Add an Active Directory server
You can add an Active Directory server for user authentication. Do as follows:
- Go to Authentication > Servers and click Add.
- In Server type, select Active directory.
- In Server name, enter a name for the server.
- In Server IP/domain, enter the IP address of the AD server.
- In Connection security, select one of the following options:
  - Plaintext: Send user credentials as unencrypted plain text.
  - SSL/TLS (Default): Use Secure Sockets Layer/Transport Layer Security to encrypt the connection.
  - STARTTLS: Upgrade a non-encrypted connection by wrapping it with SSL/TLS after or during the connection process. Uses the default port.
  Note
  We recommend using an encrypted connection.
- Enter the Port you want to use for the server.
- Enter the NetBIOS domain for the server.
- Enter an ADS username to query the server.
  Tip
  Any domain-joined user account can query, search, and read AD group membership. These rights are sufficient to import groups from the AD server.
- Enter the Password for the ADS user.
- Select Validate server certificate if you want the firewall to validate the certificate when connecting to the external server.
  Note
  If you turn this option on, you must take the following steps:
  - Upload the AD server certificate to the firewall in Certificates > Certificates > Add > Upload certificate, or the connection to the AD server will fail.
  - In Server IP/domain, enter the CNAME as shown in the AD server's server certificate. If the firewall can't directly resolve the CNAME, add a DNS host entry for that domain in Network > DNS > DNS host entry. See Add a DNS host entry.
- Enter a Display name attribute for the server. Users see this as the server name.
- Enter an Email address attribute. This is the alias for the configured email address, which the firewall shows to the user.
- Enter your Domain name.
- Enter the Search queries to run on the server. Click Add and create an LDAP query.
  Note
  Only users selected by the Search queries appear in Live Users.
- Click Test connection to validate the user credentials and check the connection to the server.
  Note
  When you configure synchronized user ID and STAS, the authentication server uses the mechanism from which it receives the sign-in request first.
- Click Save.
Go to Authentication > Services and select servers to use for service authentication.