
Firewall rules by groups don't work, by user do

UTM 9.103-5
I made a rule (RDP -> internet) that applies to one user (AD user); it works fine.
When I changed that rule to a group (backend membership, AD), the rule doesn't work anymore; the UTM blocks the RDP protocol.
But in the web proxy that group works fine, changing the Web Filtering Profiles.
I checked the AD/UTM connection with "Authenticate example user" and it works.
In Definitions & Users -> Users & Groups (blue !) the user's memberships in groups are not shown, but the web proxy works fine with that group membership.
What can I do :)


  • Please show a picture of your Firewall rule. 

    Cheers - Bob

    Sorry for any short responses.  Posted from my iPhone.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • This is the log of the prefetch:

    Live Log: Directory user prefetch
    2013:07:21-17:25:15 utm user_prefetch[8197]: ------------------------------------------------------------
    2013:07:21-17:25:15 utm user_prefetch[8197]: # 1 Updating user DemoNAV
    2013:07:21-17:25:15 utm user_prefetch[8197]: # 2 Updating user Gunnar
    2013:07:21-17:25:15 utm user_prefetch[8197]: # 3 Updating user Adm05
    2013:07:21-17:25:16 utm user_prefetch[8197]: # 4 Updating user ADM-SQL
    2013:07:21-17:25:16 utm user_prefetch[8197]: 4 user objects were found:
    2013:07:21-17:25:16 utm user_prefetch[8197]: 0 users were created
    2013:07:21-17:25:16 utm user_prefetch[8197]: 4 users were updated
    2013:07:21-17:25:16 utm user_prefetch[8197]: 0 users are authenticated locally.
    2013:07:21-17:25:16 utm user_prefetch[8197]: Overall time: 0m 1s
    2013:07:21-22:25:25 utm user_prefetch[31450]: >=========================================================================
    2013:07:21-22:25:25 utm user_prefetch[31450]: ARGV: $VAR1 = [
    2013:07:21-22:25:25 utm user_prefetch[31450]: '--server-ref',
    2013:07:21-22:25:25 utm user_prefetch[31450]: 'REF_AutAdiSdc01neise'
    2013:07:21-22:25:25 utm user_prefetch[31450]: ];
    2013:07:21-22:25:25 utm user_prefetch[31450]:  using internal configuration from Confd
    2013:07:21-22:25:25 utm user_prefetch[31450]: Using contexts from confd object
    2013:07:21-22:25:25 utm user_prefetch[31450]: ldap server:
    2013:07:21-22:25:25 utm user_prefetch[31450]: server: 172.16.41.20
    2013:07:21-22:25:25 utm user_prefetch[31450]: port: 389
    2013:07:21-22:25:25 utm user_prefetch[31450]: ssl: 0
    2013:07:21-22:25:25 utm user_prefetch[31450]: bind_dn: CN=Adm05,CN=Users,DC=Neise,DC=de
    2013:07:21-22:25:25 utm user_prefetch[31450]: update: 1
    2013:07:21-22:25:25 utm user_prefetch[31450]: contexts:
    2013:07:21-22:25:25 utm user_prefetch[31450]: CN=POP-Mail-Access,OU=Groups,OU=Neise-MS,DC=Neise,DC=de
    2013:07:21-22:25:25 utm user_prefetch[31450]: CN=RDP-Admin,OU=Groups,OU=Neise-MS,DC=Neise,DC=de
    2013:07:21-22:25:25 utm user_prefetch[31450]: CN=Surfen-Full,OU=Groups,OU=Neise-MS,DC=Neise,DC=de
    2013:07:21-22:25:25 utm user_prefetch[31450]: ------------------------------------------------------------
    2013:07:21-22:25:25 utm user_prefetch[31450]: Starting synchronization for adirectory
    2013:07:21-22:25:25 utm user_prefetch[31450]: ------------------------------------------------------------
    2013:07:21-22:25:25 utm user_prefetch[31450]: ------------------------------------------------------------
    2013:07:21-22:25:25 utm user_prefetch[31450]: Searching for users
    2013:07:21-22:25:25 utm user_prefetch[31450]: ------------------------------------------------------------
    2013:07:21-22:25:25 utm user_prefetch[31450]: Connecting to ldap server
    2013:07:21-22:25:25 utm user_prefetch[31450]: ldap server: ldap://172.16.41.20:389
    2013:07:21-22:25:25 utm user_prefetch[31450]: Context 'CN=POP-Mail-Access,OU=Groups,OU=Neise-MS,DC=Neise,DC=de' is a group. Adding group members:
    2013:07:21-22:25:25 utm user_prefetch[31450]: CN=Gunnar Neise,OU=User,OU=Neise-MS,DC=Neise,DC=de
    2013:07:21-22:25:25 utm user_prefetch[31450]: Context 'CN=RDP-Admin,OU=Groups,OU=Neise-MS,DC=Neise,DC=de' is a group. Adding group members:
    2013:07:21-22:25:25 utm user_prefetch[31450]: CN=DemoNAV,OU=User,OU=Neise-MS,DC=Neise,DC=de
    2013:07:21-22:25:25 utm user_prefetch[31450]: CN=Gunnar Neise,OU=User,OU=Neise-MS,DC=Neise,DC=de
    2013:07:21-22:25:25 utm user_prefetch[31450]: CN=Adm05,CN=Users,DC=Neise,DC=de
    2013:07:21-22:25:25 utm user_prefetch[31450]: Context 'CN=Surfen-Full,OU=Groups,OU=Neise-MS,DC=Neise,DC=de' is a group. Adding group members:
    2013:07:21-22:25:25 utm user_prefetch[31450]: CN=ADM-SQL,CN=Users,DC=Neise,DC=de
    2013:07:21-22:25:25 utm user_prefetch[31450]: CN=Gunnar Neise,OU=User,OU=Neise-MS,DC=Neise,DC=de
    2013:07:21-22:25:25 utm user_prefetch[31450]: CN=Adm05,CN=Users,DC=Neise,DC=de
    2013:07:21-22:25:25 utm user_prefetch[31450]: ------------------------------------------------------------
    2013:07:21-22:25:25 utm user_prefetch[31450]: Performing ldap search:
    2013:07:21-22:25:25 utm user_prefetch[31450]: searching 'CN=Gunnar Neise,OU=User,OU=Neise-MS,DC=Neise,DC=de'
    2013:07:21-22:25:25 utm user_prefetch[31450]: searching 'CN=DemoNAV,OU=User,OU=Neise-MS,DC=Neise,DC=de'
    2013:07:21-22:25:25 utm user_prefetch[31450]: searching 'CN=Gunnar Neise,OU=User,OU=Neise-MS,DC=Neise,DC=de'
    2013:07:21-22:25:25 utm user_prefetch[31450]: searching 'CN=Adm05,CN=Users,DC=Neise,DC=de'
    2013:07:21-22:25:25 utm user_prefetch[31450]: searching 'CN=ADM-SQL,CN=Users,DC=Neise,DC=de'
    2013:07:21-22:25:25 utm user_prefetch[31450]: searching 'CN=Gunnar Neise,OU=User,OU=Neise-MS,DC=Neise,DC=de'
    2013:07:21-22:25:25 utm user_prefetch[31450]: searching 'CN=Adm05,CN=Users,DC=Neise,DC=de'
    2013:07:21-22:25:25 utm user_prefetch[31450]: Ldap search returned 7 users
    2013:07:21-22:25:25 utm user_prefetch[31450]: Search time: 0m 0s
    2013:07:21-22:25:25 utm user_prefetch[31450]: ------------------------------------------------------------
    2013:07:21-22:25:25 utm user_prefetch[31450]: Adding/updating users
    2013:07:21-22:25:25 utm user_prefetch[31450]: ------------------------------------------------------------
    2013:07:21-22:25:25 utm user_prefetch[31450]: # 1 Updating user DemoNAV
    2013:07:21-22:25:25 utm user_prefetch[31450]: # 2 Updating user Gunnar
    2013:07:21-22:25:25 utm user_prefetch[31450]: # 3 Updating user Adm05
    2013:07:21-22:25:25 utm user_prefetch[31450]: # 4 Updating user ADM-SQL
    2013:07:21-22:25:25 utm user_prefetch[31450]: 4 user objects were found:
    2013:07:21-22:25:25 utm user_prefetch[31450]: 0 users were created
    2013:07:21-22:25:25 utm user_prefetch[31450]: 4 users were updated
    2013:07:21-22:25:25 utm user_prefetch[31450]: 0 users are authenticated locally.
    2013:07:21-22:25:25 utm user_prefetch[31450]: Overall time: 0m 0s

    In the pictures you can see the problem: the user Gunnar is a member of the group RDP-Admin in AD and also in the prefetch log, but it's not shown at the blue ! in Users.

    I deleted all Users and Groups, but no success!
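The prefetch log above is the evidence the poster relies on: the "Context '...' is a group. Adding group members:" blocks list which DNs the UTM resolved for each AD group. The following script is an added example, not code from the original thread or from Sophos; it parses those blocks from a constructed copy of the posted log lines and reports which groups each user DN was resolved into, so the log-side membership (here: "CN=Gunnar Neise" in RDP-Admin) can be checked mechanically instead of by eye. It matches on the leading CN of the member DN; the short names in the "Updating user ..." lines are a different attribute and are not used.

```python
import re
from collections import defaultdict

# Constructed sample: the "Adding group members" section of the prefetch log
# posted in this thread, with the same timestamps and PID. Not a live capture.
SAMPLE_LOG = """\
2013:07:21-22:25:25 utm user_prefetch[31450]: Context 'CN=POP-Mail-Access,OU=Groups,OU=Neise-MS,DC=Neise,DC=de' is a group. Adding group members:
2013:07:21-22:25:25 utm user_prefetch[31450]: CN=Gunnar Neise,OU=User,OU=Neise-MS,DC=Neise,DC=de
2013:07:21-22:25:25 utm user_prefetch[31450]: Context 'CN=RDP-Admin,OU=Groups,OU=Neise-MS,DC=Neise,DC=de' is a group. Adding group members:
2013:07:21-22:25:25 utm user_prefetch[31450]: CN=DemoNAV,OU=User,OU=Neise-MS,DC=Neise,DC=de
2013:07:21-22:25:25 utm user_prefetch[31450]: CN=Gunnar Neise,OU=User,OU=Neise-MS,DC=Neise,DC=de
2013:07:21-22:25:25 utm user_prefetch[31450]: CN=Adm05,CN=Users,DC=Neise,DC=de
2013:07:21-22:25:25 utm user_prefetch[31450]: Context 'CN=Surfen-Full,OU=Groups,OU=Neise-MS,DC=Neise,DC=de' is a group. Adding group members:
2013:07:21-22:25:25 utm user_prefetch[31450]: CN=ADM-SQL,CN=Users,DC=Neise,DC=de
2013:07:21-22:25:25 utm user_prefetch[31450]: CN=Gunnar Neise,OU=User,OU=Neise-MS,DC=Neise,DC=de
2013:07:21-22:25:25 utm user_prefetch[31450]: CN=Adm05,CN=Users,DC=Neise,DC=de
2013:07:21-22:25:25 utm user_prefetch[31450]: ------------------------------------------------------------
2013:07:21-22:25:25 utm user_prefetch[31450]: Performing ldap search:
"""

# One log line: "<timestamp> <host> user_prefetch[<pid>]: <message>"
LINE_RE = re.compile(r"^\S+ \S+ user_prefetch\[\d+\]: (?P<msg>.*)$")
# Start of a group block as printed by the prefetch
GROUP_RE = re.compile(r"^Context '(?P<dn>[^']+)' is a group\. Adding group members:$")
# A member line: a DN made of CN/OU/DC components (assumption: no escaped commas)
DN_RE = re.compile(r"^CN=[^,]+,(?:(?:OU|CN|DC)=[^,]+,)*DC=[^,]+$")


def rdn_cn(dn):
    """Leading CN value of a DN, e.g. 'RDP-Admin' or 'Gunnar Neise'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1]


def parse_prefetch(log_text):
    """Map group CN -> list of member DNs found in 'Adding group members:' blocks.

    A block ends at the first line that is not a DN (a separator, the next
    'Context ...' line, or any other message).
    """
    groups = defaultdict(list)
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a prefetch line (e.g. WebAdmin chrome pasted into the log)
        msg = m.group("msg").strip()
        g = GROUP_RE.match(msg)
        if g:
            current = rdn_cn(g.group("dn"))
            groups.setdefault(current, [])  # record empty groups too
            continue
        if current is not None and DN_RE.match(msg):
            groups[current].append(msg)
        else:
            current = None
    return dict(groups)


def groups_of(groups, member_cn):
    """Sorted group CNs whose member list contains a DN with leading CN == member_cn."""
    return sorted(
        g for g, dns in groups.items() if any(rdn_cn(d) == member_cn for d in dns)
    )


def check_membership(groups, member_cn, group_cn):
    """True if the prefetch resolved member_cn as a member of group_cn."""
    return group_cn in groups_of(groups, member_cn)


if __name__ == "__main__":
    parsed = parse_prefetch(SAMPLE_LOG)
    for group, members in parsed.items():
        print(f"{group}: {[rdn_cn(d) for d in members]}")
    print("Gunnar Neise in RDP-Admin:", check_membership(parsed, "Gunnar Neise", "RDP-Admin"))
```

Run it against a copy of your own prefetch live log; if a user shows up under the expected group here but not in Users & Groups, the mismatch is between the prefetch result and what WebAdmin displays, not in what the AD returned.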
  • In client authentication, is the group in allowed users and groups?
  • Yes, the groups are all in there. 
    But anyhow, see the difference in the pictures: in my UTM the user is in no group, in another UTM the user is in the groups like it should be, and the rules are working fine:
  • Hi - for your interest: I have an open call for this issue.
    At the moment, it looks like a bug (firmware: 9.103-5).

    Nice greetings
  • I don't think this is a bug.  I think it's related to a two-year-old feature request: Reporting: AD/eDir Backend Group "Departments"

    Cheers - Bob
  • I think it's a bug, because it works several times in other configs.
  • Agree, this seems like a bug. The groups do not work, but adding individual users works well. Only tested on the local network, so it might work when the user is logged in via VPN.

  • We didn't have STAS in 2013, Joseph, so what they were expecting never worked - that's why I was confused by what they were asking.  Now, if you install STAS on your Windows server(s), you should be able to make firewall rules based on, for example, "Joseph (User Network)."

    I don't know if this capability has been extended to "{Backend Group} (User Group Network)" - please let us know if you try that.

    Cheers - Bob
