Help setting up Proxy (should be a simple thing)

We have a new Proxy Server (Sophos) I am trying to set it up to link with Active Directory to pull the groups etc through

When I go to Active Directory settings there are 3 boxes for 'Active directory domain', 'username' and 'password'

I enter details for a domain admin account, and even the main administrator account, and I get this reply...

"
No NETLOGON share found
The appliance could not could not detect a NETLOGON share on your Active Directory Domain Controller. Check the Active Directory Domain Controller, update the required fields on the System: Active Directory page, and click Verify Settings again.
"

I can browse to our NetLogon folder as usual on the network.

Does anyone know what the problem might be?

Below is some info from the Sophos Help files
------------------------------------------------------------------------

Configuring Active Directory Access


Note: Not all features documented are available in every operating mode. For more information on what features are available in stand-alone and grouped environments, see Operating Mode Differences. On this page on a joined Web Appliance, the LDAP access and exemption options are not available as this functionality has been shifted to the Management Appliance. Also, some of the functionality changes on a joined Web Appliance, as is documented below.

--------------------------------------------------------------------------------

Important: Firewall Configuration: If you have a firewall between the appliance and your Active Directory server, you need to ensure that ports 88 and 389 are open for both TCP and UDP, and that ports 445 (raw SMB) and 139 (NetBIOS over TCP/IP) are open for TCP on that firewall in order to perform Active Directory authentication.
Recommendations for an Active Directory Forest: Sophos supports the integration of an Active Directory forest with the appliance only if the following conditions apply:
• Integrate with only a single Active Directory forest containing a single Active Directory tree.
• The Active Directory server to which you configure access must be the root domain controller of the Active Directory forest.
• The root domain of your Active Directory forest must have an explicit trust relationship with all subdomains within the forest. If this condition does not exist, users will be able to authenticate, but the appliance will not be able to synchronize Active Directory groups membership information, which will result in all affected users having only the default Web Appliance policy applied to them.
• The Active Directory administrator account that you use to access the Active Directory forest must have valid credentials on all subdomains for authenticating users and accessing LDAP information.
• In addition to the firewall configuration described above, you must ensure that port 3268 is open for both TCP and UDP between your appliance and your Active Directory server, that use of the global catalog is properly configured on your Active Directory server, and that TCP access from the appliance to your Active Directory server and bi-directional UDP traffic between the two is allowed. Also, port 389 must be open between the appliance and all domain controllers within the Active Directory forest.
Note: If you have an Active Directory forest, ensure that the domain controllers have the global catalog enabled, including on any backup domain controllers. If you do not, problems may occur when the appliance attempts to sync: your users may complain about authentication pop-ups that repeatedly fail, and the subdomain groups may disappear from the Configuration > Group Policy > Default Groups page. Although this situation may resolve itself automatically in certain circumstances, it will likely recur, so enabling the global catalog on all domain controllers, including those configured as backup domain controllers on your Active Directory server, is the only complete solution for this problem.
1. Beside User authentication via Active Directory, near the top of the page, click On.
The three Active Directory Settings text boxes in the left column are enabled.

Important: Your appliance cannot have the same hostname as any of the Active Directory servers, the root domain, nor any trusted subdomains.

--------------------------------------------------------------------------------
Note: On a joined Web Appliance, the On/Off button is not functional. It only shows the status as set on the Management Appliance. The Off option is always set if your Web Appliance is configured to operate in a bridged or transparent network deployment.

--------------------------------------------------------------------------------

2. Optionally, on a joined Web Appliance, you can change some of the Active Directory settings to access a different domain controller by selecting the Configure Active Directory settings locally check box.
--------------------------------------------------------------------------------
Note: This option is only available on a joined Web Appliance. This option is typically used to access a local Active Directory Domain Controller in a branch location instead of the main Domain Controller in the central office. The settings, if you select this option, are documented in the next two steps. Active Directory access from a joined Web Appliance is for authentication purposes only, LDAP synchronization is only from the Management Appliance.

--------------------------------------------------------------------------------

3. Fill in the Active Directory Settings information required to access the server:
◦ Active Directory domain: Enter the domain name of your organization's Active Directory server.
◦ Username: Enter the username to access the Active Directory server.
Important: To join the appliance to an Active Directory domain, you must use a pre-existing account on the Active Directory server with permissions to join a computer to the Active Directory domain and to authenticate users. Also, if you intend to access the global catalog of an Active Directory forest with a single Active Directory tree, the user account must have permissions to authenticate users in multiple subdomains. Be sure to use an Active Directory account with only the privileges that are required.
◦ Password: Enter that user's password.

--------------------------------------------------------------------------------
Note: On a joined Web Appliance with the Configure Active Directory settings locally check box selected, only the Username and Password text boxes are functional, allowing you to set a different Active Directory account for accessing Active Directory authentication. LDAP user data is not synchronized on a joined Web Appliance; this data is synchronized on the Management Appliance only and downloaded to the joined Web Appliances.

--------------------------------------------------------------------------------

4. Fill in the Active Directory settings by doing one of the following:
◦ Ensure that the Auto-detect advanced settings check box is selected.
◦ Ensure that the Auto-detect advanced settings check box is not selected and fill in the remaining text boxes. The six additional text boxes are:
■ Active Directory Domain Controller: The fully qualified domain name (FQDN) of the desired Active Directory Domain Controller.
■ Active Directory Kerberos server: The FQDN of the desired Kerberos server. If uncertain, use the same hostname as the Domain Controller. Should be a fully qualified domain name.
■ Active Directory LDAP server: The FQDN of the desired LDAP server, with the port number. If uncertain, use the same hostname as the Domain Controller, with the port number. The port number for a single Active Directory server is usually 389; for an Active Directory server designated as a global catalog server, it is 3268.
If you enter an incorrect FQDN, the appliance will attempt to auto-detect the FQDN.

Note: If you cannot successfully connect to your Active Directory forest, disable Auto-detect advanced settings and manually change the port number for the Active Directory LDAP server to 389 to force the appliance to access the AD server as a single domain.
■ LDAP authentication DN (optional): The LDAP "Distinguished Name" that corresponds to the Username text box. If left blank, the appliance will attempt to discover the correct DN. If you are uncertain, leave this blank.
■ LDAP base DN (optional): The LDAP "folder" under which users can be found. Defaults to the whole domain. If you are uncertain, leave this blank.
■ LDAP account attribute (optional): The LDAP object attribute that contains the "login name" of a user. Defaults to 'sAMAccountName', which is the only correct value for Active Directory LDAP servers. If you are uncertain, leave this blank.

--------------------------------------------------------------------------------
Note: On a joined Web Appliance with the Configure Active Directory settings locally check box selected and the Auto-detect advanced settings check box cleared, only the Active Directory Domain Controller and Active Directory Kerberos server text boxes are functional, allowing you to select a different Active Directory server. The server that you select must not be a child domain of the Active Directory domain, although it can be a secondary Domain Controller.

--------------------------------------------------------------------------------

5. Click Verify Settings.
If you chose the Auto-detect advanced settings option, the remaining fields of the Active Directory settings are automatically filled. The appliance will first look for an Active Directory global catalog at port 3268, if it can't find that, it defaults to a single-domain Active Directory configuration using port 389.

Whether or not you used the Auto-detect advanced settings option, the Detect Settings dialog box is displayed, showing the results of the connection attempt. Successful operations are indicated with a green check mark icon, failed operations are indicated with a red "x" icon. The Detecting subdomains step can also show an orange exclamation mark, which indicates that one or more trusted (child) domains could not be synchronized. To the right of the Detecting subdomains verification item is a Show details button, which you can click to view the results of attempts to connect to the subdomains of your Active Directory forest. The subdomains are listed in one of two groupings: Authentication Successful or Authentication Failed.

If there are failed operations in the Detect Settings process, a trouble-shooting message will appear below the list of verification checks. This message links to explanatory text that will assist you in correcting the problem. If you encounter failed operations, read the trouble-shooting message, then Close the Detect Settings dialog box, correct the Active Directory Settings in the left column, and click Verify Settings again.

When all of the Verify Settings operations are successful, all of the required Active Directory text boxes are filled.

Important: If the verification of a connection to an Active Directory subdomain fails because that server is down at the time that you run the verification, bringing the server back up will not enable Active Directory synchronization with the appliance. You must have a successful Verify Settings operation for any connection to a subdomain server to enable communications between it and the appliance.

--------------------------------------------------------------------------------
Note: On a joined Web Appliance, the Detecting subdomains and Testing LDAP checks are disabled, as these are not relevant.

--------------------------------------------------------------------------------

6. Click Apply.
7. Optionally, click Synchronize Now to have the appliance immediately synchronize user and group information with the configured Active Directory server. This can only be done after steps 4 and 5 have been completed successfully.
--------------------------------------------------------------------------------
Note: This option is not available on a joined Web Appliance. Active Directory access from a joined Web Appliance is for authentication purposes only, LDAP synchronization is only from the Management Appliance.

--------------------------------------------------------------------------------

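The help file above boils down to a short list of prerequisites: the DC's FQDN must resolve, and ports 88, 389, 445 (SMB, which carries the NETLOGON share) and 139 must be reachable, plus 3268 when a forest's global catalog is used. The following script is an added example, not Sophos code, that runs those checks from any host on the appliance's network before you click Verify Settings again; the DC name is a constructed placeholder and the resolver/probe are injectable so the logic can be exercised offline.

```python
"""Pre-flight checks for the appliance-to-Active Directory link (added example)."""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# TCP ports from the help file's "Firewall Configuration" note. UDP 88/389 are
# also required, but a plain connect() probe cannot confirm UDP reachability.
REQUIRED_TCP: Dict[int, str] = {
    88: "Kerberos",
    389: "LDAP, single domain",
    445: "SMB, carries the NETLOGON share",
    139: "NetBIOS over TCP/IP",
}
FOREST_TCP: Dict[int, str] = {3268: "LDAP global catalog"}


def parse_server_setting(value: str) -> Tuple[str, Optional[int]]:
    """Split an auto-detected 'host.:port' value; the trailing dot marks the DNS root."""
    host, sep, port = value.rpartition(":")
    if not sep:
        return value.rstrip("."), None
    return host.rstrip("."), int(port)


def tcp_open(host: str, port: int) -> bool:
    """Real probe: can we complete a TCP handshake to host:port within 2 s?"""
    try:
        with socket.create_connection((host, port), timeout=2):
            return True
    except OSError:
        return False


def preflight(dc_fqdn: str, forest: bool = False,
              resolve: Callable[[str], str] = socket.gethostbyname,
              probe: Callable[[str, int], bool] = tcp_open) -> List[str]:
    """Return findings in the order the appliance would hit them; [] means all prerequisites hold."""
    findings: List[str] = []
    try:
        resolve(dc_fqdn)
    except OSError:
        return [f"DNS: {dc_fqdn} does not resolve; fix DNS before anything else"]
    ports = {**REQUIRED_TCP, **FOREST_TCP} if forest else REQUIRED_TCP
    for port, role in ports.items():
        if not probe(dc_fqdn, port):
            findings.append(f"{port}/tcp closed to {dc_fqdn} ({role})")
    if any(f.startswith("445/tcp") for f in findings):
        findings.append("SMB blocked: this is consistent with 'No NETLOGON share found'")
    return findings


if __name__ == "__main__":
    # Constructed placeholder for the value the appliance auto-detects as its LDAP server.
    host, port = parse_server_setting("pandc1.internal.example.co.uk.:3268")
    for line in preflight(host, forest=(port == 3268)) or ["all prerequisites OK"]:
        print(line)
```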
 
Is DNS working correctly? Can you ping your.domain.local from the Sophos machine? How do you specify your DC in the setup?
 

Specified the DC by IP address. It finds the following settings in advanced settings, so it must be talking to it (the DC):


Active Directory Domain Controller
pandc1.internal.(companyname).co.uk.

Active Directory Kerberos server
pandc1.internal.(companyname).co.uk.:88

Active Directory LDAP server
pandc1.internal.(companyname).co.uk.:3268

LDAP authentication DN (optional)
CN=temp temp,OU=Domain Admins,DC=internal,DC=(companyname),DC=co,DC=uk

Edit: is this an error generic to Sophos? I searched for "No NETLOGON share found" on Google and it found 1 page:

http://ca-repo1.sophos.com/docs/ws1000/ws1000/references/wsa-10006.html
 
Stupid question, but can you from the Sophos machine do "Start", "Run" and in the box next to "Open:" do \\yourdc\netlogon. Does it connect?
 
Not sure, looking at pics of what WS1000 is, that is it. A rack mount preconfigured box.

I have now connected it and found all the groups. Our old DCs were 10.100 and 10.101. Our new DC is 10.107, the proxy is 10.100. 107 and 101 still sync. I put in the name of 10.101 and it works and finds groups.

The problem now is the exceptions...

I have the default policy that everyone gets; there is a group defaults tab that says it applies the policy to all users/groups except ones selected. I select our Exceptions group. There is then a special hours policy (12 - 2pm) which has a lot of categories open.

There is also an additional policies group that has exceptions in; this has almost all groups for managers, CEO etc. and is set to work all the time.

The only problem now is that it's not picking up the exceptions group. I opened adult/porn on exceptions and tested with someone added to the exceptions group and it still says blocked...

Thanks for help all
 
All working now. Great proxy server, reasonably easy to set up and working fast. 10x faster than the one we had before.

I'll continue testing over next week
 