

User based policy with clientless SSO with Active Directory

Hi all.


I'm trying to configure some user-based policies, but I'm having some trouble getting the desired results (hope someone can help me figure it out :))


I've followed the procedure written in this KB: https://community.sophos.com/kb/en-US/123156 . I've tested accessing firewallip:8090 and I can successfully authenticate against my Active Directory (Windows 2012 R2).


Also, WMI is enabled on my test computer and from the DC I can make a WMI connection (using, for example, wmimgmt.msc). After all the configuration was made, I created a user policy to allow port TCP/4444, HTTP, HTTPS and FTP for my username; however, it is not working.

The Rule is:

From: LAN/user1

To: WAN/any

Services: TCP/4444, HTTP, HTTPS, FTP

Masq

Scan HTTP

Allow and log


In the authentication log, I've noticed that the computer IP address is "mapped" to my username. Also, in the STAS software, I can see in the logs that my user is correctly mapped to the computer IP address. I also performed the STAS WMI verification and Registry Read Verification successfully.


Weird enough, if I connect to the portal (firewallip:8090) and authenticate, the rule becomes active, so my SSO is not working.


Can anyone help me figure this out, please?



  • When you log into the domain, do you see any authentication entries on the XG?

    You should see messages in the log viewer for Authentication by the CTA.
  • Figured it out :)

    I was making RDP connections from my computer to servers using an adm account. Because of this, my computer's IP address was being mapped to the administrator instead of my AD username.

    Thank you for the help, GtVYU

  • I'm noticing that after some time the rule is not effective anymore. In the authentication logs there is no change to the mapping of my computer IP <> username.


    If I re-authenticate on the computer again (doing a logoff/login), the rule is once again effective. :(


    I cannot see any info in the web GUI logs that could explain what is happening...
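The reply above that found the cause (an admin account used for RDP from the same PC got mapped to the workstation's IP) and the later reply about the mapping going stale both come down to the same question: which accounts, and when, has the domain controller recorded for that workstation's IP address. A collector-based clientless SSO such as STAS builds its IP-to-user map from logon events recorded on the domain controllers, so reading those events directly is the quickest way to see the competing account. The PowerShell below is an added example, not code from the thread or from Sophos; it assumes the account running it can read the DC's Security log remotely, and the DC name `dc01.example.local`, the workstation IP `192.0.2.25` and the accounts `CORP\user1` / `CORP\adm.user1` are placeholders. It looks at event 4624 (successful logon, which carries `LogonType` and `IpAddress`) and event 4768 (Kerberos TGT request, which carries the client address but no logon type).

```powershell
# Added example, not code from the original thread or from Sophos. It lists the
# accounts a domain controller's Security log has recorded for one workstation
# IP address, so an admin account used for RDP from that PC shows up next to the
# expected user, with the time each account was last seen.
# Assumptions: the account running this can read the DC's Security log remotely;
# 'dc01.example.local', '192.0.2.25' and the CORP\... accounts are placeholders.

$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function ConvertTo-LogonRecord {
    # Flattens a 4624 (successful logon) or 4768 (Kerberos TGT request) event into
    # Time/EventId/Account/LogonType/IpAddress. 4768 has no LogonType field, and
    # Kerberos events usually write the client address as ::ffff:a.b.c.d, so that
    # prefix is stripped to make the IP comparable with 4624's IpAddress.
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    process {
        $xml = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[[string]$n.Name] = [string]$n.'#text' }
        $logonType = $null
        if ($d.ContainsKey('LogonType')) { $logonType = [int]$d['LogonType'] }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            EventId   = $Event.Id
            Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType = $logonType
            IpAddress = ($d['IpAddress'] -replace '^::ffff:', '')
        }
    }
}

function Get-DcLogonsForIp {
    # Live query: 4624 and 4768 events from the DC for the last $Hours hours, kept
    # only where the client address is the workstation in question.
    param([string]$DomainController, [string]$WorkstationIp, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624, 4768; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop |
        ConvertTo-LogonRecord |
        Where-Object { $_.IpAddress -eq $WorkstationIp }
}

function Group-LogonsByAccount {
    # Pure summary step (no event log access) so it can be run on constructed records.
    param([Parameter(ValueFromPipeline)] $Record)
    begin { $all = @() }
    process { $all += $Record }
    end {
        $all | Group-Object Account | ForEach-Object {
            $types = $_.Group |
                Where-Object { $null -ne $_.LogonType } |
                ForEach-Object { if ($LogonTypeNames.ContainsKey($_.LogonType)) { $LogonTypeNames[$_.LogonType] } else { "$($_.LogonType)" } } |
                Sort-Object -Unique
            [pscustomobject]@{
                Account    = $_.Name
                Logons     = $_.Count
                LastSeen   = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
                LogonTypes = ($types -join ',')
            }
        } | Sort-Object LastSeen -Descending
    }
}

# Constructed sample standing in for what Get-DcLogonsForIp returns live: the
# user's own logon, then a Kerberos TGT request and a logon by an admin account
# from the same workstation IP, which is the pattern that produced the wrong mapping.
$sample = @(
    [pscustomobject]@{ Time = Get-Date '2016-05-10 08:02'; EventId = 4624; Account = 'CORP\user1';     LogonType = 3;     IpAddress = '192.0.2.25' }
    [pscustomobject]@{ Time = Get-Date '2016-05-10 09:30'; EventId = 4768; Account = 'CORP\adm.user1'; LogonType = $null; IpAddress = '192.0.2.25' }
    [pscustomobject]@{ Time = Get-Date '2016-05-10 09:31'; EventId = 4624; Account = 'CORP\adm.user1'; LogonType = 3;     IpAddress = '192.0.2.25' }
)
$sample | Group-LogonsByAccount | Format-Table -AutoSize

# Live use against a real DC (placeholders):
# Get-DcLogonsForIp -DomainController 'dc01.example.local' -WorkstationIp '192.0.2.25' | Group-LogonsByAccount
```

On the constructed sample the summary shows `CORP\adm.user1` as the most recently seen account for the IP, which is the situation the second reply describes. Run against a real DC, the `LastSeen` column is also the thing to compare with the firewall's authentication log when a mapping stops matching after a while: if the DC has logged nothing new for that IP since the last logon, there has been no event for the collector to refresh the mapping from, and a logoff/login produces one.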