
How to replace computer IP with AD user name in the log report?

Hi all,

I am a new Sophos Firewall user.

I need detailed information to trace who uses the computers (we have 5 computers to serve all staff) and what websites the users log in to.

I followed the article (https://community.sophos.com/kb/en-us/115659) and finished points 1, 2, 3 and 4.

At point 5, I am confused. To meet this purpose, do I need to create a proxy server on the Windows server?

Sorry for my bad English.

 



This thread was automatically locked due to age.
  • Hello,

    The proxy server is in the UTM; it is called Web Protection. It depends on your needs whether you use transparent or standard mode. You can find good descriptions here, for example from DouglasFoster I think.

    Best

    Alex


  • I already set it to Transparent mode, but the log still shows IPs.

    Also, what does "FQDN (to force auth by Kerberos instead of NTLM) of the UTM's 'Internal (Address)'" mean? Does it mean the Sophos Firewall IP?

    Thanks a lot!

  • If the webfilter log does not have usernames, it is because you are not doing authentication.

    If the webfilter log has IP addresses instead of host names, it is because you have not configured Reverse DNS lookups from UTM to your internal DNS server. 

    If UTM is your only DNS and DHCP server, the logs may not contain host names.   I say this because other posts in this forum indicate that the UTM DHCP server does not update the UTM DNS with host names.  I do not use UTM for DHCP so I cannot say this from personal experience.

    There is a lot of valuable information in this forum that is not in the manuals.   Start by reading the articles in the Wiki section of this forum.  Then read my post in the WebFilter sub-forum about Web Filtering lessons learned.
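
As an added example (not part of the original posts and not Sophos code), this Python script applies the diagnosis above to exported web filter log lines: per source IP it lists which authenticated users visited which hosts and counts requests that carried no user name. The log line shape (key="value" pairs with `srcip`, `user` and `url`) and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines (not from a real appliance). Assumed shape:
# key="value" pairs that include srcip, user and url.
SAMPLE_LOG = '''\
2024:01:15-09:12:01 utm httpproxy[4211]: name="http access" action="pass" srcip="10.1.1.21" user="alice" ad_domain="DOMAIN" url="http://intranet.example/login"
2024:01:15-11:40:17 utm httpproxy[4211]: name="http access" action="pass" srcip="10.1.1.21" user="bob" ad_domain="DOMAIN" url="https://mail.example/inbox"
2024:01:15-11:41:02 utm httpproxy[4211]: name="http access" action="pass" srcip="10.1.1.22" user="" ad_domain="" url="http://news.example/"
2024:01:15-11:41:09 utm httpproxy[4211]: name="http access" action="pass" srcip="10.1.1.22" user="" ad_domain="" url="http://news.example/sport"
2024:01:15-12:05:44 utm httpproxy[4211]: name="http access" action="pass" srcip="10.1.1.23" user="carol" ad_domain="DOMAIN" url="http://shop.example/cart"
'''

FIELD = re.compile(r'(\w+)="([^"]*)"')


def summarize(log_text):
    """Return {srcip: {"users": {user: set(hosts)}, "unauthenticated": n}}."""
    report = defaultdict(lambda: {"users": defaultdict(set), "unauthenticated": 0})
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if "srcip" not in fields or "url" not in fields:
            continue  # not a web access line
        entry = report[fields["srcip"]]
        user = fields.get("user", "")
        if not user:
            # No user name logged: the request was not authenticated.
            entry["unauthenticated"] += 1
            continue
        host = urlsplit(fields["url"]).hostname or fields["url"]
        entry["users"][user].add(host)
    return report


def shared_ips(report):
    """Source IPs where more than one user name was seen (shared computers)."""
    return sorted(ip for ip, e in report.items() if len(e["users"]) > 1)


def unauthenticated_ips(report):
    """Source IPs with at least one request logged without a user name."""
    return sorted(ip for ip, e in report.items() if e["unauthenticated"])


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for ip in sorted(rep):
        users = {u: sorted(h) for u, h in rep[ip]["users"].items()}
        print(ip, users, "unauthenticated:", rep[ip]["unauthenticated"])
```
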

     

  • Hi and welcome to the UTM Community!

    I have pinned the post to which DouglasFoster refers at the top of the Web Filtering forum.

    To answer your question, I will use an example.  Assuming that the IP of "Internal (Address)" is 10.1.1.1 and that utm.domain.local resolves to 10.1.1.1 in your local domain, use utm.domain.local in the 'Proxy Settings' in the clients' browsers.  This causes the UTM web proxy to query Active Directory using Kerberos.  Using 10.1.1.1 in 'Proxy Settings' would cause the UTM to use NTLM with AD, and that is less reliable.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thanks for the reply.

    I don't know why it is still not OK.

    I will try trial and error!