Authentication with AD based on groups

I´d like to do authentication based on groups. My appliance is a WSA500.

I only want to allow internet access to users in the AD group ghttp.

Is that possible?

If yes, please tell me how.



  • Hi Holger,

    There's several ways to achieve this goal, here is one way:

    First, make sure you set up AD Authentication on your appliance: 

    Sophos Web Appliance: requirements and best practices to setup authentication

    Configuring Active Directory Access

    Then you can set up your default policy to block all

    Lastly, you can set up an Additional Policy - specify AD group ghttp and allow the categories you would like for them to be able to access



  • In reply to Karlos:

    Thanks Karlos,


    I saw the points in the menus.

    But one question is coming up everytime:

    Why does everyone has access to the internet although I configured in the Group Policy default groups menu, that only specific groups are allowed to!?

    But I have users which are not member of this group ghttp which are still allowed to access the internet....

    Any thoughts?


    Or is your suggestion to fix it with additional Policy my solution already?

    Thanks in advance,



  • In reply to ChristianZittar:

    Under Default Groups, make sure that your radio button is selected as you are trying to configure.

    Under System Authentication, authentication failure, make sure that you Block access.


    If it is still allowing access that it shouldn't, under the Recent Activity Search, is it showing the usernames or the IPs?

  • In reply to Michael Dunn:

    Dear Michael,


    thanks for the informations.

    Under Default Groups I have selected the radio button, Only selectewd Entries

    Under System Authentication is Block Access

    Under Recent Activity Search I have the usernames.


  • In reply to ChristianZittar:

    Go to the Policy Test menu item.  Enter in the destination and user name and test.

    If the "Policy" that it hits is Default Policy, then you have a problem with Default Groups.

    If the Policy is the name of one of your additional policies, you have a problem with that one, check the first tab.

  • In reply to Michael Dunn:

    Thank you!! I wanted to do the same something in my site: and I could do it.

    Now, I will try to replicate to other sites I am managing.