
Sophos UTM9 Web filtering picks computer$ account for some users

Hi,

I am having a very interesting problem. I have set up web filtering with Active Directory groups, and members of these groups can go to the internet. I also set a block action for the others who are not members of these groups. Some of my users who are members of these groups are blocked, and when I checked the logs I found that there is no user information for these users, only the computer$ account. Those users are blocked and cannot use the internet now because of the block action.

I haven't set any proxy on my clients yet. I have checked a couple of articles and couldn't find anything regarding this either. When I set a proxy on a client it comes through with the right information, but otherwise it keeps coming through with the computer$ account.

Has anyone ever struggled with this?

Regards,  



  • There are several ways of doing authentication; one of the common ones is NTLM. IIRC NTLM will authenticate and cache that information for about 5 minutes before trying to authenticate again. If the web request that is trying to authenticate comes from a browser or application running in user space, it will authenticate as that user. If the request comes from something running as the system or computer account, it will authenticate as that.

    It will continue to use the computer account for five minutes, until it authenticates again.

    Off the top of my head, I do not recall what the solution is on the UTM.

  • Hi Michael,

    Thank you very much for your answer.

    If I make them come through the proxy as you say, it fixes the problem because the packets come through the browser. But I have some firewall rules which determine which user can go to which servers. As I created groups, all of my users connect through these rules. As far as I understand, it will use the computer account as well to try to connect to the file server. (All my servers are in the DMZ and all group members connect through allowed ports.) So this will be another problem if I use the proxy for web browsing.

    I am using STAS to send data to the firewall from my DC, but still some computers use the computer$ account, and in 5 or 10 minutes it doesn't change.

    Do you believe there is a solution for this, or is there any suggestion you can make that I can follow?

    Again, thank you.

  • If you are using STAS then I don't think that you should ever be getting computer$ names. I would look at your STAS configuration. Sorry I cannot help more.

     

    https://community.sophos.com/kb/en-us/123141

    https://community.sophos.com/kb/en-us/123156

  • Hello Taner, and welcome to the UTM Community!

    In general, I would skip Web Filtering for servers in the DMZ - is that what you're doing?

    Also, I don't understand "I am using STAS to send data to firewall on my DC."

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob

    Thank you very much. Yes, I added the server DMZ IPs to the skip list. What I mean by STAS is this: I actually have 3 web access groups (mail access, general and full permission), and the members of these groups in AD can get to the internet according to their rights as determined in Sophos. On my DC, STAS is set up and running successfully with no problem; I can see all users who logged on to the DC, so web filtering can get the online data through STAS. Everything is OK so far, but I have found out that some users can use some sites that they shouldn't. To block this I have added a block action so that if someone is not a member of my domain they don't go to the internet; what I was trying to do was find out who is having the problem. When I activated the block action, some users came to me and told me that they cannot go to the internet at all, so when I checked the web filtering live logs I saw that their computer tries to go to the internet using their computer$ account instead of their username. That is why Sophos cannot find out who is trying to come out, and the block action rule is blocking the computers straight away. I am trying to find out how I can stop them sending the computer account and start sending the username.

    Thank you very much again

    Regards

  • If you are not doing https-inspection, UTM cannot see the NTLM information or the path+querystring information in the packet, because this information is in the encrypted portion.   As a workaround, UTM assumes that the https user is the same as the last-known http user from the same IP.   If there is not an initial http packet, UTM has to default to the unauthenticated user policy.

    This is all documented, but I am sure it is easy to miss.   Most of the authentication methods do some form of IP-to-user inference.

  • Here is a list of ways to work around this limitation:

    1. Allow unauthenticated users to have access to a basic set of "safe" destinations.   After analysis of my traffic, I concluded that a significant amount of it came from fat-client applications (that could not do NTLM) and operating system overhead (that will run when the user is logged out).    As described in my Web Filtering lessons learned post, I use Standard Mode with AD SSO for web traffic, and Transparent Mode without authentication to protect everything else without creating unwanted blocks.    This strategy also provides a minimum set of capabilities to the user who connects to https before http.

    2. Use HTTPS Inspection (decrypt-and-scan).   This provides visibility to the NTLM information.   However, you will have some sites that are exempted from decrypt-and-scan.  If an exempt https site is the first thing referenced, you still face the possibility of an unauthenticated user event.

    3. Use GPO to fix the problem.   Your GPO probably sets every user's browser startup page to your organization's internal web page.  This does not go through UTM, so it does not help.   But you can also configure a second tab that opens your organization's external web site using an http: reference.   Whether the site operates on http or redirects from http to https, UTM will see the initial http connection attempt and identify the user.   (The same approach could be used with the Google search page.)   Using GPO with I.E. and Chrome is easy.   Other browsers can be customized with an extra-cost third-party tool.  (Opinion:  Any browser that cannot be configured with GPO should not be allowed to be installed within your organization.)
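    A constructed triage script, added here as an example and not code from the thread or from Sophos, that applies the reasoning in the two posts above to UTM-style http.log lines: it parses the key="value" fields, counts requests the proxy authenticated as a computer account (a user ending in `$`, which is how AD names machine accounts), and flags source IPs whose very first request seen by the proxy was an https CONNECT with no real user to inherit from, the case where UTM falls back to the unauthenticated policy. The log lines are made up; the field names used (srcip, user, method, action, url) follow the UTM proxy log format, but a real line carries many more fields.

    ```python
    import re
    from collections import defaultdict

    # Constructed sample lines in the shape of Sophos UTM http.log entries
    # (a timestamp/host/process prefix followed by key="value" pairs).
    # Hosts, IPs, users and URLs are invented for this example; real lines
    # contain more fields than shown here.
    SAMPLE_LOG = """\
    2019:05:20-09:00:01 utm httpproxy[5489]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.1.20" user="EXAMPLE\\alice" url="http://www.example.com/"
    2019:05:20-09:00:05 utm httpproxy[5489]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.1.1.20" user="EXAMPLE\\alice" url="https://mail.example.net/"
    2019:05:20-09:00:09 utm httpproxy[5489]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="block" method="CONNECT" srcip="10.1.1.31" user="EXAMPLE\\WS031$" url="https://login.example.org/"
    2019:05:20-09:00:12 utm httpproxy[5489]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="block" method="CONNECT" srcip="10.1.1.31" user="EXAMPLE\\WS031$" url="https://update.example.org/"
    2019:05:20-09:00:20 utm httpproxy[5489]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="block" method="CONNECT" srcip="10.1.1.45" user="" url="https://www.example.com/"
    """

    KV_RE = re.compile(r'(\w+)="([^"]*)"')
    PREFIX_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+?):\s+')


    def parse_line(line):
        """Return the key="value" fields of one http.log line plus its timestamp."""
        fields = dict(KV_RE.findall(line))
        m = PREFIX_RE.match(line)
        if m:
            fields["timestamp"] = m.group(1)
        return fields


    def is_computer_account(user):
        # AD machine accounts are named HOSTNAME$; a proxy user of DOMAIN\HOST$
        # means a process running as SYSTEM/the machine did the NTLM handshake,
        # not the interactively logged-on user.
        return user.endswith("$")


    def triage(log_text):
        """Group entries by source IP and summarise the identity the proxy saw."""
        per_ip = defaultdict(lambda: {
            "users": set(), "machine_hits": 0, "blocked": 0,
            "first_method": None, "https_before_http_identity": False,
        })
        for raw in log_text.splitlines():
            f = parse_line(raw)
            ip, user = f.get("srcip"), f.get("user", "")
            if not ip:
                continue
            rec = per_ip[ip]
            if rec["first_method"] is None:
                rec["first_method"] = f.get("method")
                # The failure mode described above: the first thing the proxy
                # sees from this IP is an https CONNECT with no real user, so
                # there is no last-known http user to inherit.
                if f.get("method") == "CONNECT" and (not user or is_computer_account(user)):
                    rec["https_before_http_identity"] = True
            if user:
                rec["users"].add(user)
            if is_computer_account(user):
                rec["machine_hits"] += 1
            if f.get("action") == "block":
                rec["blocked"] += 1
        return dict(per_ip)


    def problem_ips(summary):
        """IPs that only ever showed a computer$ identity, or never had an http identity first."""
        out = []
        for ip, rec in sorted(summary.items()):
            real_users = {u for u in rec["users"] if not is_computer_account(u)}
            if rec["machine_hits"] and not real_users:
                out.append((ip, "only computer$ identity seen"))
            elif rec["https_before_http_identity"]:
                out.append((ip, "https first, no http identity to inherit"))
        return out


    if __name__ == "__main__":
        summary = triage(SAMPLE_LOG)
        for ip, reason in problem_ips(summary):
            rec = summary[ip]
            print(f"{ip}: {reason} (blocked={rec['blocked']}, users={sorted(rec['users'])})")
    ```

    Run against a real export of the Web Filtering log, an IP that shows up only with a computer$ user points at the NTLM-from-a-system-process case, while an IP whose first request was https with an empty user matches the https-before-http case; either way the per-IP view tells you which workstation to look at rather than which user.
    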
  • Hi Douglas,

    If you mean the HTTPS decryption under Web Filtering -> Profile -> HTTPS -> Decrypt and scan, the following is already selected for the HTTPS traffic.

    Somehow still having the same problem.

     

  • Actually, I believe that is already set.

    1. All users are domain members and they all use Windows 10 Pro; every setting is the same for all, and only 2-3% of my users cannot get through.

    2. I have already been doing this for a long time.

    3. My first web site is Google, but to be honest the problem seems different, as Outlook, Skype for Business or anything else on the computer stops. No internet at all. On that computer, if I set the proxy to the Sophos UTM, the internet comes straight away and everything starts connecting, but when I delete the proxy settings from the browser, in the logs I start seeing only the computer$ account straight away again.

    It is weird, or I have missed some points, I don't know, but for sure there must be a part I have missed.

     

    Regards,

  • Full disclosure:  I have a love-hate relationship with decrypt-and-scan.   Currently, the love has gone cold so I am using it only on myself.   I may write a full post on the subject someday.  However, whenever I have used it, I used the unqualified "decrypt and scan" option.

    To solve your problem, you will need to look harder at the logs.   But I fully expect that:

    • the web traffic is occurring when the user is logged out, or
    • the traffic is not meeting the criteria on your screen shots.  Possibilities include:
      • the Filter Profile Allowed Networks object is not resolving correctly to match your source IP (in particular, I think there are problems with Network Range objects (partial subnets)),
      • The source IP does not match the Filter Profile allowed networks list at all,
      • the site is uncategorized so it does not match your category list, or
      • an exception (such as Windows update) is bypassing decrypt-and-scan.