FW3515 21.0v1 Getting Started With Sophos Firewall Authentication

The document provides an overview of Sophos Firewall Authentication, detailing the types of users and groups that can be configured, as well as the various authentication methods supported. Key methods include Hotspot, Clientless Users, Single Sign-On (SSO), Authentication Agent, and Captive Portal, with a focus on their precedence and application. Additionally, it covers the management of users, groups, and the integration with Active Directory for seamless authentication.


Copyright © 2024 Sophos Ltd

Getting Started with Sophos Firewall Authentication
Sophos Firewall
Version: 21.0v1

[Additional Information]

Sophos Firewall
FW3515: Getting Started with Sophos Firewall Authentication

November 2024
Version: 21.0v1

© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any
form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks
mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their
respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no warranties,
conditions or representations (whether express or implied) as to its completeness or accuracy. This
document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at The
Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Getting Started with Sophos Firewall Authentication 1



Getting Started with Sophos Firewall Authentication


RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Authentication methods that are supported by Sophos Firewall

DURATION 35 minutes

In this chapter you will learn the types of users and groups that can be configured for Sophos Firewall
and the methods that can be used for authentication.


Authentication Methods

Hotspot
Clientless Users
Single Sign-On (SSO)
   PRECEDENCE
   ▪ Synchronized User Identity
   ▪ Sophos Transparent Authentication Suite (STAS)
   ▪ SSO Client
   ▪ VPN
   ▪ RADIUS
   ▪ Web Authentication (NTLM and Kerberos)
Authentication Agent
Captive Portal

Sophos Firewall supports five main methods for authenticating users. These are:
• Hotspot,
• Clientless Users,
• Single Sign-On (SSO),
• Authentication Agent,
• And Captive Portal.

This is the order in which authentication is checked for users. Throughout the rest of this chapter, we will
look at some of the most common forms of authentication in more detail.


Activity
Put the authentication methods in order of precedence

Captive Portal 1

Authentication Agent 2

Hotspot 3

Clientless Users 4

Clientless Single Sign-On 5

Please complete this activity to check your knowledge.


Hotspots

Hotspot type selection

A hotspot is a portal that controls network access to devices connecting to the network. Hotspots are
typically used to provide guest Internet access in public areas. When you add an interface to a hotspot,
all devices connecting through that interface must authenticate through the hotspot.

Hotspots support a full suite of protection features and authentication methods. You can redirect users
to a captive portal or sign-in page where users must accept terms of usage or authenticate themselves
using a generated password or voucher.


Types of User

Clientless Users
▪ Authenticated by IP address
▪ Locally authenticated

Guest Users
▪ Temporary users authenticated with a system generated username and password
▪ Locally authenticated

Users
▪ Authenticate with a username and password
▪ Can be locally or externally authenticated

Sophos Firewall has three types of user.

Clientless users do not authenticate using a username and password, but instead are identified purely by
their IP address. Clientless users are always authenticated locally by the Sophos Firewall.

Guest users are given temporary network access, usually to access the Internet. They authenticate with a
username and password that are generated by the Sophos Firewall and are always authenticated locally.

Standard users authenticate with a username and password. They can be authenticated locally by the
Sophos Firewall or using an external authentication server such as Active Directory.


Creating Clientless Users


Clientless users are managed in: CONFIGURE > Authentication > Clientless users

Typically, you would use clientless users to control network access for servers or devices such as printers
and VoIP phones.

Here you can see an example of two printers being added as clientless users. You give the devices a
name, specify the IP address and select which group they will be a member of. You will then use the
group in the firewall rules to control the network access the devices have.

Clientless users can also be added in bulk by specifying a range of IP addresses and selecting the group
they will be a member of. You can edit the details for each IP address after adding them.


Creating Guest Users


Guest users are managed in: CONFIGURE > Authentication > Guest users

You can create guest users either individually, shown on the left, or in bulk, shown on the right.

There are two main options when creating guest users:


1. How long the credentials will be valid for.
2. And whether the time will start as soon as the user is added or when the user first logs in.

Using the Print option, you can print the credentials for multiple selected users. This is useful if someone
will be providing these to visitors when they ask for access to the guest Wi-Fi, for example.


Creating Guest Users

All guest users are created with the same settings that can be managed in CONFIGURE > Authentication
> Guest user settings.

Here you can set the group that the user will be added to and the password complexity.

Optionally you can also integrate Sophos Firewall with an SMS gateway to allow guest users to register
for their own access details. This can save significant time where there are large volumes of guest users
such as in hotels and airports.


Creating Local Users

Local users are managed in: CONFIGURE > Authentication > Users

(Screenshot callouts: Administration Profiles; Select policies to attach to the user)

Local users can also be added to Sophos Firewall. The user types are:

• User: End users who are connecting to the internet from behind the firewall.
• Administrator: Users who have access to firewall objects and settings as defined in an administration
profile.

Policies can also be assigned, such as for internet access and VPN. Those specified at the user level take
precedence over those specified at the group level.


Synchronized User Identity

Sophos Firewall gets user ID from endpoints that are on an Active Directory domain automatically

(Diagram: Sophos Firewall, Sophos Security Heartbeat, Endpoints, Internet, Active Directory Server)

Synchronized User Identity leverages the presence of Sophos on the Windows endpoints to provide
transparent user authentication with the firewall by sharing the user’s identity through the Security
Heartbeat connection. This makes authentication seamless, without having to deploy additional agents
onto domain controllers.

Synchronized User Identity is enabled by default for all Windows endpoints that establish a Security
Heartbeat with the Sophos Firewall.


Synchronized User Identity

1. Add an Active Directory authentication server on Sophos Firewall
2. Import groups from Active Directory into the Sophos Firewall
3. Enable Active Directory server in Firewall authentication methods
4. Computers with a Security Heartbeat will synchronize the user details

For Synchronized User Identity to work, you will need to have added an Active Directory authentication
server on the Sophos Firewall and imported the groups using the wizard.

The Active Directory authentication server must be enabled as an authentication source for the firewall
in CONFIGURE > Authentication > Services.

With this done, all Windows endpoints with a heartbeat to the Sophos Firewall will be authenticated
transparently.


Disabling Synchronized User Identity


Sophos Firewall
===============
(C) Copyright 2000-2020 Sophos Limited and others. All rights reserved.
Sophos is a registered trademark of Sophos Limited and Sophos Group.
All other product and company names mentioned are trademarks or registered
trademarks of their respective owners.

For End User License Agreement - http://www.sophos.com/en-us/legal/sophos-end-user-license-agreement.aspx

NOTE: If not explicitly approved by Sophos support, any modifications
done through this option will void your support.

XG135_XN02_SFOS 18.0.0# touch /content/no_userid
XG135_XN02_SFOS 18.0.0# service access_server:restart -ds nosync
200 OK
XG135_XN02_SFOS 18.0.0#

Synchronized User Identity works by default if the prerequisites are satisfied; however, if you want to
disable it, this can be done via the console by creating the file /content/no_userid.

Removing this file re-enables Synchronized User Identity; however, you do need to restart the
authentication service for this change to take effect.


Groups
Groups are managed in: CONFIGURE > Authentication > Groups

Now that we’ve looked at the different types of users, we’ll look at groups. There are two types of
groups: normal and clientless, named for their respective user types.

A group is a collection of users with common policies and can be used to assign access to resources. The
user will automatically inherit all the policies added to the group.

Examples of policies that can be applied to groups include:


• Surfing Quota,
• Access Time,
• Network Traffic,
• and Traffic Shaping.
These are configured in SYSTEM > Profiles.

By default, users will inherit their assigned group’s policies. To adjust a group’s assigned policies, select a
policy from the list of available policies while editing or creating a new group. You can also create a new
policy directly from the group page.


Group Import from Active Directory

When using Active Directory as an authentication server, users will be created on Sophos Firewall and
assigned to a group when they first successfully log in. To use Active Directory groups, use the import
wizard, and users will be assigned to their associated Active Directory group.

Please note that Sophos Firewall groups cannot be nested, and if a user is a member of multiple groups,
the first one they match on Sophos Firewall will be their primary group.

Web Authentication

(Flow diagram) An unknown user tries to visit a webpage:
▪ Transparent web filtering: redirect to a URL served by Sophos Firewall and send an HTTP_AUTH challenge so the browser responds with the user credentials
▪ Direct proxy mode: respond with a PROXY_AUTH challenge so the browser responds with the user credentials
▪ In both cases the user is recorded against the IP address for future transactions

If user authentication is only required for web filtering, Sophos Firewall can use a proxy challenge to
authenticate Active Directory users with NTLM or Kerberos.

Let’s start by looking at what happens when an unknown user tries to visit a web page. There are two
scenarios:
1. For transparent web filtering Sophos Firewall will redirect to a URL served by the firewall and send an
HTTP_AUTH challenge so that the browser responds with the credentials.
2. In the case of direct proxy mode, Sophos Firewall can respond with a PROXY_AUTH challenge so that
the browser responds with the user credentials.

In both cases the user is recorded against the IP address for future transactions.

[Additional Information]
Kerberos is more secure and has lower overheads than NTLM:
• NTLM requires an additional response round-trip between Sophos Firewall and the browser
• NTLM requires a lookup between Sophos Firewall and the challenge/domain controller for every
authentication event

To avoid clients seeing a popup for authentication we would recommend configuring Sophos Firewall as
an explicit proxy in the browser using the internal hostname of the firewall that is in the domain. The
default proxy port is 3128, but this can be changed in PROTECT > Web > General settings.


Web Authentication

Browser can now respond with Kerberos or NTLM

Enable AD SSO on the Device Access page

To use Active Directory SSO (NTLM and Kerberos) it must be enabled per-zone on the Device Access
page. With this option enabled, if you have an authentication server configured, AD SSO will be tried
before the captive portal is displayed.

The Web authentication tab combines the AD SSO configuration and the captive portal behaviour and
appearance settings. The page is laid out to follow the authentication flow:
• Try to authenticate the user using NTLM and/or Kerberos.
• If authentication fails, then display the captive portal with this configuration.


Web Authentication

Will try NTLM and Kerberos as per the web authentication configuration and fall back to the captive portal

In the firewall rules, the option to ‘Use web authentication for unknown users’ will try to authenticate
the user using NTLM or Kerberos based on the configuration you have selected, and then fall back to
using the captive portal.


Captive Portal

Captive portal appearance

Port 8090 used for Captive portal

The Captive portal is a browser interface that requires users behind the firewall to authenticate when
attempting to access a website. After authenticating, the user proceeds to the address or the firewall
redirects the user to a specified URL. This shows the default appearance of the Captive portal, using port
8090.

With the current configuration, once the user has logged in, another browser tab will open. Closing the
page showing the successful login will cause the user to be signed out.


Captive Portal Behavior

The behavior of captive portal can be customized. For example, changing when a user is signed out.

While there is an option to never sign-out a user logged in through the captive portal, this is not
recommended.


Captive Portal Appearance

As shown, it is also possible to customize the appearance and contents of the captive portal. For
example, you can change the logo and custom button text.

The new appearance can be previewed before the changes are applied.


Per Connection Authentication

Add multi-user servers

Sophos Firewall can authenticate multiple different users coming from the same source IP address when
their proxy settings are configured to use the Sophos Firewall as an explicit proxy. This is ideal for
terminal servers, Windows remote desktop, or direct access systems.

To use the multi-host client, you need to:


• Add an Active Directory authentication server.
• Enable AD SSO (NTLM and Kerberos web authentication) for the zone where the multi-user server is
located.
• Create a firewall rule that allows traffic from the multi-user server.
• And add your multi-user servers in Authentication > Web authentication.
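The two challenge paths, the per-IP record, the captive portal fallback and the per-connection case for multi-user servers described above, modelled in Python as an added example (not code from the course or from Sophos Firewall): the 401/407 status codes and the Negotiate/NTLM header values are standard HTTP rather than taken from the chapter, and FIREWALL_HOST is a constructed name.

```python
"""Model of the web-authentication flow and per-connection authentication described above.

Added illustration, not Sophos code. Status codes 401/407 and the Negotiate/NTLM header
values are standard HTTP, not taken from the chapter; FIREWALL_HOST is a constructed name.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

FIREWALL_HOST = "firewall.corp.internal"            # constructed hostname
CAPTIVE_PORTAL = f"https://{FIREWALL_HOST}:8090/"   # captive portal port from the chapter
SSO_SCHEMES = ["Negotiate", "NTLM"]                  # Kerberos via Negotiate, then NTLM


@dataclass
class AuthState:
    """What the firewall remembers: the user recorded per IP, and multi-user server IPs."""
    users_by_ip: Dict[str, str] = field(default_factory=dict)
    multi_user_servers: Set[str] = field(default_factory=set)


def sso_challenge(mode: str) -> dict:
    """Challenge sent to an unknown user whose request carried no credentials."""
    if mode == "transparent":
        # Redirect to a URL served by the firewall, which answers with an HTTP_AUTH challenge.
        return {"status": 302, "location": f"https://{FIREWALL_HOST}/auth",
                "then": {"status": 401, "WWW-Authenticate": SSO_SCHEMES}}
    if mode == "direct_proxy":
        # Explicit proxy: the proxy itself issues a PROXY_AUTH challenge.
        return {"status": 407, "Proxy-Authenticate": SSO_SCHEMES}
    raise ValueError(f"unknown mode {mode!r}")


def handle_request(state: AuthState, src_ip: str, mode: str,
                   sso_user: Optional[str] = None, sso_supported: bool = True) -> dict:
    """Decide what the firewall does with one HTTP request from src_ip.

    sso_user is the identity the browser proved in answer to a challenge (None when the
    request carried none). sso_supported=False models a client that cannot answer NTLM or
    Kerberos at all, which is when the captive portal is shown instead.
    """
    per_connection = src_ip in state.multi_user_servers
    # Known IP: reuse the recorded user, except for multi-user servers, where many users
    # share one source IP and every connection must authenticate on its own.
    if not per_connection and src_ip in state.users_by_ip:
        return {"action": "allow", "user": state.users_by_ip[src_ip], "source": "ip-record"}
    if sso_user:
        if not per_connection:
            state.users_by_ip[src_ip] = sso_user   # remembered for future transactions
        return {"action": "allow", "user": sso_user, "source": "sso"}
    if not sso_supported:
        # 'Use web authentication for unknown users': SSO failed, fall back to the portal.
        return {"action": "captive_portal", "redirect": CAPTIVE_PORTAL}
    return {"action": "challenge", **sso_challenge(mode)}
```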


Video Demo: Configuring Per Connection Authentication

In this video demonstration you will see how to configure per connection authentication or multi-user
servers.

Please watch this video demonstration.

Click Launch Demonstration to start. Once you have finished, click Continue.

[Additional Information]
https://techvids.sophos.com/watch/nPQbf634vyUSqHYCd8SDS7


Sophos Transparent Authentication Suite (STAS)

▪ Uses an agent installed onto domain controllers
▪ Requires one STAS installation serving each domain controller
▪ Provides SSO without a client on the endpoints
▪ Supports IPv4 only

(Diagram)
1. Lucy Fox logs into the domain from a computer with the IP address 10.1.1.1
2. The domain controller writes the login details to the event log with ID 4768
3. STAS notifies the Sophos Firewall of the login on port 6060
4. Sophos Firewall logs in Lucy Fox and maps traffic from 10.1.1.1 to the user

The Sophos Transparent Authentication Suite, or STAS, provides transparent SSO authentication for users
without requiring a client on the endpoint. It employs an agent on the Microsoft Active Directory domain
controller or a member server that monitors and stores authentication activity and sends authentication
information to Sophos Firewall. There must be an STAS installation serving all domain controllers to
ensure that all logon events can be monitored. It is important to note that the STAS software only works
with Microsoft Active Directory, and only works with IPv4.

Please note that the SSO Client cannot be used when STAS is enabled on the Sophos Firewall.

Let’s have a look at how STAS works.

The user Lucy Fox logs into the domain on a computer that has the IP address 10.1.1.1.

The domain controller writes the login details to the security event log with ID 4768. This includes the IP
address of the computer and the name of the user that logged in.

STAS monitors the event logs for login events. When a login event is detected, the STAS records the
details. As STAS is monitoring the event logs, you need to ensure that successful logon events are being
audited in the Local Security Policy.

STAS notifies Sophos Firewall of the login and supplies the details recorded from the event log; this is
done on port 6060.

Sophos Firewall updates the live users, mapping the traffic from 10.1.1.1 to the user Lucy Fox.

Installing the STAS Software
▪ Download from the web admin console: CONFIGURE > Authentication > Client downloads
▪ One installation per domain controller
▪ Installed on either a domain controller or a member server

(Screenshots: Select Components; Provide a user for the service)

To get started with STAS, download the software from the web admin console at CONFIGURE >
Authentication > Client downloads and install it on all Active Directory domain controllers, or a member
server for each domain controller.

During the installation you can choose to install just the Collector or Agent component of STAS or both.
There may be benefits to installing individual components in larger and more complex environments.

STAS also needs to be configured with a user that will be used to run the service. The user must have the
right to logon as a service and must be able to monitor the Security event log.

[Additional Information]
The service account should be added to the Backup Operators and Event Log Readers Groups in AD, and
the local Administrators groups on endpoints (this can be done via a group policy and is required for
WMI logoff detection to work). The account should also be granted ‘Logon as a service’ permission on
the domain controller, and full NTFS permission on the STAS folder.


Configure the STAS Software

(Screenshot callout: domain controller IP address, required if installed on a member server)

Once installed, the STAS software needs to be configured.

On the ‘General’ tab, configure the domain that STAS will be monitoring login events for.

On the ‘STA Agent’ tab, configure the networks for which logon events will be monitored. Here you can
see we are monitoring logon events for the 172.16.16.0/24 network. If a user logs in from another
network, 10.1.1.0/24 for example, this login will not be forwarded to the Sophos Firewall.

If STAS is being installed on a member server instead of a domain controller you need to specify the IP
address of the domain controller here.
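The STAS flow described earlier (event ID 4768 on the domain controller, the port 6060 notification, the live users table) together with the STA Agent network filter just described, modelled in Python as an added example that is not STAS or Sophos Firewall code: the sample events are constructed, the TargetUserName and IpAddress field names are those of Windows event 4768, and skipping machine accounts is this example's own choice.

```python
"""Model of the STAS login flow: event log -> STA Agent network filter -> firewall live users.

Added illustration, not Sophos code. Field names follow Windows security event 4768
(TargetUserName / IpAddress); the events below are constructed sample data.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional

# Constructed sample of what the STA Agent reads from the domain controller's Security
# event log. IPv4 client addresses appear in IPv4-mapped form ("::ffff:a.b.c.d").
SAMPLE_EVENTS: List[dict] = [
    {"EventID": 4768, "TargetUserName": "lucy.fox", "IpAddress": "::ffff:10.1.1.1"},
    {"EventID": 4768, "TargetUserName": "bob.ray", "IpAddress": "::ffff:172.16.16.25"},
    {"EventID": 4624, "TargetUserName": "lucy.fox", "IpAddress": "10.1.1.1"},       # not a 4768
    {"EventID": 4768, "TargetUserName": "WS01$", "IpAddress": "::ffff:10.1.1.1"},   # machine account
    {"EventID": 4768, "TargetUserName": "sam.lee", "IpAddress": "::ffff:10.1.1.2"},
    {"EventID": 4768, "TargetUserName": "amy.ng", "IpAddress": "::ffff:10.1.1.2"},  # later login, same PC
    {"EventID": 4768, "TargetUserName": "jo.li", "IpAddress": "fe80::1"},           # IPv6: unsupported
]

STAS_PORT = 6060  # port on which STAS notifies Sophos Firewall (from the chapter)


def client_ipv4(raw: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 client address from a 4768 IpAddress field, or None.

    STAS only works with IPv4, so IPv4-mapped IPv6 ("::ffff:a.b.c.d") is unwrapped and
    any other IPv6 address (or an unparsable value) is dropped.
    """
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address):
        return addr.ipv4_mapped  # None unless the address is ::ffff:a.b.c.d
    return addr


def agent_logins(events: Iterable[dict], monitored: Iterable[str]) -> List[dict]:
    """STA Agent side: keep 4768 events for real users inside the monitored networks.

    Mirrors the 'STA Agent' tab: logins from networks not listed are never forwarded.
    Skipping machine accounts (names ending in '$') is this example's choice, not
    something the chapter states.
    """
    networks = [ipaddress.ip_network(n) for n in monitored]
    forwarded = []
    for ev in events:
        if ev.get("EventID") != 4768:
            continue
        user = ev.get("TargetUserName", "")
        if not user or user.endswith("$"):
            continue
        ip = client_ipv4(ev.get("IpAddress", ""))
        if ip is None or not any(ip in net for net in networks):
            continue
        forwarded.append({"user": user, "ip": str(ip), "port": STAS_PORT})
    return forwarded


def live_users(notifications: Iterable[dict]) -> Dict[str, str]:
    """Firewall side: maintain the live users table; the latest login per IP wins."""
    table: Dict[str, str] = {}
    for n in notifications:
        table[n["ip"]] = n["user"]
    return table


def user_for_traffic(table: Dict[str, str], src_ip: str) -> Optional[str]:
    """Map a packet's source IP to a user; None means the firewall must probe or fall back."""
    return table.get(src_ip)
```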


Configure the STAS Software

(Screenshot callouts)
▪ The IP address(es) of the Sophos Firewall(s) to send the login information to
▪ Polling for the currently logged on user can be done using WMI or registry read access
▪ Optionally detect when users log off via polling or PING

The IP address of the Sophos Firewall needs to be added to the ‘Sophos Appliances’ section of STAS.

Workstation polling can be configured to use either WMI (this is the default option) or registry read
access. This is used to determine the currently logged on user when a computer is not found in the live
users table.

STAS can also be configured to detect when users log off. This can be done using the same method as
workstation polling (which is the default option) or PING.


Configure STAS on Sophos Firewall


STAS is configured in: CONFIGURE > Authentication > STAS

Once the STAS software is installed and configured, STAS needs to be enabled on the Sophos Firewall,
which is done in CONFIGURE > Authentication > STAS.

You can configure how long Sophos Firewall will try to probe for the identity, and whether access should
be limited while it tries to confirm the user’s identity.

You can also optionally enable and configure user inactivity handling, by setting the inactivity timer and
data transfer threshold.


Configure STAS on Sophos Firewall

For every server you installed STAS on, you must add the IP address as a collector on the Sophos
Firewall.

If you are installing the full STA suite for each domain controller, you should put each collector in its own
group. Using collector groups is beyond the scope of this chapter.


Simulation: Configure SSO Using STAS on Sophos Firewall

In this simulation you will configure single sign-on (SSO) using the Sophos Transparent Authentication
Suite (STAS). You will then test your configuration.

Please complete this simulation.

Click Launch Simulation to start. Once you have finished, click Continue.

[Additional Information]
https://training.sophos.com/fw/simulation/STAS/2/start.html


Authentication Agent

(Diagram)
1. Agent and certificate need to be installed
2. The user sets their credentials
3. The agent authenticates the user

Another method for authenticating with the Sophos Firewall is to use an agent on each endpoint.

You can download agents for Windows, Mac and Linux, and then need to install the agent and certificate
on the computer.

The user sets the credentials for authentication, and then the agent will authenticate with the Sophos
Firewall. The agent also shares the MAC address telemetry with the Sophos Firewall, which allows MAC
address restrictions to be used.


Google Workspace Authentication

Google Workspace authentication integration via LDAP

1. In Google Admin, configure an LDAP client, download the client access certificate, and create access credentials
2. On Sophos Firewall, upload the client access certificate
3. On Sophos Firewall, configure an LDAP authentication server
4. On Sophos Firewall, select the LDAP authentication server in services

Sophos Firewall supports Google Workspace authentication through an LDAP integration.

Configuring Google Workspace authentication can be broadly broken down into four stages.

First, in Google Admin, you need to configure an LDAP client, download the client access certificate, and
create access credentials for Sophos Firewall to use for the LDAP connection.

Then, on Sophos Firewall, start by uploading the client access certificate.

Next, create an LDAP authentication server that will connect to Google Workspace.

Finally, you need to select the LDAP authentication server in services.

Google Workspace Authentication

The first stage of configuring Google Workspace authentication with Sophos Firewall is to create an LDAP
client in Google Admin. This is done in Apps > LDAP.

When adding the LDAP client you need to configure the access permissions. You will need to enable all
three options: verify user credentials, read user information, and read group information. You can either
allow all users of your domain to have these permissions or limit it to members of selected organization
units only.

In the LDAP client you need to generate and download a client access certificate and generate new
access credentials. Note that the password for the access credentials can only be copied at the time they
are created; it cannot be accessed later, so ensure you save it somewhere secure.

For more detailed instructions on adding new LDAP clients, please see the Google document linked in
the student handout notes.

[Additional Information]
Add and connect new LDAP clients.
https://support.google.com/a/topic/9173976


Google Workspace Authentication

Google uses self-signed


certificates so it will not be
trusted

With Google Workspace configured, you need to switch to Sophos Firewall.

Start by uploading the client access certificate you downloaded for Google Workspace. This is done in
SYSTEM > Certificates.

Note that Google uses self-signed certificates so it will not be trusted. This is expected and will not cause
a problem.


Google Workspace Authentication

Google requires LDAP version 3

Use the credentials you created


in Google Admin

Deselect the option ‘Append


base DN’

Select the client access


certificate you uploaded

Next, create a new LDAP authentication server in CONFIGURE > Authentication.

When configuring the LDAP server for Google Workspace there are a few things to note:
• You will need to use version 3.
• Use the credentials you created for LDAP in Google Admin. Note that anonymous login is not
supported.
• You must deselect the option ‘Append base DN’ for the authentication to work.
• And select the client access certificate that you uploaded in the previous step.


Google Workspace Authentication

The final step is to select the LDAP server in services to enable it as a firewall authentication method.
You can then test the configuration by logging into the user portal. Note that the user should only
provide their username and not include the domain.


Chromebook Single Sign-On (SSO)

1. Deploy Extension: the Chrome extension needs to be pushed to devices from Google Workspace
2. Authentication Server: either an LDAP server to Google Workspace or an Active Directory server that is synchronized with Google Workspace
3. Chromebook Authentication: the Chromebook extension shares the user ID with Sophos Firewall

(Diagram: Google Workspace, Active Directory Server, Chromebook Devices)

Chromebooks are increasingly popular in education and some corporate environments, but they create a
unique set of challenges for user identification with network firewalls.

Sophos Firewall provides a Chromebook extension that shares Chromebook user IDs with the firewall to
enable full user-based policy enforcement and reporting. Prerequisites include either an LDAP server to
Google Workspace or an Active Directory server that is synchronized with Google Workspace.

The Chrome extension is pushed from the Google Workspace admin console providing easy and
seamless deployment that is transparent to users.

[Additional Information]
Configure Chromebook single sign-on
https://docs.sophos.com/nsg/sophos-firewall/21.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/HowToArticles/AuthenticationConfigureChromebookSSO/index.html


Chromebook Single Sign-On (SSO)

Chromebook SSO is configured in: CONFIGURE > Authentication > Services

(Screenshot callouts)
▪ The domain name as registered with Google Workspace
▪ The port number Chromebooks connect to from the LAN or Wi-Fi
▪ The certificate used for communication with the Chromebooks. The certificate CN must match the zone/network where the Chromebook users are, for example: xg.sophostraining.xyz.

Chromebook SSO must be enabled in CONFIGURE > Authentication > Services. To do this it is necessary
to provide your domain that is registered with Google Workspace, and the certificate used to
communicate with the Chromebooks. The common name must match the network where the
Chromebook users are.

A couple of things to remember:


• You will need to enable the Chromebook SSO service in device access for the zones where the devices
are located.
• You will also need to create a firewall rule that allows the Chromebooks to access the Google API and
Chrome Web Store.

Google Workspace Configuration

• Navigate to Device > Chrome > Apps and extensions > Users and browsers
• Search for and open Sophos Chromebook User ID
• Upload the configuration (sample in the notes)

Only required where the Sophos Firewall uses a self-signed certificate:

• Navigate to Device Management > Networks
• Upload the CA certificate from the Sophos Firewall (select Use this certificate as an HTTPS certificate authority)

To configure the Chromebook app in Google Workspace, you need to navigate to Device > Chrome >
Apps and extensions > Users and browsers, and then search for and open the Sophos Chromebook
User ID app.

Here you will need to upload the configuration as a JSON file that includes server address, port and log
settings.

If the Sophos Firewall is using a self-signed certificate, you will also need to upload the CA certificate in
Device Management > Networks, selecting the option, Use this certificate as an HTTPS certificate
authority.

[Additional Information]
Example JSON configuration for the Sophos Chromebook User ID app in Google Workspace
Note: the uppercase Value is important, otherwise it won't work. serverAddress and serverPort must be the
firewall address and the port that the Chromebooks connect to, as configured in CONFIGURE >
Authentication > Services.
{
  "serverAddress": {
    "Value": "10.8.19.132"
  },
  "serverPort": {
    "Value": 65123
  },
  "logLevel": {
    "Value": 2
  },
  "logoutOnLockscreen": {
    "Value": true
  },
  "logoutOnIdle": {
    "Value": true
  },
  "idleInterval": {
    "Value": 900
  }
}
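The validator below is an added example written for this page; it is not Sophos code and not part of the extension. It checks a policy file against the layout of the sample above before it is uploaded: every setting present, each wrapped in the uppercase "Value" object that the extension expects, with the right JSON type. The range limits it applies (port 1-65535, positive idleInterval) are this script's own sanity assumptions, not documented limits of the extension. The two sample policies at the bottom are constructed for the demonstration.

```python
"""Validate the Sophos Chromebook User ID extension policy JSON before it is
uploaded in the Google Workspace admin console.

Added example for this course page; it is not Sophos code. The key names and
the uppercase "Value" wrapper come from the sample policy above. The range
checks (port 1-65535, positive idleInterval) are this script's own sanity
assumptions, not documented limits of the extension.
"""
import ipaddress
import json

# Every key the sample policy carries and the JSON type its "Value" must have.
EXPECTED_TYPES = {
    "serverAddress": str,
    "serverPort": int,
    "logLevel": int,
    "logoutOnLockscreen": bool,
    "logoutOnIdle": bool,
    "idleInterval": int,
}


def _wrapped_value(policy, key):
    """Return policy[key]["Value"] if the entry is correctly wrapped, else None."""
    entry = policy.get(key)
    if isinstance(entry, dict) and "Value" in entry:
        return entry["Value"]
    return None


def validate_policy(text):
    """Return a list of problems in the policy JSON text; an empty list means it is usable."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: %s (line %d)" % (exc.msg, exc.lineno)]
    if not isinstance(policy, dict):
        return ["top level must be a JSON object"]

    problems = []
    for key, expected in EXPECTED_TYPES.items():
        entry = policy.get(key)
        if entry is None:
            problems.append("%s: missing" % key)
            continue
        if not isinstance(entry, dict) or "Value" not in entry:
            # The extension reads only the uppercase "Value" wrapper. A lowercase
            # "value" (or a bare literal) is ignored and the setting is silently
            # lost, which is the failure the note above warns about.
            found = sorted(entry) if isinstance(entry, dict) else type(entry).__name__
            problems.append('%s: must be {"Value": ...}, found %s' % (key, found))
            continue
        value = entry["Value"]
        # bool is a subclass of int in Python, so reject true/false where a number is expected.
        if expected is int and isinstance(value, bool):
            problems.append("%s: expected a number, got a boolean" % key)
        elif not isinstance(value, expected):
            problems.append("%s: expected %s, got %s" % (key, expected.__name__, type(value).__name__))

    # Value-level sanity checks (assumed ranges, see module docstring).
    port = _wrapped_value(policy, "serverPort")
    if isinstance(port, int) and not isinstance(port, bool) and not 1 <= port <= 65535:
        problems.append("serverPort: %d is outside 1-65535" % port)
    addr = _wrapped_value(policy, "serverAddress")
    if isinstance(addr, str):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            # Not an IP literal, so it must be a hostname. It then has to match the
            # CN of the certificate the firewall serves on the Chromebook SSO port.
            if not addr or any(c.isspace() for c in addr):
                problems.append("serverAddress: empty or contains whitespace")
    idle = _wrapped_value(policy, "idleInterval")
    if isinstance(idle, int) and not isinstance(idle, bool) and idle <= 0:
        problems.append("idleInterval: must be a positive number of seconds")
    return problems


# Constructed sample policies: the first mirrors the page's example, the second
# has the lowercase "value" mistake on serverPort and omits idleInterval.
GOOD_POLICY = """{
  "serverAddress": {"Value": "10.8.19.132"},
  "serverPort": {"Value": 65123},
  "logLevel": {"Value": 2},
  "logoutOnLockscreen": {"Value": true},
  "logoutOnIdle": {"Value": true},
  "idleInterval": {"Value": 900}
}"""

BAD_POLICY = """{
  "serverAddress": {"Value": "10.8.19.132"},
  "serverPort": {"value": 65123},
  "logLevel": {"Value": 2},
  "logoutOnLockscreen": {"Value": true},
  "logoutOnIdle": {"Value": true}
}"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, validate_policy(text) or "OK")
```

Run it against the file you intend to upload and fix every reported line before pushing the app policy; a policy that passes Google's JSON syntax check can still be silently ignored by the extension if a key uses lowercase "value".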


Simulation: Configuring User Policies

In this simulation you will configure firewall rules to match based on user identity on Sophos Firewall.

Please complete this simulation.

Click Launch Simulation to start. Once you have finished, click Continue.

[Additional Information]
https://training.sophos.com/fw/simulation/UserPolicies/2/start.html


Chapter Review

Here are the three main things you learned in this chapter.

Sophos Firewall has three types of user. Clientless users are identified by their IP address. Guest users
are given temporary network access. Standard users provide a username and password to authenticate
locally or using an external server such as Active Directory.

Synchronized User Identity provides transparent user authentication by sharing the user’s identity
through the Security Heartbeat connection. This is enabled by default for all Windows endpoints that
establish a Security Heartbeat with the firewall.

Authentication agents for Windows, Mac and Linux can be installed locally on the computer. The Sophos
Transparent Authentication Suite provides transparent SSO authentication for users without requiring a
client on the endpoint. It employs an agent on the Microsoft Active Directory domain controller.
