Integration with Active Directory not working properly on my WatchGuard XTM 25

I have configured a WatchGuard XTM 25 which works great; however, I want to block traffic using Active Directory authentication. I've set this up but it doesn't work. The policy works fine, but not when using Active Directory logins. Please help!
Daniel Forrester (Director) asked:



Chris Millard commented:
Have you installed the WatchGuard Single Sign On agent software on a domain controller?

The SSO Agent is a requirement for what you are trying to do.
Daniel Forrester (Author) commented:
I've looked at this and I still can't get this working. Is there anything I can troubleshoot?
Chris Millard commented:
Well, let's backtrack. Do you have the SSO agent installed on a domain controller?

If yes, what is the name of the domain controller, and what settings have you enabled in the WatchGuard for Active Directory?

Daniel Forrester (Author) commented:
Yes, the SSO agent is installed. I'm using the following, see ps.
Chris Millard commented:
We leave the DN of searching user and the password of searching user blank - it shouldn't be required.

We have also enabled the Single Sign-On with Active Directory option under the authentication options too.
Daniel Forrester (Author) commented:
I did have it set up like this; I've changed that back now. Where is the single sign-on option? To be honest, I think AD is authenticating fine, as I can see the user in the authentication list. When I create a policy that is supposed to block all traffic for the AD user it doesn't work. Very frustrating.
Daniel Forrester (Author) commented:
Sorry, yes, I've already done the single sign-on option.
Chris Millard commented:
OK. Under Authentication -> Users and Groups you need to add the AD user(s) or AD group(s) in there too; the WatchGuard doesn't perform its own lookups in AD. You have to manually type the user or group names, AND they MUST match the case as they appear in Active Directory (i.e. if the user is "Joe Bloggs" in AD, he cannot be called "joe bloggs" in this list).
Daniel Forrester (Author) commented:
Yes, I've done all this.
Chris Millard commented:
Right. I've just been into my XTM device. This is the complete list of what needs to be done:

On your Active Directory controller (IP, install the WatchGuard SSO Agent and make sure that the firewall on that server is configured to allow LDAP traffic on port 389

On the XTM device:-

Setup->Authentication->Authentication Servers->Active Directory tab
Domain Name
IP Address / DNS Names of DCs / 389
Search base
Group String
Login Attribute
Don't enter a username or password

Setup->Authentication->Authentication Settings->Single Sign-On tab
Enable Single Sign-On (SSO) with Active Directory
SSO Agent IP address

Setup->Authentication->Authorized Users/Groups
Click Add
Define New Authorized User or Group
Name - this should be the display name of the Active Directory user or group and is case-sensitive
Description (whatever you like)
Select the User or Group radio button
From the Authentication Server dropdown, select "rgid.local [Active Directory]"

I personally only have groups set up in here such as 'Domain Admins', 'Domain Users' etc.

Once you have all of those in place, then you should be able to get policies working for active directory.
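The two points Chris makes that are easiest to get wrong are the Authorized Users/Groups list (typed by hand, matched case-sensitively, never looked up by the Firebox) and the Active Directory server settings. The script below is an added example that is not WatchGuard code and was not posted in the thread: it audits a copy of those settings offline against a list of AD group names. The settings, the group list, the TEST-NET addresses and the "dc=rgid,dc=local" search base are constructed sample data; in practice you would copy the values out of Policy Manager and export the group names from a domain controller (for example with Get-ADGroup in PowerShell) before running it.

```python
"""Offline audit of the Firebox Active Directory / SSO checklist above.

Added example; not WatchGuard code and not something posted in the thread.
All settings and group names below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class FireboxAdConfig:
    domain_name: str             # Authentication Servers -> Active Directory tab
    dc_addresses: List[str]      # IP address / DNS names of the DCs
    ldap_port: int               # 389 in the thread
    search_base: str             # e.g. "dc=rgid,dc=local" (assumed form)
    authorized_names: List[str]  # Authorized Users/Groups, typed by hand
    sso_enabled: bool            # Single Sign-On tab
    sso_agent_ip: Optional[str] = None


def domain_dn(domain_name: str) -> str:
    """Turn a DNS domain into its dc= components: rgid.local -> dc=rgid,dc=local."""
    return ",".join(f"dc={label}" for label in domain_name.lower().split(".") if label)


def audit_authorized_names(configured: List[str], ad_names: List[str]) -> Dict[str, List[str]]:
    """Compare the Firebox's Authorized Users/Groups list with the names in AD.

    The Firebox does not look the names up itself and matches them
    case-sensitively, so "domain admins" never matches "Domain Admins".
    Buckets: exact matches, case-only mismatches (with the AD spelling to
    copy), and names that do not exist in AD at all.
    """
    exact = set(ad_names)
    by_lower = {name.lower(): name for name in ad_names}
    result: Dict[str, List[str]] = {"ok": [], "case_mismatch": [], "missing": []}
    for name in configured:
        if name in exact:
            result["ok"].append(name)
        elif name.lower() in by_lower:
            result["case_mismatch"].append(f"{name} -> {by_lower[name.lower()]}")
        else:
            result["missing"].append(name)
    return result


def audit_config(cfg: FireboxAdConfig, ad_names: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means the checklist is met."""
    findings: List[str] = []
    if not cfg.dc_addresses:
        findings.append("no domain controller address configured")
    if cfg.ldap_port != 389:
        findings.append(f"LDAP port is {cfg.ldap_port}; the DC firewall must allow it (thread uses 389)")
    # The search base may be the whole domain or an OU inside it, but it must
    # end in the domain's own dc= components or no user will ever be found.
    if not cfg.search_base.lower().replace(" ", "").endswith(domain_dn(cfg.domain_name)):
        findings.append(f"search base {cfg.search_base!r} is not inside domain {cfg.domain_name!r}")
    if not cfg.sso_enabled:
        findings.append("Single Sign-On with Active Directory is not enabled")
    elif not cfg.sso_agent_ip:
        findings.append("SSO is enabled but no SSO Agent IP address is set")
    names = audit_authorized_names(cfg.authorized_names, ad_names)
    findings += [f"authorized name differs from AD only in case: {m}" for m in names["case_mismatch"]]
    findings += [f"authorized name not found in AD: {m}" for m in names["missing"]]
    return findings


# Constructed sample data: the thread's domain name, a TEST-NET DC address and
# a few group names, one of them typed in the wrong case.
SAMPLE_AD_GROUPS = ["Domain Admins", "Domain Users", "Sales"]
SAMPLE_CONFIG = FireboxAdConfig(
    domain_name="rgid.local",
    dc_addresses=["192.0.2.10"],
    ldap_port=389,
    search_base="dc=rgid,dc=local",
    authorized_names=["Domain Users", "domain admins", "Sales Team"],
    sso_enabled=True,
    sso_agent_ip="192.0.2.10",
)

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, SAMPLE_AD_GROUPS) or ["no findings"]:
        print(finding)
```

Run against the sample data it reports two findings: "domain admins" differs from "Domain Admins" only in case, and "Sales Team" does not exist in AD. The search-base check only requires the value to sit inside the domain, so an OU-scoped base such as "ou=Staff,dc=rgid,dc=local" passes.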
Daniel Forrester (Author) commented:
I've been through all my settings and everything is exactly as you have described above, and it still doesn't work. The way I have introduced this box is to add it to an existing network with a DrayTek firewall. I've changed the DHCP scope to have the WatchGuard as the gateway so all the clients go through this box; however, the DC still uses the old DrayTek. Do you think this could be contributing to the issues?
Chris Millard commented:
Yep! Change the DC so that it too uses the WatchGuard.
Daniel Forrester (Author) commented:
OK. Can you send me details of how to set up port forwarding for my mail server please, as I'm unsure of how to do this?
Chris Millard commented:
Sure no problem. For the purpose of this, pretend that the external interface of the XTM is on IP

Edit->Add Policy
Select SMTP under Packet Filters then click Add
In the New Policy window:-
From - Remove Any-Trusted
Add EITHER Any-External, or if your inbound SMTP comes from a specific IP or range of IPs, add those
(Our email is filtered by a 3rd party, so we have a set range of IPs that SMTP can come in from)

Remove Any-Trusted
Add->Add SNAT->Add
Give the SNAT a meaningful name (e.g. SMTP.SNAT) and description
Beside the SNAT members windows, click Add
External / Option IP should be (or whatever your real external IP is)
Internal IP is that of the Exchange Server

Save all of that then save the config to the XTM, then any inbound traffic to the XTM on port 25 will be forwarded to the Exchange server.
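The inbound SMTP policy above is built in Policy Manager, but the decision it makes is small enough to model. The script below is an added example, not WatchGuard software and not part of the thread: it reproduces the From match and the SNAT rewrite so the difference between "Any-External" and a restricted source list can be checked before the config is committed. All addresses are constructed RFC 5737 test ranges; "198.51.100.0/24" stands in for whatever range a third-party mail filter actually delivers from, and "192.168.1.25" for the Exchange server.

```python
"""Model of the inbound SMTP policy with SNAT described above.

Added example; not Firebox code. Addresses are constructed test ranges.
"""
import ipaddress
from typing import List, Optional, Tuple, Union

ANY_EXTERNAL = "Any-External"  # Firebox alias: any source arriving on the external interface
SMTP_PORT = 25


def build_smtp_policy(from_members: List[str], external_ip: str, exchange_ip: str) -> dict:
    """Build the SMTP packet-filter policy with its SNAT action.

    from_members: the policy's From list, e.g. ["Any-External"] or a list of
    CIDRs for the filtering service. Any-Trusted has been removed, as in the
    thread, so nothing on the inside can match an inbound rule by accident.
    The SNAT member maps external_ip:25 to exchange_ip:25.
    """
    sources: List[Union[str, ipaddress.IPv4Network, ipaddress.IPv6Network]] = []
    for member in from_members:
        if member == ANY_EXTERNAL:
            sources.append(ANY_EXTERNAL)
        else:
            sources.append(ipaddress.ip_network(member, strict=False))
    return {
        "name": "SMTP",
        "port": SMTP_PORT,
        "from": sources,
        "snat": {ipaddress.ip_address(external_ip): ipaddress.ip_address(exchange_ip)},
    }


def evaluate(policy: dict, src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, Optional[str]]:
    """Decide what the policy does with one inbound packet.

    Returns ("allow", "<internal ip>") when the packet matches and is forwarded
    to the Exchange server, or ("no-match", None) when this policy does not
    apply, in which case the Firebox falls through to its other policies and
    ultimately denies the packet.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if dst_port != policy["port"]:
        return ("no-match", None)
    if dst not in policy["snat"]:  # the SNAT only rewrites the configured external IP
        return ("no-match", None)
    for member in policy["from"]:
        if member == ANY_EXTERNAL or src in member:
            return ("allow", str(policy["snat"][dst]))
    return ("no-match", None)


if __name__ == "__main__":
    # Restricted policy: only the filtering service's range may deliver mail.
    restricted = build_smtp_policy(["198.51.100.0/24"], "203.0.113.5", "192.168.1.25")
    # Open policy: any external host may deliver mail.
    open_policy = build_smtp_policy([ANY_EXTERNAL], "203.0.113.5", "192.168.1.25")
    for src in ("198.51.100.7", "192.0.2.99"):
        print(src, "restricted:", evaluate(restricted, src, "203.0.113.5", 25),
              "open:", evaluate(open_policy, src, "203.0.113.5", 25))
```

With the restricted From list a host outside the filter's range is not matched by this policy at all, which is the point of listing the filter's addresses rather than Any-External: anything that bypasses the filter never reaches the Exchange server.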

Daniel Forrester (Author) commented:
Done all this and it still doesn't work!! Can we set up a remote session and take a look?
Chris Millard commented:
Sure, we can do, but I can't do so until Friday, if that's OK?
Daniel Forrester (Author) commented:
When I look at the IP settings for the client, should the DNS settings be the WatchGuard Firebox?
Chris Millard commented:
No. The DNS should be pointing to your regular internal DNS server, but the gateway should be set to the IP of the Firebox
Daniel Forrester (Author) commented:
Yes, that's how it is; I was just checking.
Daniel Forrester (Author) commented:
Can you confirm the policy that should be configured to block all 80 and 443 traffic, just in case it's down to that?
Chris Millard commented:
I tell you what. You have my email address. Can you save your policy to disk and email me a copy? I'll load it up in my System Manager software and take a look.