported group list: it searches the list from the top down, and the first group that matches is assigned to the user and its policies are applied. This group is the user's Sophos Firewall primary group.

Every user must belong to a group. If a user doesn't belong to any imported group, Sophos Firewall assigns them to the default group. You can see the default group under the firewall authentication methods section when you go to Authentication > Services.

In Active Directory, the default primary group for a user is Domain Users. Active Directory primary groups aren't synced with Sophos Firewall because Active Directory doesn't send the primary group. If you change a user's primary group, the user's group membership in Sophos Firewall changes as described below.

How Sophos Firewall manages the groups it imports from Active Directory

Sophos Firewall attaches a user to all imported groups, but it can't show the administrator all the user-to-group attachments. The groups are shown as empty on the web admin console, but the attachments are recorded in the database in the background.

Some modules only work with the Sophos Firewall primary group, and some modules work with all backend groups.

Common modules that support all backend groups are as follows:

  • Firewall policies
  • TLS Policies
  • Web Filter policies
  • SSL Remote access VPN
  • Policy tester

Common modules that support only the Sophos Firewall primary group are as follows:

  • Hotspot
  • WAF
  • IPsec Remote access

Configure Active Directory with Sophos Firewall

To configure Active Directory with Sophos Firewall, do as follows:

  1. Integrate Sophos Firewall with Active Directory. See Configure Active Directory authentication.
  2. Import Active Directory groups to Sophos Firewall. See Configure Active Directory authentication.

    In this example we've imported three groups: Group A, Group B, and Group C. As shown in the image below, Group A is the first in the list of imported groups.

    Active Directory groups imported into Sophos Firewall

    When you import groups into Sophos Firewall, users that belong to these groups aren't imported instantly. Each user is imported the first time they authenticate with Sophos Firewall.

  3. Create a firewall rule to control internet access for your recently imported groups (Group A, Group B, and Group C). See Add a firewall rule.

    See the example firewall rule below.

    Firewall rule for recently imported groups

Check which group a user is mapped to if their primary group is Domain Users

Verify the user's group settings on the Active Directory server, then verify the user's group in Sophos Firewall.

Note: The steps you take differ depending on your operating system or operating system version.
  1. In Windows, open Administrative Tools.
  2. Right-click the user, select Properties, and go to the Member Of tab.

    The user belongs to Group A, Group B, and Group C, and their primary group is Domain Users.

    User properties tab in Active Directory
  3. Ask the user to sign in to the captive portal.

    Captive portal sign-in page

    Once the user is successfully authenticated, they're imported into Sophos Firewall and mapped to the first group in the list, which is Group A.

  4. On Sophos Firewall, go to Authentication > Users and verify the user's group.

    Authentication group on Sophos Firewall

Check which group a user is mapped to if their primary group isn't Domain Users

If the primary group is a named group in Active Directory (for example, Group A), Sophos Firewall won't map the user to that group but to the next matching group in the list (for example, Group B).

In this example, you change the user's primary group on the Active Directory server, then verify the user's group in Sophos Firewall.

Note: The steps you take differ depending on your operating system.
  1. In Windows, open Administrative Tools.
  2. Right-click the required user, select Properties, and go to the Member Of tab.
  3. Change the primary group to Group A.

    The user's primary group is now Group A.

    User properties tab in Active Directory
  4. Ask the user to sign in to the captive portal.

    Captive portal sign-in page

    Once the user is successfully authenticated, they're imported into Sophos Firewall and mapped to Group B. Active Directory doesn't send information to Sophos Firewall about the user's primary group (Group A), so the user is mapped to Group B because it's the next matching group in the list defined in Sophos Firewall.

  5. On Sophos Firewall, go to Authentication > Users and check the user's group.

    Authentication group on Sophos Firewall
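The following model reproduces the top-down mapping from both walk-throughs above (Domain Users primary group mapped to Group A, Group A primary group mapped to Group B) and the default-group fallback. It's an added example, not Sophos code: the user records, group names and the default group name are constructed, and the model relies on the fact that Active Directory reports a user's primary group only in primaryGroupID, not in the memberOf list the firewall receives.

```python
"""Model of Sophos Firewall's top-down group mapping for Active Directory users.

Added example, not Sophos code. Group names, user records and the default
group name below are constructed for illustration.
"""
from dataclasses import dataclass, field

DOMAIN_USERS = "Domain Users"


@dataclass
class AdUser:
    name: str
    # All groups the user belongs to in AD, including the primary group.
    groups: list[str] = field(default_factory=list)
    # The group stored in primaryGroupID; Domain Users by default.
    primary_group: str = DOMAIN_USERS


def groups_sent_to_firewall(user: AdUser) -> list[str]:
    """AD's memberOf attribute omits the primary group (it lives only in
    primaryGroupID), so the firewall never learns about that membership."""
    return [g for g in user.groups if g != user.primary_group]


def sophos_primary_group(user: AdUser, imported_groups: list[str],
                         default_group: str) -> str:
    """Top-down search of the imported group list; the first match becomes the
    user's Sophos Firewall primary group, otherwise the default group applies."""
    sent = set(groups_sent_to_firewall(user))
    for group in imported_groups:  # order as shown on the web admin console
        if group in sent:
            return group
    return default_group


def find_shadowed_primary_groups(users: list[AdUser],
                                 imported_groups: list[str]) -> list[str]:
    """Audit check: users whose AD primary group is an imported group are
    silently mapped past that group, so its policies never apply to them."""
    return [u.name for u in users if u.primary_group in imported_groups]


if __name__ == "__main__":
    imported = ["Group A", "Group B", "Group C"]      # constructed import order
    alice = AdUser("alice", [DOMAIN_USERS, "Group A", "Group B", "Group C"])
    bob = AdUser("bob", [DOMAIN_USERS, "Group A", "Group B", "Group C"],
                 primary_group="Group A")
    for u in (alice, bob):
        print(u.name, "->", sophos_primary_group(u, imported, "Default-Group"))
    print("shadowed:", find_shadowed_primary_groups([alice, bob], imported))
```

Run the audit function against your own user list before changing anyone's primary group, because a user whose primary group is an imported group receives the policies of the next group down, not the one an administrator would expect.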