Skip to content

Web authentication

You can use Active Directory SSO or the captive portal to authenticate users. Users will then appear in logging and reporting and will be used as matching criteria in firewall rules and web policies.

Active Directory single sign-on (SSO) attempts to silently authenticate users signed in to endpoint devices with Sophos Firewall without user interaction.

The captive portal is a web page that requires users behind the firewall to authenticate when attempting to access a website. You can also define the behavior and layout of the captive portal.

Captive portal URL: https://<IP address of Sophos Firewall>:8090

After authenticating with the captive portal, Sophos Firewall allows users to proceed to their requested destination or redirects them to a URL that you specify.

To view authenticated users, go to Current activities > Live users.

Authorize unauthenticated users for web access

The settings that you specify here are implemented based on the firewall rules and the web policies for unknown users and authenticated users and user groups.

Firewall rule setting: Use web authentication for unknown users Behavior
On For unauthenticated web requests that match the firewall rule, the users will be authenticated.
Off Unauthenticated requests are allowed. If the requests are blocked due to the web policy, users will be authenticated.
Reason for authentication AD SSO configured Behavior
Firewall rule applies. Yes When unauthenticated web requests are made, AD SSO attempts to silently authenticate users signed in to endpoint devices. If authentication fails, requests are redirected to the captive portal. Once the users are authenticated, the page is reloaded and the users’ web policy is re-evaluated.
A web policy specified for unknown users or groups applies and is set to Block. Yes
Firewall rule applies. No When unauthenticated web requests are made, the requests are redirected to the captive portal.
Web policy for unknown users or groups is set to Block. No When unauthenticated web requests are blocked, a block page is displayed. You can show the captive portal link on the block page.

Sophos Firewall supports two AD SSO mechanisms, NTLM and Kerberos. Kerberos is faster and more secure than NTLM, but has more prerequisites.

Option Description
NTLM only Includes only NTLM in authentication headers. Use this option if you have legacy clients that can’t handle Kerberos headers.
Kerberos & NTLM Default

Includes both NTLM and Kerberos in authentication headers. Browsers choose which mechanism to use.

Note

If Active Directory is configured, you can turn on access to AD SSO from specific network zones, for example, LAN. Go to Administration > Device access and select the zones under Local service ACL.

Captive portal behavior

Specify the captive portal settings.

Shows the user portal link on the captive portal page.

Show web page after sign-in

Redirects users after authentication to the page they’ve requested or a custom page.

Open web page

Option Description
In new browser window Opens the web page in a new browser window. The captive portal page remains open.
In captive portal window Opens the web page in the current tab, replacing the captive portal page.

Web page

Option Description
Originally requested by user Opens the web page originally requested by the users before they were redirected to the captive portal.\
Custom Specify a page to which the users are redirected. For example, open an internal home page after the sign-in.

Sign out user

Option Description
When captive portal page is closed or redirected Signs out users when they close the captive portal tab or open another page in its tab.
When user is inactive Specify the amount of data transfer within a time frame for a user to be considered active.
Never Users aren’t signed out.

Use insecure HTTP instead of HTTPS

Allows users to access the captive portal through HTTP.

We recommend that you use HTTPS. Transmitting unencrypted passwords over a network poses a severe security risk.**: Sophos Firewall comes with a preinstalled locally-signed HTTPS certificate. To prevent browser certificate warnings, you can replace it with a certificate that you’ve generated (and distributed to ensure client trust) or purchased from a certificate authority.

To save changes, select Apply.

Captive portal appearance

You can customize the appearance and content of the captive portal. For example, you can specify your company logo and custom text. Select the Preview button at the bottom to see what the page will look like to users.

Option Description
Default layout Uses the default Sophos layout.
Custom HTML Select to edit the HTML and CSS code. You can also use JavaScript.

The code must contain the following element: <div id="__loginbox"></div>. The system will render the required user input elements in the div element.
Default logo Uses the Sophos logo.
Custom logo Select to use your own logo. Upload an image or enter a link to your logo.
Sign-in page header HTML Enter the text to be shown above the sign-in box. You can use HTML.

Use Header and footer text color to customize the font color.
User prompt You can change the default text.
Username field label You can change the label of the username field.
Password field label You can change the label of the password field.
Sign-in button label You can change the label of the sign-in button.
Sign-out button label You can change the label of the sign-out button.
User portal link label You can change the name of the user portal link.
Sign-in page footer HTML Enter the text to be shown below the sign-in box. You can use HTML.

Use Header and footer text color to customize the font color.
Background color You can change the background color of the full page.
Header and footer text color You can change the font color of the header and the footer. It will be visible only if you’ve specified a header or footer.
Custom logo background color You can change the background color of the box that contains the logo.
User prompt text color You can change the font color of the user prompt.
User portal link text color You can change the font color of the user portal link.

To save the settings, select Apply.

To erase custom settings, select Reset to default.

More resources

Back to top