Sophos Xg Azure Ad

Posted on  by admin

With version 18, Sophos changed the RADIUS settings on XG Firewall. We now have the possibility to set a timeout for authentication, and this allows us to use Azure MFA for two-factor authentication.


Here are a few simple steps for enabling this on Network Policy Server and on the XG Firewall.

If you do not have MFA enabled for your Office 365/Azure AD account, you can enable it through the following link https://aka.ms/mfasetup or use a conditional access policy to enforce MFA for user accounts.


Only push notifications through the Microsoft Authenticator app or phone calls can be used for two-factor authentication with SSL VPN/Sophos Connect. To prevent users from selecting any other multi-factor authentication method, you should disable the verification options that are not supported.

To enable or disable verification methods, complete the following steps:


  1. In the Azure portal, select Azure Active Directory, then select Users.
  2. Select Multi-Factor Authentication.
  3. From Multi-Factor Authentication, select service settings.
  4. Unselect Text message to phone and Verification code from mobile app or hardware token.
  5. Click Save.

An Azure AD Premium P1 license should be assigned to all users who use Azure MFA through the RADIUS extension. For more information, refer to https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing

Also remember that a Network Policy Server with the Azure MFA extension redirects all requests to Azure. The server cannot be used for any other kind of authentication (e.g. 802.1X) after the extension is enabled.


1. Install the Network Policy Server role on a Windows server. I installed mine on my lab domain controllers.


2. Install the Azure MFA extension and configure it. Follow the guide from Microsoft to enable it.

Download:
https://www.microsoft.com/en-us/download/details.aspx?id=54688

Guide:
https://docs.microsoft.com/bs-latn-ba/azure/active-directory/authentication/howto-mfa-nps-extension

3. Create a new RADIUS client with the IP address of the Sophos XG Firewall.

4. Create a new Connection Request Policy.


5. Create a new Network Policy.

6. Create a firewall rule on the RADIUS server to allow connections from the XG Firewall.

7. Add the authentication server in Sophos XG Firewall.

8. Test authentication through RADIUS.


9. Select where you want to use RADIUS as the authentication back-end.
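The NPS-side steps above (1, 2, 3, 6 and 8) collected into one elevated PowerShell script, as an added example that is not the post's own code and not a Sophos or Microsoft script. It assumes a constructed XG Firewall address of 10.0.0.1, an assumed RADIUS client name and firewall rule name, and the extension configuration script path from Microsoft's guide; steps 4, 5, 7 and 9 remain console steps.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the
# Windows server that will become the RADIUS server for the XG Firewall.
$XgAddress  = '10.0.0.1'                # constructed: IP of the Sophos XG Firewall
$ClientName = 'SophosXG'                # assumed RADIUS client name
$RuleName   = 'RADIUS from Sophos XG'   # assumed host firewall rule name

# Step 1: install the Network Policy Server role and register NPS in Active Directory
# so it may read user dial-in properties.
Install-WindowsFeature -Name NPAS -IncludeManagementTools | Out-Null
netsh ras add registeredserver | Out-Null

# Step 2 (manual): after installing NpsExtnForAzureMfaInstaller.exe from the download
# link above, run Microsoft's configuration script, which asks for the tenant ID:
#   & 'C:\Program Files\Microsoft\AzureMfa\Config\AzureMfaNpsExtnConfigSetup.ps1'
# From then on EVERY request reaching this NPS is forwarded to Azure MFA, which is why
# the server cannot also serve 802.1X or other RADIUS clients.

# Step 3: generate a strong shared secret from a CSPRNG (64-symbol alphabet, so the
# modulo introduces no bias) and register the XG Firewall as the only RADIUS client.
$alphabet = [char[]]('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_')
$bytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$SharedSecret = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
New-NpsRadiusClient -Name $ClientName -Address $XgAddress -SharedSecret $SharedSecret -Enabled $true
Write-Host "Shared secret for the XG authentication server entry (store it securely):`n$SharedSecret"

# Step 6: host firewall rule for RADIUS authentication/accounting (UDP 1812/1813),
# scoped to the XG address so no other host can submit authentication requests.
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow -Protocol UDP `
    -LocalPort 1812,1813 -RemoteAddress $XgAddress -Profile Domain | Out-Null

# Step 8: audit granted/denied RADIUS requests so the test from the XG is visible in the
# Security log, then list the latest results (6272 = access granted, 6273 = access denied).
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

When running the test from the XG (step 8), keep the firewall's RADIUS timeout from the new version 18 setting long enough for the user to answer the push or phone call; a denied event (6273) with an MFA reason points at the Azure side, a missing event altogether points at the firewall rule or the RADIUS client address.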