When you specify an email address in the New User dialog box, an X.509 certificate for this user will be generated simultaneously while creating the user definition, using the email address as the certificate's VPN Virtual Private NetworkID Identity. On the other hand, if no email address is specified, a certificate will be created with the user's Distinguished Name (DN) as VPN ID. That way, if users are authenticated by means of a backend group such as eDirectory, a certificate will be created even if no email address is set in the corresponding backend user object.
Because the VPN ID of each certificate must be unique, each user definition must have a different and unique email address. Creating a user definition with an email address already present in the system will fail. The certificates can be used for various remote access methods supported by Sophos UTM with the exception of PPTP Point to Point Tunneling Protocol, L2TP Layer Two (2) Tunneling Protocol over IPsec using PSK Preshared Key, and native IPsec using RSA Rivest, Shamir, & Adleman (public key encryption technology) or PSK.
To add a user account, proceed as follows:
On the Users tab, click New User.
The Add User dialog box opens.
Make the following settings:
Username: Enter a descriptive name for this user (e.g. jdoe). Note that for using remote access via PPTP or L2TP over IPsec, the username may only contain ASCII printable characters1.
Real name: Enter the user's real name (e.g. John Doe).
Email address: Enter the user's primary email address.
Additional email addresses (optional): Enter additional email addresses of this user. Spam emails sent to any of these addresses will be listed in an Quarantine Report, which will be send to the primary email address specified above.
- Local: Select to authenticate the user locally on Sophos UTM.
- Remote: Select to authenticate the user using one of the external authentication methods supported by Sophos UTM. For more information, see Definitions & Users > Authentication Services.
- None: Select to prevent the user from authentication completely. This is useful, for example, to disable a user temporarily without the need to delete the user definition altogether.
Password: Enter a user password (second time for verification). Only available if you selected Local as authentication method. Note that Basic User Authentication does not support umlauts. Note that for using remote access via PPTP or L2TP over IPsec, the password may only contain ASCII printable characters2.
Backend sync: Some basic settings of the user definition such as the real name or the user's email address can be updated automatically by synchronizing the data with external backend authentication servers (only available if you selected Remote as authentication method). Note that the option will automatically be set according to the Enable Backend Sync on Login option on the Authentication Services > Advanced tab, if the user is selected for prefetching.
Note – Currently, only data with Active Directory and eDirectory servers can be synchronized.
X.509 certificate: Once the user definition has been created, you can assign an X.509 certificate for this user when editing the user definition. By default, this is the certificate that was automatically generated upon creating the user definition. However, you can also assign a third-party certificate, which you can upload on the Remote Access > Certificate Management > Certificates tab.
Use static remote access IP (optional): Select if you want to assign a static IP address for users gaining remote access instead of assigning a dynamic IP address from an IP address pool. For IPsec users behind a NAT router, for example, it is mandatory to use a static remote access IP address.
Note – The static remote access IP can only be used for remote access through PPTP, L2TP, and IPsec. It cannot be used, however, for remote access through SSL Secure Sockets Layer.
Comment (optional): Add a description or other information.
Optionally, make the following advanced settings:
Users can create and maintain their own email whitelist and blacklist (see chapter User Portal). You can view those lists here and, if necessary, modify them.
The new user account appears on the Users list.
If you want to make users regular administrators having access to the web-based administrative interface WebAdmin, add the users to the group of SuperAdmins, which is configured on the Definitions & Users > Users & Groups > Groups tab in WebAdmin.
Note – If you have deleted a user object and want to create a user object with the same name, make sure you have also deleted the certificate associated with this user on the Remote Access > Certificate Management > Certificates tab. Otherwise you will get an error message stating that an item with that name already exists.
You can download remote access certificates and/or configurations of users for whom some sort of remote access has been enabled. For that, select the checkbox in front of the respective users and select the desired option from the Actions drop-down list in the list header. Remote access users can also download those files themselves when they are allowed to use the User Portal.