Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=c_202007151407520320

Synchronized user ID authentication

Synchronized user ID authentication uses the Security Heartbeat to provide user authentication for endpoint users.

Synchronized user ID works with Active Directory (AD) configured as an authentication server in the firewall and is currently supported for Windows 7 and Windows 10. No agents are required on the server or clients, nor does it share or use any password information. The synchronized user ID doesn't work with other directory services, and it doesn't recognize local users. The synchronized user ID shares the domain user account information from the endpoint device the user is signed in to with the firewall via Security Heartbeat. The firewall then checks the user account against the configured AD server and activates the user.

Sophos Endpoint Protection passes Windows sign-in information to the firewall. The firewall uses this information to authenticate against AD. This authentication is used to trigger user-based policies and general user authentication on the firewall.

Process

The synchronized user ID authentication process is as follows:

  1. Users sign in to Windows using their domain credentials, username, password, and domain name.
  2. The firewall's heartbeat daemon receives the clients' heartbeat status along with the domain name and username. The domain is taken from the User Principle Name (UPN) of the users' AD record, and the username is taken from the sAMAccountName.
  3. The firewall checks the correct AD server to serve this sign-in request based on the domain and looks for the correct username in the firewall user database.
  4. The heartbeat daemon forwards the user sign-in request to the Active Directory server.
  5. The signed-in user is displayed on the live user page.

If an endpoint heartbeat is lost or missing, the heartbeat daemon signs out the user from the firewall as a synchronized ID user. However, other endpoint authentication mechanisms may still apply.

Requirements

For synchronized user ID authentication to work, the following conditions must be met:

  • A Sophos Central account must be linked to the firewall.
  • The firewall must be connected to the domain controller for AD authentication.
  • The users in the Sophos Central account must have the same profile. For example, in Sophos Central Admin, the user profile must contain the email address used on the firewall and in AD.
  • For the local users in the firewall, use the same email address as defined in the Sophos Central account.
  • In AD, the domain part of the UPN must exactly match the domain configured for your AD server in the firewall.

Turn off synchronized user ID authentication

Synchronized user ID authentication is turned on by default. To turn it off, do as follows:

  1. Access the Advanced Shell.

  2. Run one of the following commands:

    • To keep it turned off even after the firewall restarts: touch /content/no_userid
    • To only keep it turned off until the firewall restarts: touch /tmp/no_userid

  3. To restart the access server service, run the following command: service access_server:restart -ds nosync

Warning

The change in status isn't included in backups. You must turn it off again if you restore a backup.

Turn on synchronized user ID authentication

To turn on synchronized user ID authentication, do as follows:

  1. Access the Advanced Shell.
  2. To turn the feature on, run the following command: rm /content/no_userid
  3. To restart the access server service, run the following command: service access_server:restart -ds nosync

Note

If HA cluster is configured, you must turn synchronized user ID authentication on or off from both the devices of the HA cluster.