Authentication logs show the user is authenticated correctly
However when browsing, the web filter doesn't pick up the user, so therefore doesn't apply the right policies
Any ideas where to look?
This thread was automatically locked due to age.
Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.
Authentication logs show the user is authenticated correctly
However when browsing, the web filter doesn't pick up the user, so therefore doesn't apply the right policies
Any ideas where to look?
No, no server protection client
Did you install SATC, which is End of Life? This tool does not work anymore.
__________________________________________________________________________________________________________________
Ok. That would explain it. Must have missed this. It's still available to download in the Sophos under authentication / client downloads?
What's the replacement to SATC to authenticate users on a terminal server?
Further to that, it's still listed in the Sophos documentation
And there's even a step by step document here: https://support.sophos.com/support/s/article/KB-000036877?language=en_US
The authentication part is working fine. It recognises and authenticates the user. It's just that the web policy doesn't recognise that authentication.
SATC was removed due the issues within SATC. It does not work with Internet Explorer, it does not work with Chrome anymore. It will not work, if you have enhanced AV protection by several AVs installed etc.
https://bugs.chromium.org/p/chromium/issues/detail?id=930750
Therefore SATC was removed and put into EoL state. It got replaced by Server Protection (Intercept X for Server) and a new feature in V19.0 with the legacy proxy.
Using V18.5 and Intercept X will work like before in SATC.
Using V19.0 and new feature multihost is a new technology to implement a terminal server authentication. You need to have v19.0 for this but you do not need intercept x. https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/HowToArticles/AuthenticationConfigurePerConnectionAuth/index.html#create-firewall-rules-for-multi-user-host-traffic
__________________________________________________________________________________________________________________
So, if a customer has a Sophos XG Firewall and doesn't use Sophos Antivirus, they can't have user based web filtering on a terminal server??
They can use the new feature in V19.0.
__________________________________________________________________________________________________________________
Version 19 isn't in general release though, and for a lot of customers means buying new hardware.
I am not sure, how many customers have a XG85/105 and a terminal server and not Intercept X. That is the only customer affected by this.
__________________________________________________________________________________________________________________