Sophos UTM AD integration

Even if the internal clients refer to the AD-DNS server, it is not necessary to delete them from the "allowed networks" list.

the other looks good.

Sophos has not explained the relationship between joining the domain and configuring an AD authentication server.   Here is what I think is involved:

• Domain join is needed for web filter to do transparent authentication (AD SSO).   It is sufficient for all domains that are trusted by the connected domain.   I don't think there is any way to do AD SSO for a second domain that is untrusted.
• AD Authentication server is used for logins to User Portal, WAF, SSL Client, and optionally WebAdmin.  AD Authentication server is probably needed to evaluate group memberships for web filter policy enforcement.

At any rate, I joined my UTM to the domain before I configured the AD authentication server, because I assumed that order was necessary. 

Authentication servers are evaluated in order of precedence.   You can actually see this step-by-step process in the user authentication log.   If you configure two domain controllers for the same domain, any single typing error will be attempted and rejected by each configured authentication server.   This will cause user lockouts to happen twice as fast, so you need to decide if this is acceptable.    I have only configured one DC, but mine have very high uptime, so it has not been a problem.   As a compromise, you might consider configuring both domain controllers but leaving the secondary one disabled until it is needed, and then enable it manually.

Web Filter needs Reverse DNS lookups if you want it to contain host names instead of IP addresses.   In an environment where most addresses are distributed by DHCP, host names may be preferable, so it may be desirable to configure DNS forwarders for in-addr.arpa address ranges as well as your forward lookup ranges.

Web filtering is the strongest part of UTM, but it has some complexity.   Firewall Rules behavior is the weakest and least intuitive.   I have attempted to document everything that I wished was in the Administration Manual.   Most of that material is in the Recommended Read section.   There is also a Web Filter Lessons Learned at the top of the Web Filter topic/forum area.

All looks great again, Doug - good explanation.  There is no relationship between defining an AD server and joining the UTM to the domain, they are independent and can be done in any order.

Zak, you might also be interested in DNS best practice and Configuring HTTP/S proxy access with AD SSO  Although the article is aimed at Standard mode, 98% of it applies to Transparent mode, too.

Cheers - Bob

Can you clarify what capabilities are enabled by virtue of joining a domain?   How close was my guess?

Some quick hits on web filtering:

• Create a firewall rule to block UDP 443.   Otherwise the Chrome browser will use the QUIC protocol to bypass your web filter completely.
  
  
• The best protection is to enable https inspection.   At least 75% of business traffic uses https, so if you do not inspect, you can only filter on URL, not on content.   But enabling https inspection requires a lot of system management effort to detect and correct false positives.   I have run both ways, currently it is off, but I am thinking I should turn it back on.
  
  
• I recommend using both Standard Mode and Transparent Mode.   Standard Mode intercepts traffic on non-standard ports, while Transparent Mode intercepts traffic that attempts to bypass the Standard Proxy.   The combination means that Standard Mode filters browser traffic, and Transparent Mode filters non-browser traffic.   I found that about 50% of my http(s) traffic was not browser-based.  

I don't believe that joining a domain does any more than you said, Doug - allow AD-SSO to work in Web Filtering.

Agreed with your recommendations.  The Standard mode Web Filtering Profile for a subnet MUST come before the Transparent mode one for the same subnet - otherwise the Transparent mode Profile will always be used for the subnet in question.

Cheers - Bob