This article outlines the configuration steps and requirements for using Active Directory (AD) and Single Sign On (SSO) in Transparent Mode.
The following sections are covered:
Cannot enable Web Application Firewall when one or more Web Filter Profiles are using ActiveDirectory SSO in transparent mode.
This is due to the UTM having to listen on port 80 for both the WAF and a Transparent Mode proxy configuration, which is currently not supported. See, Sophos UTM: Transparent AD SSO conflicts with WAF, User Portal or SSL VPN
You can authenticate only standard HTTP requests through the proxy when using AD/SSO in Transparent Mode. This only works when your browser makes a standard (non HTTPS) web request, and may not work for the applications and services listed below:
However, in UTM F/W >= 9.111, the proxy will use the last successful cached authentication for the same user, when non-standard web requests (HTTPS) are made, or when a non-browser application makes a web request.
This feature will prevent further authentication challenges from the proxy as long as there is an initial (successful) standard HTTP request which has been authenticated.
To use this feature, you must enable Web Filtering on the UTM. Do the following:
NOTE: Mac (OS X) does not support NTLM authentication, only Kerberos. Therefore, if you are using Mac (OS X) clients on your AD network and would like them to be authenticated with Single Sign On (SSO) in Transparent Mode through the proxy, your AD server must be configured for Kerberos authentication.
If a device trying to go through the proxy does not support Kerberos or NTLM, a browser window pops up for you tologin with your AD credentials.
Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.