Do you have the same problem, that every failed login at the Sophos UTM WebAdmin, UserPortal or VPN locks your Active Directory account? The cause is that the UTM asks every single server listed under authentication services, regardless of whether they are all domain controllers of the same domain, so one wrong password is recorded as a failed logon on each of them.
There is a workaround that keeps the redundancy of multiple servers but lets the UTM ask only once, falling back to the next server only if one is unavailable. You have to configure an availability group containing your Active Directory domain controllers:
The UTM will now only ask once. Keep in mind that a RADIUS server configured for wireless protection will also be asked ;) I think we need to start a feature request for combining directory servers based on the BaseDN.
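To check from the domain side whether the workaround actually helped, here is a small PowerShell script (an added example, not from the original post or from Sophos) that reads the bad-password counters of one account from every domain controller. It assumes the ActiveDirectory RSAT module is installed and that the account running it may read user attributes on all DCs; the `$SamAccountName` parameter is a placeholder for the account that keeps getting locked out. The point of querying each DC separately is that `badPwdCount` and `badPasswordTime` are not replicated, only the PDC emulator holds the aggregated total.

```powershell
# Added example, not part of the original post or of the UTM itself.
# Assumes the ActiveDirectory module (RSAT) and read access to user attributes on every DC.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName   # placeholder: the account that keeps getting locked out
)

Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # badPwdCount / badPasswordTime are per-DC values, so each DC is asked directly.
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                -Properties badPwdCount, badPasswordTime, lockoutTime, LockedOut
        [pscustomobject]@{
            DomainController = $dc.HostName
            IsPdcEmulator    = ($dc.HostName -eq $pdc)
            BadPwdCount      = $u.badPwdCount
            LastBadPassword  = if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
            LockedOut        = $u.LockedOut
        }
    } catch {
        # A DC that cannot be reached is reported instead of aborting the whole run.
        [pscustomobject]@{
            DomainController = $dc.HostName
            IsPdcEmulator    = ($dc.HostName -eq $pdc)
            BadPwdCount      = 'unreachable'
            LastBadPassword  = $null
            LockedOut        = $null
        }
    }
}

$results | Sort-Object IsPdcEmulator -Descending | Format-Table -AutoSize
```

Usage: run the script once, log in at the UTM with a single wrong password, and run it again. With every domain controller listed as its own authentication server the counter rises on several DCs after that one attempt (and by the same total on the PDC emulator, which collects the failures); with the availability group in place only the DC that was actually asked, plus the PDC emulator, should change.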