Do I have to do this:
to get this:
Long Version: Installed XG135. LOVE. Got everything running smoothly.
Boss: can we get more granular info? Set up workstation to dedicate to iView. Install iView. Seems to work OK. Until I go to get more granular info. Dashboards > Traffic > User:
User: Unidentified, Bytes: 5.6 GB, Percent: 100%
This is because I did NOT do the AD integration, correct?
Hi Tony Argh
Yes, that is correct. (However, there are other flavors of associating a user database to your XG - LDAP, RADIUS, etc. but AD is the most commonly used and supported)
Then there are a couple of different options available:
Then creating a user-enforced firewall rule that applies a web policy.
In reply to FloSupport:
More or less. Ultimately if you do not have authentication then it should report on IP address. If you have authentication then it can report on the username. There are a few authentication services provided, but AD is the most common. There are a few different ways that the XG can learn who the user is at each IP. If you do not have AD you can still have XG-created users and a more limited way of determining which user is where.
clientless users - this is a permanent IP-User mapping. Typically non-AD users. Useful in non-AD environments, where devices are always used by one person, or servers which might do traffic but not have anyone logged in.
STAS - If I recall correctly there are a few AD integrations; the most common is STAS.
CAA - A client sitting in the system tray is used to log in and out.
(web only) Captive Portal - web traffic from an unknown user gets redirected to a portal login page where they have to enter in username and password. Both AD and non-AD supported.
(web only) AD SSO (single sign on) - web traffic from an unknown user uses NTLM to automatically (silently) log in as same user. Only AD supported. Falls back to Captive Portal.
Do you want the user only for reporting purposes, or do you want to apply different policies to different users? E.g. no one is allowed to visit Social Networking before 5pm... except the boss.
Do you have guest wifi access?
Do you have BYOD wifi access? Personal phones are not typically associated with AD users.
Do you have people changing their IP addresses?
Do you have multiple people using the same computer?
Do you only care about web, or about all traffic (just which users are using the firewall rule that allows the Clash of Clans port)?
If some traffic is still not with a user, is that OK, or are you looking to associate 100%?
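To make the "report on IP address vs. report on username" distinction above concrete, here is an added example (not Sophos, iView or STAS code, and all names and sample data are constructed) that resolves traffic records to users the way the methods listed above would: a permanent clientless IP-user mapping, a time-windowed logon/logoff session table in the style STAS or CAA would supply, and "Unidentified" for anything that matches neither. It also shows why the same report collapses to a single 100% Unidentified row when no mapping source exists, and how a second person logging on to the same IP ends the previous session.

```python
"""Added example: how per-user reporting depends on an IP-to-user mapping.
Constructed data only; this is not XG, iView or STAS code."""
from collections import defaultdict
from datetime import datetime

UNIDENTIFIED = "Unidentified"

# Constructed: a permanent (clientless) IP-user mapping for a server that
# sends traffic but never has anyone logged on.
CLIENTLESS_USERS = {"10.0.0.50": "fileserver"}

# Constructed: logon/logoff events as an agent such as STAS would report them.
# (timestamp, ip, user, event). Two people use 10.0.0.21 during the day.
LOGON_EVENTS = [
    ("2024-01-10 08:00:00", "10.0.0.21", "jemployee", "logon"),
    ("2024-01-10 12:00:00", "10.0.0.21", "jemployee", "logoff"),
    ("2024-01-10 12:05:00", "10.0.0.21", "boss", "logon"),
]

# Constructed traffic log: (timestamp, source ip, bytes). 10.0.0.77 is a
# BYOD phone with no mapping of any kind.
TRAFFIC = [
    ("2024-01-10 09:00:00", "10.0.0.21", 1_000_000),
    ("2024-01-10 12:30:00", "10.0.0.21", 2_000_000),
    ("2024-01-10 10:00:00", "10.0.0.50", 500_000),
    ("2024-01-10 10:00:00", "10.0.0.77", 300_000),
]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def build_sessions(events):
    """Turn logon/logoff events into (ip, user, start, end) windows.

    Any event on an IP with an open session closes that session first, so a
    second person logging on to the same computer ends the first person's
    window. end=None means the user is still logged on."""
    open_by_ip = {}
    sessions = []
    for when, ip, user, kind in sorted(events, key=lambda e: ts(e[0])):
        t = ts(when)
        if ip in open_by_ip:
            prev_user, start = open_by_ip.pop(ip)
            sessions.append((ip, prev_user, start, t))
        if kind == "logon":
            open_by_ip[ip] = (user, t)
    for ip, (user, start) in open_by_ip.items():
        sessions.append((ip, user, start, None))
    return sessions


def resolve_user(ip, when, sessions, clientless):
    """Permanent mapping first, then the session window containing the
    traffic timestamp, otherwise the traffic stays unidentified."""
    if ip in clientless:
        return clientless[ip]
    for s_ip, user, start, end in sessions:
        if s_ip == ip and start <= when and (end is None or when < end):
            return user
    return UNIDENTIFIED


def report(traffic, sessions=(), clientless=None):
    """Bytes per user. With no mapping sources at all, every record lands in
    Unidentified, which is the 100% Unidentified row in the dashboard."""
    clientless = clientless or {}
    totals = defaultdict(int)
    for when, ip, nbytes in traffic:
        totals[resolve_user(ip, ts(when), sessions, clientless)] += nbytes
    return dict(totals)


def report_by_ip(traffic):
    """What a report can still show without any authentication: per-IP totals."""
    totals = defaultdict(int)
    for _, ip, nbytes in traffic:
        totals[ip] += nbytes
    return dict(totals)


if __name__ == "__main__":
    print("no mapping sources:", report(TRAFFIC))
    print("by IP only:       ", report_by_ip(TRAFFIC))
    sessions = build_sessions(LOGON_EVENTS)
    print("with mappings:    ", report(TRAFFIC, sessions, CLIENTLESS_USERS))
```

The leftover Unidentified bytes in the last report are the phone traffic: that is the "is some traffic without a user OK?" question from the list above, and the usual answers are a captive portal for those devices or accepting that they are reported by IP only.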
In reply to Michael Dunn:
Thanks for taking the time, guys. Yes, we use AD.
In reply to Tony Argh:
I would look at STAS. If that doesn't work out, AD SSO (NTLM) with fallback to captive portal. Phones would need to use captive portal, or you need to allow them without logging in and user logging.
One final question (hopefully) before I install STAS. Doing this today or tomorrow.
I set up SSL VPN on my XG and manually added my VPN people. Will setting this up have any impact on that?
Concerned that I have JEmployee set up there and then JEmployee set up in AD too.