This article provides information about the behavior of the UTM HTTP Proxy with Transparent AD SSO. The following sections are covered:
Applies to the following Sophos products and versions: Sophos UTM Software Appliance
In transparent mode, when a user opens Internet Explorer, the normal order of events for AD SSO is:
1. Client > Proxy: GET http://www.bing.com
2. Proxy > Client: 307 Redirect to utm-hostname/auth (note: by default the redirect uses the bare hostname, not the FQDN)
3. Client > Proxy: GET utm-hostname/auth
4. Proxy > Client: 401 Unauthorized, authentication required
5. Client > Proxy: GET utm-hostname/auth with authentication
6. Proxy > Client: 307 Redirect to http://www.bing.com
7. Client > Proxy: GET http://www.bing.com
This process has a few requirements:
The client must be able to resolve the name used in the redirect in step 2. To make the redirect use the FQDN instead of the bare hostname, run the following on the UTM shell:
cc set http adsso_redirect_use_hostname 0
The following request types are not standard and will not cause authentication:
Effects may vary. For example, if SSO is not automatic and instead causes a browser popup, then opening a site such as http://de.msn.com/?rd=1&ucc=DE&dcc=DE&opt=0 loads the HTML page based on the last known user. That page may then load 20 images in parallel; for each of those GET requests the proxy tries to authenticate, and each one causes a pop-up. If there is no last known user (the cache is empty), the proxy falls back to the first All Users policy. This could be a base policy that is configured to block everything, in which case the user appears to be blocked by category without ever having had the opportunity to log in.
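The seven-step exchange above and the empty-cache failure mode in the previous paragraph, as an added example that is not part of the Sophos article: a small Python model of the transparent proxy and of an IE-like client, so the sequence and the "last known user" fallback can be stepped through offline. The per-client-IP cache, the ?url= parameter carried in the redirect, the "Negotiate <user>" token format and the try_auth switch (standing in for the request types that never trigger authentication) are assumptions made for illustration, not UTM internals.

```python
"""Toy model of the transparent-proxy AD SSO exchange (added example, not Sophos code).

Assumed for illustration: the cache is keyed by client IP, the redirect carries the
original URL in ?url=, and the credential is a "Negotiate <user>" token.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

UTM_HOST = "utm-hostname"   # bare hostname, as in the default redirect
AUTH_PATH = "/auth"


@dataclass
class Response:
    status: int
    reason: str
    headers: dict = field(default_factory=dict)


@dataclass
class Policy:
    name: str
    block_all: bool = False


@dataclass
class TransparentProxy:
    # "last known user" cache, assumed keyed by client IP
    user_cache: dict = field(default_factory=dict)
    # first "All Users" policy, applied when no user is known for the client
    fallback_policy: Policy = field(default_factory=lambda: Policy("Base Policy", block_all=True))
    user_policy: Policy = field(default_factory=lambda: Policy("Authenticated Users"))

    def handle(self, client_ip, method, url, headers=None, try_auth=True):
        """Return the proxy's response to one client request.

        try_auth=False stands for request types that never trigger authentication:
        they are filtered immediately with the cached user's policy or the fallback.
        """
        headers = headers or {}
        parsed = urlparse(url)
        if parsed.hostname == UTM_HOST and parsed.path == AUTH_PATH:
            return self._auth_endpoint(client_ip, parsed, headers)
        if client_ip not in self.user_cache and try_auth:
            # Step 2: bounce the browser to the auth endpoint, carrying the original URL
            location = f"http://{UTM_HOST}{AUTH_PATH}?" + urlencode({"url": url})
            return Response(307, "Temporary Redirect", {"Location": location})
        return self._filter(client_ip)

    def _auth_endpoint(self, client_ip, parsed, headers):
        original = parse_qs(parsed.query).get("url", [""])[0]
        token = headers.get("Authorization", "")
        if not token.startswith("Negotiate "):
            # Step 4: 401; an SSO-capable browser answers silently, others show a pop-up
            return Response(401, "Unauthorized", {"WWW-Authenticate": "Negotiate"})
        # Step 6: token accepted (toy: the token is just the user name); remember the user
        self.user_cache[client_ip] = token[len("Negotiate "):]
        return Response(307, "Temporary Redirect", {"Location": original})

    def _filter(self, client_ip):
        user = self.user_cache.get(client_ip)
        policy = self.user_policy if user else self.fallback_policy
        if policy.block_all:
            return Response(403, "Blocked by policy", {"X-Policy": policy.name})
        return Response(200, "OK", {"X-Policy": policy.name, "X-User": user or "-"})


@dataclass
class Browser:
    client_ip: str
    sso_credentials: Optional[str] = None   # None: cannot do SSO silently, shows a pop-up
    popups: int = 0
    trace: list = field(default_factory=list)   # (url, status) per request sent

    def fetch(self, proxy, url, try_auth=True):
        """Follow the redirect/401 dance the way IE does and return the final response."""
        headers = {}
        for _ in range(6):                      # ample for the 7-step exchange
            resp = proxy.handle(self.client_ip, "GET", url, headers, try_auth)
            self.trace.append((url, resp.status))
            if resp.status == 307:
                url, headers = resp.headers["Location"], {}
            elif resp.status == 401:
                if self.sso_credentials is None:
                    self.popups += 1            # user is prompted; modelled as cancelled
                    return resp
                headers = {"Authorization": "Negotiate " + self.sso_credentials}
            else:
                return resp
        return resp


def sso_walkthrough():
    """Steps 1-7 with a browser that answers the 401 silently."""
    proxy = TransparentProxy()
    ie = Browser("10.0.0.5", sso_credentials="alice")
    return ie.fetch(proxy, "http://www.bing.com/"), ie.trace, proxy.user_cache


def popup_storm(n_images=20):
    """Non-automatic SSO: a page pulls n images, each one triggers the auth dance."""
    proxy = TransparentProxy()
    ie = Browser("10.0.0.6")
    for i in range(n_images):
        ie.fetch(proxy, f"http://de.msn.com/img{i}.png")   # constructed sample URLs
    return ie.popups


def blocked_without_login():
    """Empty cache plus a request type that never triggers auth: the base policy applies."""
    proxy = TransparentProxy()
    ie = Browser("10.0.0.7", sso_credentials="alice")
    return ie.fetch(proxy, "http://www.bing.com/", try_auth=False)


if __name__ == "__main__":
    final, trace, cache = sso_walkthrough()
    for url, status in trace:
        print(status, url)
    print("cache:", cache, "| popups for 20 images:", popup_storm(),
          "| no-login request:", blocked_without_login().status)
```

Running the block prints the four requests the seven steps collapse into (307, 401, 307, 200), the populated cache, 20 pop-ups for the image-heavy page when the browser cannot answer the 401 silently, and a 403 from the block-all base policy for a request that never reached the auth endpoint. The last case is what the user experiences as a category block with no chance to log in.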