Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 9 replies
  • Subscribers 2 subscribers
  • Views 10389 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

RED and AD authentication

abens
I have a UTM 425 Version number 9.308-16.  We recently switched from and e-directory SSO to and Active Directory SSO.  We have web filtering set up so a proxy address is required in the browser, and a group of users authorized to access the internet.   Since moving over everyone is working fine except the two remote locations sitting behind RED 10's.  The get an authentication failed page.  It doesn't matter which user logs in, it happens on all users.

Web Filter Log for that IP
2015:03:13-13:26:06 Linus httpproxy[5971]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.82.3.128" dstip="" user="useradmin" ad_domain="SNOOPY" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xd67ad800" url="10.12.0.72:13111/" referer="" error="Target service not allowed" authtime="163" dnstime="0" cattime="0" avscantime="0" fullreqtime="2591529" device="0" auth="2" ua="" exceptions="av,content,url,mime,fileextension"

2015:03:13-13:29:41 Linus httpproxy[5971]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.82.3.128" dstip="" user="useradmin" ad_domain="SNOOPY" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xdfbb4000" url="10.12.0.72:13111/" referer="" error="Target service not allowed" authtime="99" dnstime="0" cattime="0" avscantime="0" fullreqtime="4415844" device="0" auth="2" ua="" exceptions="av,content,url,mime,fileextension"

2015:03:13-13:31:11 Linus httpproxy[5971]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.82.3.128" dstip="" user="useradmin" ad_domain="SNOOPY" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xd5a8e000" url="10.12.0.72:13111/" referer="" error="Target service not allowed" authtime="233" dnstime="0" cattime="0" avscantime="0" fullreqtime="2230410" device="0" auth="2" ua="" exceptions="av,content,url,mime,fileextension"

Put in an exception for authentication and the users can now go out to the internet.  
Log Filter after exception added.

2015:03:13-13:44:54 Linus httpproxy[5971]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.82.3.128" dstip="93.184.215.200" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="13935" request="0xd60f4000" url="ie9cvlist.ie.microsoft.com/.../xml"

2015:03:13-13:44:57 Linus httpproxy[5971]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.82.3.128" dstip="131.253.40.59" user="" ad_domain="" statuscode="301" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xd8707800" url="g.msn.com/.../5.0)" exceptions="auth,url" application="msn" app-id="311"


2015:03:13-13:44:58 Linus httpproxy[5971]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.82.3.128" dstip="204.79.197.203" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="66723" request="0xd8707800" url="www.msn.com/en-us

If the user logs into any computer that is not behind the RED no problem, but if they are behind the RED then it fails without the exception in place.
Also when it was blocked the url was listed as url="10.12.0.72:13111/  This is the ip address of our Kaspersky system.  I thought that was strange also.


This thread was automatically locked due to age.
Parents
  • 0
    Al, with a 425, you must have a substantial number of users.  They don't need to be synced to the UTM for SSO.  Consider #6 in Rulz.  Support has a script that will delete all users synced from AD if you would like to limit prefetch to a few, select Groups.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0
    Al, with a 425, you must have a substantial number of users.  They don't need to be synced to the UTM for SSO.  Consider #6 in Rulz.  Support has a script that will delete all users synced from AD if you would like to limit prefetch to a few, select Groups.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Unfiltered HTML