The Sophos Community will be unavailable from 13:00 to 18:00 UTC this Saturday, October 1st for upgrades. Stay tuned to our Twitter account @SophosSupport for updates.
This article outlines the configuration steps and requirements for using Active Directory (AD) and Single Sign On (SSO) in Transparent Mode.
The following sections are covered:
Cannot enable Web Application Firewall when one or more Web Filter Profiles are using ActiveDirectory SSO in transparent mode.
This is due to the UTM having to listen on port 80 for both the WAF and a Transparent Mode proxy configuration, which is currently not supported. See, Sophos UTM: Transparent AD SSO conflicts with WAF, User Portal or SSL VPN
You can authenticate only standard HTTP requests through the proxy when using AD/SSO in Transparent Mode. This only works when your browser makes a standard (non HTTPS) web request, and may not work for the applications and services listed below:
However, in UTM F/W >= 9.111, the proxy will use the last successful cached authentication for the same user, when non-standard web requests (HTTPS) are made, or when a non-browser application makes a web request.
This feature will prevent further authentication challenges from the proxy as long as there is an initial (successful) standard HTTP request which has been authenticated.
To use this feature, you must enable Web Filtering on the UTM. Do the following:
NOTE: SSO Authentication in Transparent Mode may fail due to an internal LAN resource (the UTM) being treated as a public URL. To resolve this issue, follows the steps in Browser configuration (Windows).
NOTE: Mac (OS X) does not support NTLM authentication, only Kerberos. Therefore, if you are using Mac (OS X) clients on your AD network and would like them to be authenticated with Single Sign On (SSO) in Transparent Mode through the proxy, your AD server must be configured for Kerberos authentication.
If a device trying to go through the proxy does not support Kerberos or NTLM, a browser window pops up for you tologin with your AD credentials.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.