Azure Sophos

Posted on by admin

Sophos made a great article regarding running Sophos XG with Azure AD authentication; here are the steps:


This document is applicable to all the XG Firewalls running all versions. To integrate the XG firewall with Azure AD, we need to create a new service called “Azure AD Domain services”.

With this integration, administrators can use Azure AD for the following:

  1. Captive portal authentication of internal firewall users.
  2. Authentication agent for Windows, macOS and Linux.
  3. SSL VPN authentication.
  4. Sophos Connect client.
  5. SSO via the Synchronized Security user ID*.

Note: SSO with synchronized security and Azure AD needs to meet some specific requirements which are outside the scope of this document.

Azure AD DS replicates identity information from Azure AD to a Microsoft-operated set of domain controllers, so it works with Azure AD tenants that are cloud-only, or synchronized with an on-premises AD DS environment. The same set of Azure AD DS features exists for both environments.

Azure AD Domain Services offers an LDAP interface to XG that can replicate the working of an on-premises Active Directory. This article assumes there is an existing Azure AD environment in place.


  1. Log in to the Azure portal and create Azure AD Domain Services; this step takes 60-90 minutes to deploy. See the documentation from Microsoft on how to deploy Azure AD Domain Services.
  2. Once the AD Domain Services are deployed, you should see the health status as “Running”.
  3. Click Synchronize; you can either select scoped synchronization or choose to synchronize all of Azure AD.

    Note: The following step is required for cloud-only user accounts in Azure AD, because the Azure AD account is not synchronized with AD Domain Services until the user has changed their password by logging in to Office 365. This password change causes the password hashes for Kerberos and NTLM authentication to be generated and stored in Azure AD.

  4. Each user needs to log in to the Office 365 portal and change their password. If a new user is logging in to Office 365 for the first time, they will be prompted for the password change.
  5. Once the AD Domain Services are deployed, it is recommended to enable LDAPS if the firewall is sending LDAP bind requests over the internet. For additional security, Sophos recommends creating an IPsec tunnel to Azure over which to bind the LDAP.

    Note: Azure accepts self-signed certificates for this purpose. In this example, we use OpenSSL to generate a self-signed chain of certificates. Azure only accepts certificates with the extendedKeyUsage extension set to server authentication.

    Below is the process to generate self-signed certificates with EKU serverAuth:

    • In order to create the Certificate Authority Private Key and Certificate, you first need to create a private key for the CA with the name azureADca.key.

      $ openssl genrsa -out azureADca.key 4096
      Generating RSA private key, 4096 bit long modulus
      ……………………………………………………………………………………………………………………………………….++
      …………….++
      e is 65537 (0x10001)

    • Create the CA certificate to be used to validate signed certificates, called azureADca.pem.

      $ openssl req -x509 -new -nodes -key azureADca.key -days 3650 -out azureADca.pem
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) []:CA
      State or Province Name (full name) []:ON
      Locality Name (eg, city) []:Burlington
      Organization Name (eg, company) []:<Your org>
      Organizational Unit Name (eg, section) []:Salesengineering
      Common Name (eg, fully qualified host name) []:<Common name>
      Email Address []:[email protected]

    • Create a text file and copy/paste the below text. Save the file as “azureAD-eku.conf” or any name of your choice.

      [client_server_ssl]
      extendedKeyUsage = serverAuth

    • Now that this file exists, you need to generate a private key for the LDAP cert with the name “ldapssl_private.key”.

      $ openssl genrsa -out ldapssl_private.key 4096
      Generating RSA private key, 4096 bit long modulus
      ……………………………..++
      ……….++
      e is 65537 (0x10001)

    • Next, create a certificate signing request, named “azureADldapssl.csr”, to be signed with the CA you previously created, and fill in the values as shown below.

      $ openssl req -new -key ldapssl_private.key -out azureADldapssl.csr
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) []:CA
      State or Province Name (full name) []:ON
      Locality Name (eg, city) []:Burlington
      Organization Name (eg, company) []:firewallinabox
      Organizational Unit Name (eg, section) []:Sales Engineering
      Common Name (eg, fully qualified host name) []:<yourdomainname>
      Email Address []:<[email protected]>

      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []:<Password>

    • You now need to sign the request, while including the signing extensions created earlier. The following command will create the signed cert with the name “azureADcert.crt”.

      $ openssl x509 -req -extensions client_server_ssl -extfile azureAD-eku.conf -in azureADldapssl.csr -CA azureADca.pem -CAkey azureADca.key -CAcreateserial -out azureADcert.crt -days 365
      Signature ok
      subject=/C=CA/ST=ON/L=Burlington/O=firewallinabox/OU=Sales Engineering/CN=firewallinabox.tk/[email protected]
      Getting CA Private Key
      $

    • Convert the certificate into PFX format, as Azure accepts the certs in the PFX format. The CA certificate to bundle is the azureADca.pem created earlier.

      $ openssl pkcs12 -export -out XGazureADcert.pfx -inkey ldapssl_private.key -in azureADcert.crt -certfile azureADca.pem
      Enter Export Password:
      Verifying - Enter Export Password:

    • Next, upload the XGazureADcert.pfx file into Azure AD.
  6. Under Azure AD Domain Services, navigate to Properties and make a note of the Secure LDAP external IP address. If you are connecting through an IPsec tunnel, you can use the internal addresses instead, which are 10.201.1.4 and 10.201.1.5 in this example.
  7. Make sure the correct administrator group is selected; this is the group used on the XG to send LDAP bind requests to AD Domain Services.
  8. In the Azure portal, navigate to Azure AD > Users and make sure the user is part of the AAD DC Administrators group inside Azure AD.
  9. In the Azure portal, navigate to Network security groups > Inbound security rules, then add a new inbound security rule allowing the LDAPS traffic from your firewall's public IP. (This is optional and only required if you are using an IPsec tunnel for additional security.)
  10. The administrator account you will be using on the XG Firewall must first have logged in to Office 365 and changed its password.
  1. Log in to the XG Firewall web UI, navigate to Configure > Authentication > Servers > Add and use the settings obtained from Azure AD Domain Services above.
  2. Import the groups from Azure AD as shown below.
  3. Select the server from the list of authenticated servers from Configure > Authentication > Services.
  4. Test the authentication with the user portal and the login should be successful.
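The certificate procedure from step 5, as an added example that is not from the Sophos article: a non-interactive POSIX shell version of the same OpenSSL commands, followed by a check that the leaf certificate chains to the CA and actually carries the serverAuth EKU before it is uploaded. The work directory, DN fields and CN are placeholders; file names follow the article.

```shell
#!/bin/sh
# Added example, not from the Sophos article: the OpenSSL steps of step 5
# run non-interactively, plus a check that the leaf certificate chains to the
# CA and carries extendedKeyUsage=serverAuth before it is uploaded to Azure.
# Work directory, DN fields and CN are placeholders; file names follow the article.
set -eu

# Runs in a subshell so the cd does not leak into the caller.
make_ldaps_cert() (
    workdir="$1"; cn="$2"; pfx_pass="$3"
    mkdir -p "$workdir" && cd "$workdir"

    # 1. CA private key and self-signed CA certificate (10 years)
    openssl genrsa -out azureADca.key 4096 2>/dev/null
    openssl req -x509 -new -nodes -key azureADca.key -days 3650 \
        -subj "/C=CA/ST=ON/O=Example Org/CN=Example LDAPS CA" \
        -out azureADca.pem 2>/dev/null

    # 2. Extension file: the one extension Azure AD DS Secure LDAP requires
    printf '[client_server_ssl]\nextendedKeyUsage = serverAuth\n' > azureAD-eku.conf

    # 3. Server key and CSR, then sign with the CA applying the EKU section
    openssl genrsa -out ldapssl_private.key 4096 2>/dev/null
    openssl req -new -key ldapssl_private.key \
        -subj "/C=CA/ST=ON/O=Example Org/CN=$cn" -out azureADldapssl.csr 2>/dev/null
    openssl x509 -req -extensions client_server_ssl -extfile azureAD-eku.conf \
        -in azureADldapssl.csr -CA azureADca.pem -CAkey azureADca.key \
        -CAcreateserial -out azureADcert.crt -days 365 2>/dev/null

    # 4. PFX bundle (key + leaf + CA) in the format the Azure portal accepts
    openssl pkcs12 -export -out XGazureADcert.pfx -inkey ldapssl_private.key \
        -in azureADcert.crt -certfile azureADca.pem -passout "pass:$pfx_pass"
)

# Returns 0 only if the leaf verifies against the CA and has the serverAuth EKU;
# a certificate that fails here is not acceptable to Azure.
check_ldaps_cert() {
    workdir="$1"
    openssl verify -CAfile "$workdir/azureADca.pem" "$workdir/azureADcert.crt" \
        >/dev/null 2>&1 || return 1
    openssl x509 -in "$workdir/azureADcert.crt" -noout -text \
        | grep -q 'TLS Web Server Authentication'
}
```

Run `make_ldaps_cert /tmp/ldaps ldaps.example.com 'export-password'` and then `check_ldaps_cert /tmp/ldaps` before uploading the PFX.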

Source: Sophos XG Firewall: Integrate XG Firewall with Azure AD – Recommended Reads – Sophos (XG) Firewall – Sophos Community

Related Posts

Microsoft Azure's dynamic routing gateway requires IKEv2, something Sophos UTM doesn't support, yet. This is a workaround that uses Ubuntu Server and strongSwan to create the VPN and a static route on the UTM to send specific traffic through the VPN on the Ubuntu Server.


Installation Instructions


This assumes you have some technical knowledge and are a Sophos UTM user looking for a way to connect multiple locations to your Azure environment.


These instructions start with an Azure environment already configured with a dynamic routing gateway and existing installations of Sophos UTM 9.312-8 and Ubuntu Server 14.04.2 LTS. For testing purposes, the Sophos UTM and Ubuntu Server installations were clean. The Ubuntu Server should have one network connection and internet access. In this case, the DHCP server on the UTM originally provided the Ubuntu Server with an IP address and the UTM is the gateway and DNS server.


The latest .ISO files can be found on the Sophos web site and the Ubuntu web site.


The IP addresses and networks shown in these instructions were used for testing purposes and are no longer valid. They include 10.1.10.163 as the external IP address (provided by your internet service provider), 192.168.163.1 and 192.168.163.0/24 as the IP address and subnet used by the UTM for the internal network, 192.168.163.91 as the IP address of the Ubuntu Server, 192.168.168.0/27 as the subnet on the virtual network in the Azure environment, and 138.91.249.225 as the gateway IP address provided by Azure after creating the dynamic routing gateway. Use the addresses and subnets from your network and Azure environment for everything to work properly for you.


After logging in, depending on the version of Ubuntu Server, you may see some useful information, including the IP address. Make note of the address. If it's not displayed, you can use the ifconfig command to look it up.


Use the apt-get update command to download the latest package lists from the repositories. Almost all of the commands in these instructions will require sudo to elevate your privileges. On the Ubuntu Server, the first time you use sudo after logging in or after a period of idle time, you'll be asked for your password again.


If you would like to use ssh to connect to your Ubuntu Server, install OpenSSH server using the apt-get install openssh-server command.


In WebAdmin on your UTM, find the IP address assigned to the Ubuntu Server and add a static mapping to give it an IP address that won't change. Then, restart your Ubuntu Server to get the new IP address.


Use nano (sudo nano /etc/network/interfaces) or your favorite text editor to add the following line to the file /etc/network/interfaces after the settings for the primary network interface:


The file referred to by this line will be created later.



Uncomment the line net.ipv4.ip_forward=1 in the file /etc/sysctl.conf. (Remove the # from the beginning of the line.)


Change the 0 to a 1 in the file /proc/sys/net/ipv4/ip_forward.


Create the file /etc/iptables.rules and add the following lines:


Remember to replace the subnet shown, 192.168.168.0/27, with the subnet you want to connect to in your Azure environment.


These rules assume the Ubuntu Server is on a safe network. If you need to protect your Ubuntu Server from possible threats on your local area network or if the Ubuntu Server is not protected by the UTM, you should change them to block unwanted traffic.


Install strongSwan using the apt-get install strongswan command.


Add your external IP address and the gateway IP address and preshared key provided by Azure to the file /etc/ipsec.secrets.


Add the following lines to the end of the file /etc/ipsec.conf:


leftid is your external IP address and needs to match the external IP address in the file /etc/ipsec.secrets, while left is the Ubuntu Server's IP address on your internal network. rightid and right are both the gateway IP address provided by Azure, and rightsubnet is the subnet used by your servers in the Azure environment. These addresses and subnets need to be the correct addresses and subnets from your network and Azure environment for authentication to be successful.
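The fields described above, written out as an added example that is not the post's own /etc/ipsec.conf or /etc/ipsec.secrets, using the test addresses quoted earlier in these instructions. The IKE/ESP proposals and leftsubnet are assumptions to be matched against what the Azure gateway accepts, and the preshared key is a placeholder.

```conf
# ---- /etc/ipsec.secrets (format only; the PSK is the one shown in the Azure portal) ----
10.1.10.163 138.91.249.225 : PSK "<preshared key from Azure>"

# ---- /etc/ipsec.conf (added example; proposals and leftsubnet are assumed) ----
conn azure
    keyexchange=ikev2                 # the dynamic routing gateway requires IKEv2
    authby=secret                     # PSK looked up by leftid/rightid in ipsec.secrets
    type=tunnel
    left=192.168.163.91               # Ubuntu Server's address on the internal network
    leftid=10.1.10.163                # external IP; must match the secrets file
    leftsubnet=192.168.163.0/24       # internal subnet behind the UTM (assumed)
    right=138.91.249.225              # gateway IP provided by Azure
    rightid=138.91.249.225
    rightsubnet=192.168.168.0/27      # subnet of the Azure virtual network
    ike=aes256-sha1-modp1024!         # assumed; use the proposals the gateway accepts
    esp=aes256-sha1!
    auto=start                        # bring the tunnel up when charon starts
```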


In WebAdmin, add a static route (Interfaces & Routing, Static Routing, Standard Static Routes tab) to forward traffic to and from servers in your Azure environment through the VPN on the Ubuntu Server. While adding the static route, you'll need to add a network definition for the subnet used by the servers in your Azure environment. If you used the DHCP server on the UTM to add a static mapping for the Ubuntu Server, its definition already exists.


Add a NAT rule (Network Protection, NAT, NAT tab) to forward traffic from Azure's gateway IP address, changing its destination from your public IP address to your Ubuntu Server's IP address. Make sure you turn on an automatic firewall rule or manually create a firewall rule (Network Protection, Firewall, Rules tab). Also, make sure your firewall allows VPN-related traffic from your Ubuntu Server to Azure's gateway IP address if it doesn't already. While adding the NAT rule, you'll need to add a network definition for the gateway IP address provided by Azure.


Use the ipsec secrets command to reload the information from the file /etc/ipsec.secrets. Then, use the ipsec restart command to stop the IKE daemon charon, parse the file /etc/ipsec.conf, and start charon again. The ipsec statusall command will show the status of the VPN.


If you want to get the status of multiple VPNs from Azure, use the Get-AzureVnetConnection command in the Azure PowerShell. (The VNetName would be the name of your virtual network in Azure.)


To test your connection to your Azure environment, ping a Linux server in the environment from a computer on your internal network (Windows Server may not respond to ping) or try to Remote Desktop to a Windows Server.



These instructions were written by tech Scott Gumble in the hope that they will help some Sophos UTM users and Sophos partners who need a way to connect one or more UTMs to Azure's dynamic routing gateway.