
Getting Started with Sophos Firewall Authentication

Sophos Firewall
Version: 19.0v1

[Additional Information]

Sophos Firewall
FW3515: Getting Started with Sophos Firewall Authentication

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Getting Started with Sophos Firewall Authentication - 1


Getting Started with Sophos Firewall Authentication

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Authentication methods that are supported by Sophos Firewall

DURATION: 30 minutes

In this chapter you will learn the types of users and groups that can be configured for Sophos
Firewall and the methods that can be used for authentication.



Authentication Methods

Precedence (checked first to last):
• Hotspot
• Clientless Users
• Single Sign-On (SSO)
  • Synchronized User Identity
  • Sophos Transparent Authentication Suite (STAS)
  • SSO Client
  • VPN
  • RADIUS
  • Web Authentication (NTLM and Kerberos)
• Authentication Agent
• Captive Portal

Sophos Firewall supports five main methods for authenticating users. These are:
• Hotspot
• Clientless Users
• Single Sign-On (SSO)
• Authentication Agent
• Captive Portal

This is the order in which authentication is checked for users. Throughout the rest of this chapter,
we will look at some of the most common forms of authentication in more detail.



Activity
Put the authentication methods in order of precedence:
• Captive Portal
• Authentication Agent
• Hotspot
• Clientless Users
• Clientless Single Sign-On



Hotspots
(Slide shows the hotspot type selection)

A hotspot is a portal that controls network access to devices connecting to the network. Hotspots
are typically used to provide guest Internet access in public areas. When you add an interface to a
hotspot, all devices connecting through that interface must authenticate through the hotspot.

Hotspots support a full suite of protection features and authentication methods. You can redirect
users to a captive portal or sign-in page where users must accept terms of usage or authenticate
themselves using a generated password or voucher.



Types of User

• Clientless Users: authenticated by IP address; locally authenticated
• Guest Users: temporary users authenticated with a system-generated username and password; locally authenticated
• Users: authenticate with a username and password; can be locally or externally authenticated

Sophos Firewall has three types of user.

Clientless users do not authenticate using a username and password, but instead are identified
purely by their IP address. Clientless users are always authenticated locally by the Sophos Firewall.

Guest users are given temporary network access, usually to access the Internet. They authenticate
with a username and password that are generated by the Sophos Firewall and are always
authenticated locally.

Standard users authenticate with a username and password. They can be authenticated locally by
the Sophos Firewall or using an external authentication server such as Active Directory.



Creating Clientless Users
Clientless users are managed in: CONFIGURE > Authentication > Clientless users

Typically, you would use clientless users to control network access for servers or devices such as
printers and VoIP phones.

Here you can see an example of two printers being added as clientless users. You give each device
a name, specify its IP address and select which group it will be a member of. You then use the
group in the firewall rules to control the network access the devices have.

Clientless users can also be added in bulk by specifying a range of IP addresses and selecting the
group they will be a member of. You can edit the details for each IP address after adding them.



Creating Guest Users
Guest users are managed in: CONFIGURE > Authentication > Guest users

You can create guest users either individually, shown on the left, or in bulk, shown on the right.

There are two main options when creating guest users:

1. How long the credentials will be valid for
2. Whether the validity period starts as soon as the user is added or when the user first logs in

Using the Print option, you can print the credentials for multiple selected users. This is useful if
someone will be providing these to visitors when they ask for access to the guest Wi-Fi, for
example.



Creating Guest Users

All guest users are created with the same settings that can be managed in CONFIGURE >
Authentication > Guest user settings.

Here you can set the group that the user will be added to and the password complexity.

Optionally you can also integrate Sophos Firewall with an SMS gateway to allow guest users to
register for their own access details. This can save significant time where there are large volumes
of guest users such as in hotels and airports.



Creating Local Users
Local users are managed in: CONFIGURE > Authentication > Users
(Slide shows the administration profiles and the policies that can be attached to the user)

Local users can also be added to Sophos Firewall. The user types are:

• User: End users who are connecting to the internet from behind the firewall.
• Administrator: Users who have access to firewall objects and settings as defined in an
administration profile.

Policies can also be assigned, such as for internet access and VPN. Those specified at the user level
take precedence over those specified at the group level.



Synchronized User Identity
Sophos Firewall gets the user ID automatically from endpoints that are on an Active Directory domain.
(Diagram: Sophos endpoints, Security Heartbeat™, Sophos Firewall, Active Directory server, Internet)

Synchronized User Identity leverages the presence of Sophos on the Windows endpoints to
provide transparent user authentication with the firewall by sharing the user’s identity through the
Security Heartbeat connection. This makes authentication seamless, without having to deploy
additional agents onto domain controllers.

Synchronized User Identity is enabled by default for all Windows endpoints that establish a
Security Heartbeat with the Sophos Firewall.



Synchronized User Identity

1. Add an Active Directory authentication server on Sophos Firewall
2. Import groups from Active Directory into the Sophos Firewall
3. Enable the Active Directory server in the firewall authentication methods
4. Computers with a Security Heartbeat™ will synchronize the user details

For Synchronized User Identity to work, you will need to have added an Active Directory
authentication server on the Sophos Firewall and imported the groups using the wizard.

The Active Directory authentication server must be enabled as an authentication source for the
firewall in CONFIGURE > Authentication > Services.

With this done, all Windows endpoints with a heartbeat to the Sophos Firewall will be
authenticated transparently.



Disabling Synchronized User Identity – add link

Sophos Firewall
===============
(C) Copyright 2000-2020 Sophos Limited and others. All rights reserved.
Sophos is a registered trademark of Sophos Limited and Sophos Group.
All other product and company names mentioned are trademarks or registered
trademarks of their respective owners.

For End User License Agreement - http://www.sophos.com/en-us/legal/sophos-end-user-license-agreement.aspx

NOTE: If not explicitly approved by Sophos support, any modifications
done through this option will void your support.

XG135_XN02_SFOS 18.0.0# touch /content/no_userid
XG135_XN02_SFOS 18.0.0# service access_server:restart -ds nosync
200 OK
XG135_XN02_SFOS 18.0.0#

Synchronized User Identity works by default if the prerequisites are satisfied. If you want to
disable it, create the file /content/no_userid from the console, as shown above.

Removing this file re-enables Synchronized User Identity; however, you do need to restart the
authentication service for this change to take effect.



Groups
Groups are managed in: CONFIGURE > Authentication > Groups

Now that we’ve looked at the different types of users, we’ll look at groups. There are two types of
groups: normal and clientless, named for their respective user types.

A group is a collection of users with common policies and can be used to assign access to
resources. The user will automatically inherit all the policies added to the group.

Examples of policies that can be applied to groups include:

• Surfing Quota
• Access Time
• Network Traffic
• Traffic Shaping

These are configured in SYSTEM > Profiles.

By default, users will inherit their assigned group’s policies. To adjust a group’s assigned policies,
select a policy from the list of available policies while editing or creating a new group. You can also
create a new policy directly from the group page.



Group Import from Active Directory

When using Active Directory as an authentication server, users are created on Sophos Firewall
and assigned to a group when they first successfully log in. To use Active Directory groups, run the
import wizard, and users will be assigned to their associated Active Directory group.

Please note that Sophos Firewall groups cannot be nested, and if a user is a member of multiple
groups, they will be added to the first one they match on Sophos Firewall.



Web Authentication
(Additional information in the notes)

Unknown user tries to visit a webpage:
• Transparent web filtering: redirect to a URL served by Sophos Firewall and send an HTTP_AUTH challenge so the browser responds with the user credentials
• Direct proxy mode: respond with a PROXY_AUTH challenge so the browser responds with the user credentials
In both cases the user is recorded against the IP address for future transactions.

If user authentication is only required for web filtering, Sophos Firewall can use a proxy challenge
to authenticate Active Directory users with NTLM or Kerberos.

Let’s start by looking at what happens when an unknown user tries to visit a web page. There are
two scenarios:
1. For transparent web filtering, Sophos Firewall redirects the browser to a URL served by the
firewall and sends an HTTP_AUTH challenge so that the browser responds with the credentials.
2. In direct proxy mode, Sophos Firewall can respond with a PROXY_AUTH challenge so that the
browser responds with the user credentials.

In both cases the user is recorded against the IP address for future transactions.

[Additional Information]
Kerberos is more secure and has lower overheads than NTLM:
• NTLM requires an additional response round-trip between Sophos Firewall and the browser
• NTLM requires a lookup between Sophos Firewall and the challenge/domain controller for every
authentication event

To avoid clients seeing a popup for authentication we would recommend configuring Sophos
Firewall as an explicit proxy in the browser using the internal hostname of the firewall that is in the
domain. The default proxy port is 3128, but this can be changed in PROTECT > Web > General
settings.



Web Authentication

• Enable AD SSO on the Device Access page
• The browser can now respond with Kerberos or NTLM

To use Active Directory SSO (NTLM and Kerberos) it must be enabled per-zone on the Device
Access page. With this option enabled, if you have an authentication server configured, AD SSO will
be tried before the captive portal is displayed.

The Web authentication tab combines the AD SSO configuration with the captive portal behaviour
and appearance settings. The page is laid out to follow the authentication flow:
• Try to authenticate the user using NTLM and/or Kerberos.
• If authentication fails, display the captive portal with this configuration.



Web Authentication

Will try NTLM and Kerberos as per the web authentication configuration and fall back to the captive portal

In the firewall rules, the option to ‘Use web authentication for unknown users’ will try to
authenticate the user using NTLM or Kerberos based on the configuration you have selected, and
then fall back to using the captive portal.



Captive Portal

• Captive portal appearance
• Port 8090 is used for the captive portal

The Captive portal is a browser interface that requires users behind the firewall to authenticate
when attempting to access a website. After authenticating, the user proceeds to the address or the
firewall redirects the user to a specified URL. This shows the default appearance of the Captive
portal, using port 8090.

With the current configuration, once the user has logged in, another browser tab will open. Closing
the page showing the successful login will cause the user to be signed out.



Captive Portal Behavior

The behavior of captive portal can be customized. For example, changing when a user is signed
out.

While there is an option to never sign out a user who logged in through the captive portal, this is
not recommended.



Captive Portal Appearance

As shown, it is also possible to customize the appearance and contents of the captive portal. For
example, you can change the logo and custom button text.

The new appearance can be previewed before the changes are applied.



Per Connection Authentication
(Slide shows adding multi-user servers)

Sophos Firewall can authenticate multiple different users coming from the same source IP address
when their proxy settings are configured to use the Sophos Firewall as an explicit proxy. This is
ideal for terminal servers, Windows remote desktop, or direct access systems.

To use the multi-host client, you need to:

• Add an Active Directory authentication server
• Enable AD SSO (NTLM and Kerberos web authentication) for the zone where the multi-user
server is located
• Create a firewall rule to match and allow the traffic from the multi-user server
• Add your multi-user servers in Authentication > Web authentication



Authentication Demo

In this demo you will see how to configure per connection authentication for multiuser servers.

[Additional Information]

Demo video: https://techvids.sophos.com/watch/nPQbf634vyUSqHYCd8SDS7



Sophos Transparent Authentication Suite (STAS)
• Uses an agent installed onto domain controllers
• Requires one STAS installation serving each domain controller
• Provides SSO without a client on the endpoints
• Supports IPv4 only

(Diagram)
1. Lucy Fox logs into the domain from a computer with the IP address 10.1.1.1
2. The domain controller writes the login details to the event log with ID 4768
3. STAS notifies the Sophos Firewall of the login on port 6060
4. Sophos Firewall logs in Lucy Fox and maps traffic from 10.1.1.1 to the user

The Sophos Transparent Authentication Suite, or STAS, provides transparent SSO authentication for
users without requiring a client on the endpoint. It employs an agent on the Microsoft Active
Directory domain controller or a member server that monitors and stores authentication activity
and sends authentication information to Sophos Firewall. There must be an STAS installation
serving all domain controllers to ensure that all logon events can be monitored. It is important to
note that the STAS software only works with Microsoft Active Directory, and only works with IPv4.

Please note that the SSO Client cannot be used when STAS is enabled on the Sophos Firewall.

Let’s have a look at how STAS works.

The user Lucy Fox logs into the domain on a computer that has the IP address 10.1.1.1.

The domain controller writes the login details to the security event log with ID 4768. This includes
the IP address of the computer and the name of the user that logged in.

STAS monitors the event logs for login events and records the details of each one it detects.
Because STAS relies on the event logs, you need to ensure that successful logon events are being
audited in the Local Security Policy.

STAS notifies Sophos Firewall of the login and supplies the details recorded from the event log, this
is done on port 6060.

Sophos Firewall updates the live users, mapping the traffic from 10.1.1.1 to the user Lucy Fox.



Installing the STAS Software
(Additional information in the notes)

• Download from the WebAdmin: CONFIGURE > Authentication > Client downloads
• One installation per domain controller
• Either on the domain controller or on a member server

(Screenshots: Select Components; Provide a user for the service)

To get started with STAS, download the software from the WebAdmin at CONFIGURE >
Authentication > Client downloads and install it on all Active Directory domain controllers, or a
member server for each domain controller.

During the installation you can choose to install just the Collector or Agent component of STAS or
both. There may be benefits to installing individual components in larger and more complex
environments.

STAS also needs to be configured with a user that will be used to run the service. The user must
have the right to logon as a service and must be able to monitor the Security event log.

[Additional Information]

The service account should be added to the Backup Operators and Event Log Readers Groups in
AD, and the local Administrators groups on endpoints (this can be done via a group policy and is
required for WMI logoff detection to work). The account should also be granted ‘Logon as a
service’ permission on the domain controller, and full NTFS permission on the STAS folder.



Configure the STAS Software
(Screenshot: the domain controller address field is required if STAS is installed on a member server)

Once installed, the STAS software needs to be configured.

On the ‘General’ tab, configure the domain that STAS will be monitoring login events for.

On the ‘STA Agent’ tab, configure the networks for which logon events will be monitored. Here you
can see we are monitoring logon events for the 172.16.16.0/24 network. If a user logs in from
another network, 10.1.1.0/24 for example, this login will not be forwarded to the Sophos Firewall.

If STAS is being installed on a member server instead of a domain controller you need to specify
the IP address of the domain controller here.
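To make the STAS flow above concrete (the 4768 event carrying the user and client address, the STA Agent forwarding only logons from its monitored networks, and the firewall's live-user table), here is an added example; it is not Sophos code and does not reproduce the real STAS protocol. The log line format, the SOPHOSTRAINING.XYZ realm and the decision to skip computer accounts are assumptions of this example.

```python
"""Model of the STAS logon flow: 4768 events -> STA Agent filter -> firewall live users.

Added example, not Sophos code. The log line format below is a constructed, simplified
rendering of the fields a 4768 event carries; skipping computer accounts ("$" suffix)
is an assumption of this example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample security-log lines (one event per line). Windows writes the client
# address of a 4768 event in IPv4-mapped IPv6 form, e.g. ::ffff:172.16.16.25.
# Result 0x0 is success; 0x18 is KDC_ERR_PREAUTH_FAILED (bad password).
SAMPLE_EVENTS = """\
EventID=4768 Account=lucy.fox Realm=SOPHOSTRAINING.XYZ ClientAddress=::ffff:172.16.16.25 Result=0x0
EventID=4768 Account=bob.smith Realm=SOPHOSTRAINING.XYZ ClientAddress=::ffff:10.1.1.1 Result=0x0
EventID=4768 Account=eve.adams Realm=SOPHOSTRAINING.XYZ ClientAddress=::ffff:172.16.16.40 Result=0x18
EventID=4768 Account=SRV01$ Realm=SOPHOSTRAINING.XYZ ClientAddress=::ffff:172.16.16.5 Result=0x0
EventID=4624 Account=lucy.fox Realm=SOPHOSTRAINING.XYZ ClientAddress=::ffff:172.16.16.25 Result=0x0
EventID=4768 Account=lucy.fox Realm=SOPHOSTRAINING.XYZ ClientAddress=::ffff:172.16.16.30 Result=0x0
"""

_EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+) Account=(?P<user>\S+) Realm=(?P<realm>\S+) "
    r"ClientAddress=(?P<addr>\S+) Result=(?P<result>0x[0-9a-fA-F]+)$"
)


@dataclass(frozen=True)
class LogonEvent:
    user: str
    realm: str
    ip: ipaddress.IPv4Address
    success: bool


def parse_event(line: str) -> Optional[LogonEvent]:
    """Return a LogonEvent for a 4768 line with an IPv4 client, else None."""
    match = _EVENT_RE.match(line.strip())
    if not match or match.group("id") != "4768":
        return None
    addr = ipaddress.ip_address(match.group("addr"))
    if isinstance(addr, ipaddress.IPv6Address):
        addr = addr.ipv4_mapped  # None for a native IPv6 client: STAS is IPv4 only
    if addr is None:
        return None
    return LogonEvent(match.group("user"), match.group("realm"), addr,
                      int(match.group("result"), 16) == 0)


class StaAgent:
    """Agent side: forward successful user logons from the monitored networks only."""

    def __init__(self, monitored_networks: List[str]) -> None:
        self.networks = [ipaddress.ip_network(n) for n in monitored_networks]

    def should_forward(self, event: LogonEvent) -> bool:
        if not event.success or event.user.endswith("$"):
            return False
        return any(event.ip in net for net in self.networks)


class LiveUsers:
    """Firewall side: the live-user table mapping a client IP to a user."""

    def __init__(self) -> None:
        self.by_ip: Dict[ipaddress.IPv4Address, str] = {}

    def login(self, event: LogonEvent) -> None:
        # A later logon from the same IP replaces the earlier mapping.
        self.by_ip[event.ip] = f"{event.user}@{event.realm.lower()}"

    def user_for(self, ip: str) -> Optional[str]:
        return self.by_ip.get(ipaddress.ip_address(ip))


def process_log(text: str, monitored_networks: List[str]) -> Tuple[LiveUsers, int]:
    """Run a log through agent and firewall; return the table and the forwarded count."""
    agent, firewall, forwarded = StaAgent(monitored_networks), LiveUsers(), 0
    for line in text.splitlines():
        event = parse_event(line)
        if event is not None and agent.should_forward(event):
            firewall.login(event)
            forwarded += 1
    return firewall, forwarded


if __name__ == "__main__":
    table, count = process_log(SAMPLE_EVENTS, ["172.16.16.0/24"])
    print(f"{count} logons forwarded; live users: {table.by_ip}")
```

With 172.16.16.0/24 monitored, the logon from 10.1.1.1 is never forwarded, exactly as the STA Agent network setting above describes, and the failed and machine-account events never reach the firewall.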



Configure the STAS Software

• The IP address(es) of the Sophos Firewall(s) to send the login information to
• Polling for the currently logged on user can be done using WMI or registry read access
• Optionally detect a user's logoff via polling or PING

The IP address of the Sophos Firewall needs to be added to the ‘Sophos Appliances’ section of
STAS.

Workstation polling can be configured to use either WMI (this is the default option) or registry read
access. This is used to determine the currently logged on user when a computer is not found in the
live users table.

STAS can also be configured to detect when users log off. This can be done using the same method
as workstation polling (the default option) or PING.



Configure STAS on Sophos Firewall
STAS is configured in: CONFIGURE > Authentication > STAS

Once the STAS software is installed and configured, STAS needs to be enabled on the Sophos
Firewall, which is done in CONFIGURE > Authentication > STAS.

You can configure how long Sophos Firewall will try to probe for the identity, and whether access
should be limited while it tries to confirm the user’s identity.

You can also optionally enable and configure user inactivity handling, by setting the inactivity timer
and data transfer threshold.



Configure STAS on Sophos Firewall

For every server you installed STAS on, you must add the IP address as a collector on the Sophos
Firewall.

If you are installing the full STA suite for each domain controller, you should put each collector in its
own group. Using collector groups is beyond the scope of this chapter.



Simulation: Configure Single Sign-On Using STAS on Sophos Firewall

In this simulation you will configure single sign-on using the Sophos Transparent Authentication
Suite (STAS) on Sophos Firewall. You will then test your configuration.

[Additional Information]

Simulation: https://training.sophos.com/fw/simulation/STAS/1/start.html



Authentication Agent

1. The agent and certificate need to be installed
2. The user sets their credentials
3. The agent authenticates the user

Another method for authenticating with the Sophos Firewall is to use an agent on each endpoint.

You can download agents for Windows, Mac and Linux, and then need to install the agent and
certificate on the computer.

The user sets the credentials for authentication, and then the agent will authenticate with the
Sophos Firewall. The agent also shares the MAC address telemetry with the Sophos Firewall, which
allows MAC address restrictions to be used.



Chromebook Single Sign-On (SSO)

1. Deploy Extension: the Chrome extension needs to be pushed to devices from Google G Suite
2. Active Directory Server: Sophos Firewall needs to be configured with an Active Directory server that is synchronized with G Suite, and Chromebook SSO enabled
3. Chromebook Authentication: the Chromebook extension shares the user ID with Sophos Firewall

(Diagram: Sophos Firewall, Google G Suite, Active Directory Server, Chromebook Devices)

Chromebooks are increasingly popular in education and some corporate environments, but they
create a unique set of challenges for user identification with network firewalls.

Sophos Firewall provides a Chromebook extension that shares Chromebook user IDs with the
firewall to enable full user-based policy enforcement and reporting. Prerequisites include an
on-premises Active Directory server synced to Google G Suite. The Chrome extension is pushed from
the G Suite admin console, providing easy and seamless deployment that is transparent to users.



Chromebook Single Sign-On (SSO)
Chromebook SSO is configured in: CONFIGURE > Authentication > Services

• The domain name as registered with G Suite
• The port number Chromebooks connect to from the LAN or Wi-Fi
• The certificate used for communication with the Chromebooks. The certificate CN must match the zone/network where the Chromebook users are, for example: xg.sophostraining.xyz.

Chromebook SSO must be enabled in CONFIGURE > Authentication > Services. To do this it is
necessary to provide your domain that is registered with G Suite, and the certificate used to
communicate with the Chromebooks. The common name must match the network where the
Chromebook users are.

A couple of things to remember:

• You will need to enable the Chromebook SSO service in device access for the zones where the
devices are located.
• You will also need to create a firewall rule that allows the Chromebooks to access the Google
API and Chrome Web Store.



G Suite Configuration
(Additional information in the notes)

1. Navigate to App Management
2. Search for and open Sophos Chromebook User ID
3. Upload the configuration (sample in the notes)

Only required where the Sophos Firewall uses a self-signed certificate:
4. Navigate to Device Management > Networks
5. Upload the CA certificate from the Sophos Firewall (select Use this certificate as an HTTPS certificate authority)

To configure the Chromebook app in G Suite, you need to navigate to App Management, and then
search for and open the Sophos Chromebook User ID app.

Here you will need to upload the configuration as a JSON file that includes server address, port and
log settings.

If the Sophos Firewall is using a self-signed certificate, you will also need to upload the CA
certificate in Device Management > Networks, selecting the option, Use this certificate as an
HTTPS certificate authority.

[Additional Information]

Example JSON configuration for G Suite

Note: the uppercase Value is important, otherwise it won't work.

{
  "serverAddress": {
    "Value": "10.8.19.132"
  },
  "serverPort": {
    "Value": 65123
  },
  "logLevel": {
    "Value": 2
  },
  "logoutOnLockscreen": {
    "Value": true
  },
  "logoutOnIdle": {
    "Value": true
  },
  "idleInterval": {
    "Value": 900
  }
}
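Because a lowercase "value" key silently breaks the extension, it is worth checking the policy JSON before uploading it to G Suite. The validator below is an added example, not Sophos code; it takes the expected keys and their types from the sample above, and treating any other key as unknown is an assumption of this example.

```python
"""Check a Sophos Chromebook User ID extension policy JSON before uploading it to G Suite.

Added example, not Sophos code. Each setting must be an object wrapping a single
uppercase "Value" key, as in the sample on this page. The expected key set and types
come from that sample; rejecting other keys is an assumption of this example.
"""
import json
from typing import Dict, List

# Expected settings and the JSON type of each "Value" (from the sample on this page).
EXPECTED_SETTINGS: Dict[str, type] = {
    "serverAddress": str,
    "serverPort": int,
    "logLevel": int,
    "logoutOnLockscreen": bool,
    "logoutOnIdle": bool,
    "idleInterval": int,
}


def _check_setting(name: str, setting: object) -> List[str]:
    """Validate one setting object; return a list of problems (empty if fine)."""
    want = EXPECTED_SETTINGS[name]
    if not isinstance(setting, dict):
        return [f'{name}: must be an object wrapping "Value", got {type(setting).__name__}']
    if "Value" not in setting:
        # The pitfall the page warns about: the key must be spelled "Value", uppercase V.
        misspelt = [k for k in setting if k.lower() == "value"]
        if misspelt:
            return [f'{name}: key "{misspelt[0]}" must be spelled "Value" (uppercase V)']
        return [f'{name}: missing "Value"']
    value = setting["Value"]
    # bool is a subclass of int in Python, so reject true/false where a number is expected.
    if not isinstance(value, want) or (want is int and isinstance(value, bool)):
        return [f"{name}: Value must be {want.__name__}, got {type(value).__name__}"]
    problems: List[str] = []
    if name == "serverPort" and not 1 <= value <= 65535:
        problems.append(f"serverPort: {value} is not a valid TCP port")
    if name == "idleInterval" and value <= 0:
        problems.append("idleInterval: must be a positive number of seconds")
    return problems


def validate_config(text: str) -> List[str]:
    """Parse the policy JSON and return every problem found; an empty list means OK."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]
    problems = [f"missing setting {name!r}" for name in EXPECTED_SETTINGS if name not in cfg]
    for name, setting in cfg.items():
        if name not in EXPECTED_SETTINGS:
            problems.append(f"unknown setting {name!r}")
        else:
            problems.extend(_check_setting(name, setting))
    return problems


# Constructed sample inputs: GOOD_CONFIG mirrors the page's sample; BAD_CONFIG has the
# lowercase "value" mistake, a string where a number is expected and a missing setting.
GOOD_CONFIG = """{
  "serverAddress": {"Value": "10.8.19.132"},
  "serverPort": {"Value": 65123},
  "logLevel": {"Value": 2},
  "logoutOnLockscreen": {"Value": true},
  "logoutOnIdle": {"Value": true},
  "idleInterval": {"Value": 900}
}"""

BAD_CONFIG = """{
  "serverAddress": {"Value": "10.8.19.132"},
  "serverPort": {"value": 65123},
  "logLevel": {"Value": "2"},
  "logoutOnLockscreen": {"Value": true},
  "idleInterval": {"Value": 900}
}"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, validate_config(cfg) or "OK")
```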


Simulation: Configuring User Policies

In this simulation you will configure firewall rules to match based on user identity on Sophos
Firewall.

[Additional Information]

Simulation: https://training.sophos.com/fw/simulation/UserPolicies/1/start.html



Chapter Review

• Sophos Firewall has three types of user. Clientless users are identified by their IP address. Guest users are given temporary network access. Standard users authenticate locally or using an external server such as Active Directory.
• Synchronized User Identity provides transparent user authentication by sharing the user’s identity through the Security Heartbeat connection.
• Authentication agents for Windows, Mac and Linux can be installed locally on the computer. The Sophos Transparent Authentication Suite provides transparent SSO using an agent on the Microsoft Active Directory domain controller.

Here are the three main things you learned in this chapter.

Sophos Firewall has three types of user. Clientless users are identified by their IP address. Guest
users are given temporary network access. And standard users provide a username and password
to authenticate locally or using an external server such as Active Directory.

Synchronized User Identity provides transparent user authentication by sharing the user’s identity
through the Security Heartbeat connection. This is enabled by default for all Windows endpoints
that establish a Security Heartbeat with the firewall.

Authentication agents for Windows, Mac and Linux can be installed locally on the computer. The
Sophos Transparent Authentication Suite provides transparent SSO authentication for users
without requiring a client on the endpoint. It employs an agent on the Microsoft Active Directory
domain controller.
