A few days ago I started a trial of SFOS 18.5 as a Hyper-V VM, specifically to trial the Web Filtering feature.
Our users log on to Server 2012R2 Remote Desktop Servers.
I've followed the guides on the website to add an AD server along with the groups I would like to use with Web Filtering. I've created Web Filtering Policies and assigned the groups to them accordingly.
I then set up a firewall rule to allow web filtering.
My initial problem was that the proxy was intercepting the traffic, but was not filtering the user. I could tell from the logs that it could see the correct user group.
After some Googling I came across this post and came to the conclusion that Web Filtering on RD Servers is not supported without the SATC client installed, but the SATC client is EOL. However, SFOS 19 uses direct proxy with AD SSO.
This morning I have upgraded to SFOS 19 and implemented the AD SSO thing per this guide.
When I try to browse the web via the web filter (Chrome), I immediately get the error "ERR_TUNNEL_CONNECTION_FAILED".
I've checked the XG log and get the following error message:
messageid="17945" log_type="Event" log_component="AD SSO" log_subtype="Authentication" status="Failed" user="" user_group="" client_used="" auth_mechanism="" reason="" src_ip="DC_IP_ADDRESS" message="Cannot establish NTLM authentication channel with MyDomainName" name="" src_mac=""
Text in red has been changed by me.
I've followed the instructions again and as far as I can tell I have done everything OK. I can log into the XG with my Domain account.
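An added example, not part of the original post and not Sophos code: a small Python triage for exported event lines in the key="value" format quoted above, counting AD SSO authentication failures per source and message. The sample lines are constructed from the line in the post, the function names are hypothetical, and values are assumed not to contain escaped quotes.

```python
import re
from collections import Counter

# key="value" pairs as they appear in the event line quoted in the post
PAIR = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: the post's line twice, plus one unrelated made-up event
FAILED = ('messageid="17945" log_type="Event" log_component="AD SSO" '
          'log_subtype="Authentication" status="Failed" user="" user_group="" '
          'client_used="" auth_mechanism="" reason="" src_ip="DC_IP_ADDRESS" '
          'message="Cannot establish NTLM authentication channel with MyDomainName" '
          'name="" src_mac=""')
OTHER = ('messageid="00000" log_type="Event" log_component="GUI" '
         'status="Successful" user="admin" src_ip="192.0.2.10" '
         'message="constructed sample line"')
SAMPLE = [FAILED, FAILED, OTHER]


def parse_event(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(PAIR.findall(line))


def adsso_failures(lines):
    """Yield parsed events where the AD SSO component reports status Failed."""
    for line in lines:
        ev = parse_event(line)
        if ev.get("log_component") == "AD SSO" and ev.get("status") == "Failed":
            yield ev


def summarize(lines):
    """Count AD SSO failures per (src_ip, message) pair."""
    return Counter((ev.get("src_ip", ""), ev.get("message", ""))
                   for ev in adsso_failures(lines))


def failures_without_user(lines):
    """Failures that, like the line in the post, record no user and no mechanism."""
    return [ev for ev in adsso_failures(lines)
            if not ev.get("user") and not ev.get("auth_mechanism")]


if __name__ == "__main__":
    for (src, msg), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {src}  {msg}")
    print("failures with no user recorded:", len(failures_without_user(SAMPLE)))
```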
Your AD SSO (Kerberos) does not work. So everything in the Guide is using this step.
The Firewall will be added to your domain. So you need Domain Admin Rights in the firewall in the first place to add this (or at least higher privileges). Check if your Firewall was added or not.
Check the log in /log/nasm.log for more information. (Advanced Shell)