The college recently purchased a new Sophos Email Security appliance model. It was very easy to setup and I’m looking forward to having PureMessage filtering our spam and crapmail attacks, it’ll be a good thing.
The Active Directory integration is not a polished as their Web Security appliances’ are. We have two WS1000 appliances, also from Sophos. Both hooked right into AD and pulled down both students and staff accounts without issue. Even indicated what sub-domains it found during the process. Top notch, no brainer installation.
The problem I’m writing about is the ES4000 appliance’s inability to detect our second domain in the same forest as the domain our service account is in. First off, it couldn’t even automatically detect settings using the same service account using the “Detect Settings…†feature. An undocumented bug was documented on experts-exchange.com with the workaround being you have to use an account with Schema Admin privileges in the domain’s original Users OU. Once detected, you could move the user and modify the DN used to authenticate.
Okay, that one was fixed. But I still couldn’t sync both staff and students – even if I pointed the Base DN to the top domain or left it blank.
I opened a case with Sophos and went through first level support. After 48 hours (plus a weekend) of remote support they kicked me to second tier.
Second tier connected remotely and continue the troubleshooting. After an hour or so they found a workaround and had me test it. Success.
Fix: Replace the Base DN for users/groups with a single space. Done and now it works. I’m not much of an LDAP junkie, but I would consider that a bug.
Anyway, it works for me and I hope it helps someone else out there scratching their head wondering why the eff their ES4000 is not working.
Side note: All in all, Sophos support is pretty good I just wish they would read my entire email before firing back the first canned response that essentially was exactly what I had already done. For anyone absolutely buried with this product, I can highly recommend leveraging their consulting services. Well worth the small price to get it done right the first time.