
Sophos XG - LDAP integration

This documentation is designed for IT administrators within a security context. The goal is to configure Multi-Factor Authentication (MFA) using the inWebo LDAP Proxy integration for Sophos XG hardware. This ensures enhanced security for your organization’s network access.

Prerequisites

  • Sophos XG hardware

  • inWebo LDAP Proxy

  • Service account authorized to query the LDAP server

  • inWebo account

Note: The following configuration and screenshots are based on Sophos XG.
Hardware version: XG 135
Software version: SFOS 19.5.3 MR-3-Build652.

1. Install inWebo LDAP Proxy

To install inWebo LDAP Proxy, visit inWebo LDAP Proxy v1.6 and follow the installation steps provided.

2. Configure LDAP Authentication Server

  1. Navigate to the Authentication Server Configuration:

    1. Go to Configure > Authentication > Servers tab.

    2. Click on + Add.

  2. Fill in the parameters:

    • Server type: LDAP server

    • Server name: Connection Name

    • Server IP/Domain: IP of your inWebo LDAP Proxy Server

    • Version: LDAP Version (2 or 3)

    • Connection Security: Plaintext, SSL/TLS, or STARTTLS

    • Port: LDAP proxy port

    • Bind DN: Service account authorized to query the LDAP server (without MFA)
      Note: The “Bind DN” must not contain the path present in the “Base DN”.

    • Password: Password associated with the service account

    • Base DN: Entry point in your domain for performing user and group lookups

    • Authentication attribute: sAMAccountName

    • Display name attribute: DisplayName

    • Email address attribute: gidNumber

    • Expiry date attribute: Date

  3. Click on Save.

  4. Click on Test connection.
    If the test is successful, a pop-up window will appear.

3. Configure Authentication Services in Sophos XG

  1. Navigate to the Services tab:

    1. Go to Configure > Authentication > Services tab.

  2. Configure each Sophos XG functionality:
    For each Sophos XG functionality (e.g., Firewall portal, VPN, Proxy), select the authentication server from the list on the left.
    Organize the authentication methods in the section on the right. Note that the order affects the priority.

    • Firewall

    • User Portal

    • VPN SSL

4. Activate User Portal

Make sure the User Portal is activated.

5. Test inWebo LDAP Proxy Authentication

Test with the User Portal

  1. Login to the End-User Portal:

    1. Enter an LDAP user account that is also registered with inWebo.

    2. Enter the associated password.

    3. Click on Login.

  2. Authorize Connection from your Enrolled Token:

    1. Click on Authorize connection from your enrolled MFA token.

    2. Enter your PIN Code.

    3. Click on Accept to authenticate.

Test with the SOPHOS SSL VPN Client

  1. Connect to the SSL VPN:

    • Use an inWebo user account.

    • Enter the password associated with this account.

    • Click on OK.

  2. Authorize Connection from Your Enrolled Mobile Phone:

    1. Click on Push notification received on your enrolled mobile phone.

    2. Enter your PIN Code.

    3. Click on Accept to authenticate.

After successful authentication, a Windows pop-up informs you that you are connected to the Sophos VPN.

Example Configuration

Active Directory

  • A whitelist group for the account ldap-user.

  • A group for the accounts requiring MFA.

  • AD tree view

Ldap Proxy

  • Configuration properties for ldapproxy.

    • Ldap Proxy section

    • InWebo Section

      • A group for users requiring MFA (LdapProxy).

      • A group for whitelist users (ldap-Whitelist).


TrustBuilder – inWebo Configuration:

Make sure that TrustBuilder is correctly configured for synchronization with the LDAP proxy.

For more detailed information, please refer to the TrustBuilder MFA General Overview.
