{"id":479,"date":"2020-02-05T15:59:38","date_gmt":"2020-02-05T12:59:38","guid":{"rendered":"http:\/\/as7ablog.com\/kinan\/?p=479"},"modified":"2020-02-05T15:59:40","modified_gmt":"2020-02-05T12:59:40","slug":"adfs-with-sophos-xg-firewall","status":"publish","type":"post","link":"http:\/\/as7ablog.com\/kinan\/?p=479","title":{"rendered":"ADFS With Sophos XG Firewall"},"content":{"rendered":"\n<div class=\"WordSection1\" dir=\"RTL\">\n\n<p dir=\"LTR\">It&#8217;s basically a simple process.<br>\nYou may even use the Exchange ready-made firewall publishing policy as a base for\nthis one.<br>\n<em>This is for SFOS 17.X<\/em><br>\n<br>\n<\/p>\n\n<p dir=\"LTR\">So, let&#8217;s move on:<\/p>\n\n<p dir=\"LTR\" style='margin-left:36.0pt;text-indent:-18.0pt'><span>1.<span style='font:7.0pt \"Times New Roman\"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\n<\/span><\/span><span dir=\"LTR\"><\/span>I assume you already have the SSL\ncertificate installed properly on the XG box.<\/p>\n\n<p dir=\"LTR\" style='margin-left:36.0pt;text-indent:-18.0pt'><span>2.<span style='font:7.0pt \"Times New Roman\"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\n<\/span><\/span><span dir=\"LTR\"><\/span>Add the ADFS server as a named host\nunder &quot;Hosts and Services&quot;.<\/p>\n\n<p dir=\"LTR\" style='margin-left:36.0pt;text-indent:-18.0pt'><span>3.<span style='font:7.0pt \"Times New Roman\"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\n<\/span><\/span><span dir=\"LTR\"><\/span>Create a new &quot;Web Server&quot;\nentry and use the host you added in step 2.<\/p>\n\n<p dir=\"LTR\" style='margin-left:36.0pt;text-indent:-18.0pt'><span>4.<span style='font:7.0pt \"Times New Roman\"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\n<\/span><\/span><span dir=\"LTR\"><\/span>Create a new protection policy with\nthese settings:<\/p>\n\n<p dir=\"LTR\" style='margin-left:72.0pt;text-indent:-18.0pt'><span>a.<span style='font:7.0pt \"Times New Roman\"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\n<\/span><\/span><span dir=\"LTR\"><\/span>Set \u201cMode\u201d to \u201cMonitor\u201d. You may\nuse \u201cReject\u201d if you\u2019re concerned.<\/p>\n\n<p dir=\"LTR\" style='margin-left:72.0pt;text-indent:-18.0pt'><span>b.<span style='font:7.0pt \"Times New Roman\"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\n<\/span><\/span><span dir=\"LTR\"><\/span>Enable \u201cBlock clients with bad\nreputation\u201d.<\/p>\n\n<p dir=\"LTR\" style='margin-left:72.0pt;text-indent:-18.0pt'><span>c.<span style='font:7.0pt \"Times New Roman\"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\n<\/span><\/span><span dir=\"LTR\"><\/span>Enable \u201cCommon threat filter\u201d.<\/p>\n\n<p dir=\"LTR\" style='margin-left:36.0pt;text-indent:-18.0pt'><span>5.<span style='font:7.0pt \"Times New Roman\"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\n<\/span><\/span><span dir=\"LTR\"><\/span>Create a new business rule with\nthese settings:<\/p>\n\n<p dir=\"LTR\" style='margin-left:72.0pt;text-indent:-18.0pt'><span>a.<span style='font:7.0pt \"Times New Roman\"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\n<\/span><\/span><span dir=\"LTR\"><\/span>Set the hosted\naddress to \u201c#Port2\u201d, assuming that is the WAN port.<\/p>\n\n<p dir=\"LTR\" style='margin-left:72.0pt;text-indent:-18.0pt'><span>b.<span style='font:7.0pt \"Times New Roman\"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\n<\/span><\/span><span dir=\"LTR\"><\/span>Enable \u201cHTTPS\u201d.<\/p>\n\n<p dir=\"LTR\" style='margin-left:72.0pt;text-indent:-18.0pt'><span>c.<span style='font:7.0pt \"Times New Roman\"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\n<\/span><\/span><span dir=\"LTR\"><\/span>Select the SSL certificate and\nadd the ADFS hostname under \u201cDomains\u201d,<br>\nfor example \u201cadfs.as7ablog.com\u201d.<\/p>\n\n<p dir=\"LTR\" style='margin-left:72.0pt;text-indent:-18.0pt'><span>d.<span style='font:7.0pt \"Times New Roman\"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\n<\/span><\/span><span dir=\"LTR\"><\/span>Under \u201cprotected server(s)\u201d select\nthe ADFS server.<\/p>\n\n<p dir=\"LTR\" style='margin-left:72.0pt;text-indent:-18.0pt'><span>e.<span style='font:7.0pt \"Times New Roman\"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\n<\/span><\/span><span dir=\"LTR\"><\/span>Select \u201cAny IPv4\u201d under \u201cAccess\npermission\u201d.<\/p>\n\n<p dir=\"LTR\" style='margin-left:72.0pt;text-indent:-18.0pt'><span>f.<span style='font:7.0pt \"Times New Roman\"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\n<\/span><\/span><span dir=\"LTR\"><\/span>Select the protection policy you\u2019ve\ncreated in step 4.<\/p>\n\n<p dir=\"LTR\" style='margin-left:72.0pt;text-indent:-18.0pt'><span>g.<span style='font:7.0pt \"Times New Roman\"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\n<\/span><\/span><span dir=\"LTR\"><\/span>Select an intrusion prevention\npolicy if you want one.<\/p>\n\n<p dir=\"LTR\" style='margin-left:72.0pt;text-indent:-18.0pt'><span>h.<span style='font:7.0pt \"Times New Roman\"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\n<\/span><\/span><span dir=\"LTR\"><\/span>Enable &quot;Pass host\nheader&quot;.<\/p>\n\n<\/div>\n<!-- \/wp:post-content -->","protected":false},"excerpt":{"rendered":"<p>It&#8217;s basically a simple process. You may even use the Exchange ready-made firewall publishing policy as a base for this one. This is for SFOS 17.X So, let&#8217;s move on: 1.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; I assume you already have the SSL certificate installed properly on the XG box. 2.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Add the ADFS server as a named host under [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[4],"tags":[45,30,14,29],"class_list":["post-479","post","type-post","status-publish","format-standard","hentry","category-4","tag-adfs","tag-firewalls","tag-microsoft","tag-sophos"],"_links":{"self":[{"href":"http:\/\/as7ablog.com\/kinan\/index.php?rest_route=\/wp\/v2\/posts\/479","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/as7ablog.com\/kinan\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/as7ablog.com\/kinan\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/as7ablog.com\/kinan\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/as7ablog.com\/kinan\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=479"}],"version-history":[{"count":5,"href":"http:\/\/as7ablog.com\/kinan\/index.php?rest_route=\/wp\/v2\/posts\/479\/revisions"}],"predecessor-version":[{"id":485,"href":"http:\/\/as7ablog.com\/kinan\/index.php?rest_route=\/wp\/v2\/posts\/479\/revisions\/485"}],"wp:attachment":[{"href":"http:\/\/as7ablog.com\/kinan\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=479"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/as7ablog.com\/kinan\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=479"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/as7ablog.com\/kinan\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=479"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}