Just working on a test XG box before going live.
We are a large org and group memberships change quite often. People are a member of many groups for web access.
Here is an example I can't get working - but works fine on UTMs.
USER1 is in the "Finance Team" group. By default this policy blocks all streaming video, but some users need YouTube and Vimeo, and they are in an AD group called "Allow YouTube" or "Allow Vimeo". This is still being blocked after adding this in the web policy above the block - this is using the URLs.
The group is added fine but shows no members. Doing a sync test on AD works fine, it's just not updating the group members on its own.
When looking in "Users" they are there but with just their primary group, and not all the other web groups they are a member of.
Any ideas?
Hi DuncanNewell, please refer to the article Sophos Firewall: Group membership behavior with Active Directory: https://community.sophos.com/kb/en-us/123161
In reply to Keyur:
Thanks for the reply. Is there a way to do this without using "Captive Portal", as this would be a big culture change for our users? Currently with UTM they just access the internet and it works; doing it that way would add a massive layer of complexity and cause more issues for users. They need it to work the same as it does now with UTM, without doing anything additional. This seems a backward step.
In reply to DuncanNewell:
Hi DuncanNewell, I would recommend you use STAS authentication: https://community.sophos.com/kb/en-us/123156 As soon as the user logs in to the Windows machine through AD as a domain user, they will be authenticated on the XG firewall and able to access the Internet.
Thanks for the info, I will take a look. One thing I noticed is that this says "This article explains how to integrate STAS in an environment with a single Active Directory Server." We have multiple domain controllers - around 20 - so I guess this needs to go on all of them.
Hi DuncanNewell, please refer to the articles: https://community.sophos.com/kb/en-us/123154 https://community.sophos.com/kb/en-us/133531
The point is, XG knows all groups of all users but actually does not show the group membership in the GUI.
So basically, the groups are empty except the main group (default group).
So your rule set (first match) should work fine.
In reply to LuCar Toni:
Thanks for the info, will have to look into STAS. Bit of a pain for large orgs like us with 20 or so DCs if the client needs to go on each, wish it worked the same as UTMs.