Sophos UTM9 Web filtering picks computer$ account for some users

There are several ways of doing authentication, one of the common ones is NTLM.  IIRC NTLM will authenticate and cache that information for about 5 minutes before trying to authenticate again.  If the web request that is trying to authenticate comes from a browser or application running in user space, it will authenticate with that user.  If the request comes from something running as a system or computer account, it will authenticate like that.

It will continue to use the computer account for five minutes, until it authenticates again.

Off the top of my head, I do not recall what the solution is on the UTM.

Hi Michael,

Thank you very much for you answer.

If i make them come through proxy as you say because of the packages comes through browser it fixes the problem. But I have some firewall rules which determines, which user to go to which servers. As i created groups and all of my users connects through this rules. As far as i understand it will use computer account as well to try to connect fileserver. (All my servers are in DMZ and all group members connect through allowed ports) So this will be another problem if i use proxy for the web browsing.

I am using STAS to send data to firewall on my DC but still some computers use computer$ account and in 5 or 10 mins doesnt change. 

Do you believe there is a solution for this or is there any suggestion you can make me that i can follow?

Again thank you. 

If you are using STAS then I don't think that you should ever be getting computer$ names.  I would look to your STAS configuration.  Sorry I cannot help more.

https://community.sophos.com/kb/en-us/123141

https://community.sophos.com/kb/en-us/123156

Merhaba Taner and welcome to the UTM Community!

In general, I would skip Web Filtering for servers in the DMZ - is that what you're doing?

Also, I don't understand "I am using STAS to send data to firewall on my DC."

Cheers - Bob

Hi Bob

Thank you very much. Yes I add server dmz ip to skip list. What i mean by STAS is actually i have 3 web access group as mail access, general and full permission and these group members in AD can get to internet according to their rights determined in sophos. On my dc STAS is set and running succesfully with no problem i can see all users who logged on to dc so web filtering can get the online data through STAS everything is ok so far but i have found out that some users can use somesites that they shouldn't. To block this i have added block action that if someone is not my domain member they dont go to internet which i try to make was to find out who is having problem.  When i have activated block action some users came to me and told me that they cannot go to internet at all so when i check the web filtering live logs i have seen that their computer tries to go to internet by using their computer$ account instead of using their username. That is why sophos cannot find out who is trying to comeout and block action rule blocking the computers straight away. I am trying to find how can i stop them sending computer account and start sending username

Thank you very much again

Regards

If you are not doing https-inspection, UTM cannot see the NTLM information or the path+querystring information in the packet, because this information is in the encrypted portion.   As a workaround, UTM assumes that the https user is the same as the last-known http user from the same IP.   If there is not an initial http packet, UTM has to default to the unauthenticated user policy.

This is all documented, but I am sure it is easy to miss.   Most of the authentication methods do some form of IP-to-user inference.

Here is a list of ways to work around this limitation:

1. Allow unauthenticated users to have access to a basic set of "safe" destinations.   After analysis of my traffic, I concluded that a significant amount of fat-client applications (that could not do NTLM) and operating system overhead (that will run when the user is logged out.)    As described in my Web Filtering lessons learned post, I use Standard Mode with AD SSO for web traffic, and Transparent Mode without authentication to protect everything else without creating unwanted blocks.    This strategy also provides a minimum set of capabilities to the user who connects to https before http.
   
   
2. Use HTTPS Inspection (decrypt-and-scan).   This provides visibility to the NTLM information.   However, you will have some sites that are exempted from decrypt-and-scan.  If an exempt https site is the first thing referenced, you still face the possibility of an unauthenticated user event.
   
   
3. Use GPO to fix the problem.   Your GPO probably sets every user's browser startup page to your organization's internal web page.  This does not go through UTM, so it does not help.   But you can also configure a second tab that opens your organization's external web site using an http: reference.   Whether the site either operates on http, or redirects from http to https, UTM will see the initial http connection attempt and identify the user.   (The same approach could be used with the Google search page.)   Using GPO with I.E. and Chrome is easy.   Other browsers can be customized with an extra-cost third-party tool.  (Opinion:  Any browser that cannot be configured with GPO should not be allowed to be installed within your organization.)

Hi Douglas,

If you mean the https decryption under web filtering->Profile->HTTPS->Decrypt and scan the following is already selected for the https traffic. 

Somehow still having the same problem.

Actually i believe that is already set.

1. All users are domain member and they all use windows 10 pro every settings are same for all and only %2-3 of my users cannot get through.

2.I already do this for a long time.

3. My first web site is google but to be honestly the problem seems different as outlook, skype for business or anything on the computer stops. no internet at all. On that computer if i set proxy to sophos UTM internet comes straight and everything starts connecting but when i delete proxy settings from browser, on logs i start seeing only computer$ account straight again. 

It is weird or i missed some points, i don't know but for sure there must be a part i have missed.

Regards,

Full disclosure:  I have a love-hate relationship with decrypt-and-scan.   Currently, the love has gone cold so I am using it only on myself.   I may write a full post on the subject someday.  However, whenever I have used it, I used the unqualified "decrypt and scan" option.

To solve your problem, you will need to look harder at the logs.   But I fully expect that:

• the web traffic is occurring when the user is logged out, or
• the traffic is not meeting the criteria on your screen shots.  Possibilities include:
  • the Filter Profile Allowed Networks object is not resolving correctly match your source IP  (in particular, I think there are problem with Network Range objects (partial subnets),
  • The source IP does not match the Filter Profile allowed networks list at all,
  • the site is uncategorized so it does not match your category list, or
  • an exception (such as Windows update) is bypassing decrypt-and-scan.

To be honestly I thought at the beginning the same thing and checked sophos logs and network logs every item sees username but only sophos picks the computer$ account information. The user connects with Cisco ISE radius and logon to domain with username and password i can see he is logged-in in STAS as well. but when trying to go to internet computer$ account coming out somehow. From the same location %99 is connected with no problem at all.

* Source IP is in the list already.

* Site does not matter because what ever you try to do get the same output. Only when i added proxy settings on explorer helps

* Windows Update goes through WSUS or there is no any other service tries to go out except outlook for office 365 and skype for business. But these are all same for my all other users. I have 350 Users trying to use internet at the same time and only %5 is facing this problem.

Regards,

To be honestly I thought at the beginning the same thing and checked sophos logs and network logs every item sees username but only sophos picks the computer$ account information. The user connects with Cisco ISE radius and logon to domain with username and password i can see he is logged-in in STAS as well. but when trying to go to internet computer$ account coming out somehow. From the same location %99 is connected with no problem at all.

* Source IP is in the list already.

* Site does not matter because what ever you try to do get the same output. Only when i added proxy settings on explorer helps

* Windows Update goes through WSUS or there is no any other service tries to go out except outlook for office 365 and skype for business. But these are all same for my all other users. I have 350 Users trying to use internet at the same time and only %5 is facing this problem.

Regards,

I am suddenly confused and out of my element.  I thought we were dealing with AD SSO.   If you are talking Remote access using Radius, followed by web filtering using STAS, your configuration is very different from any that I have used.    

However, the general outlines are similar:   STAS is used to infer the username from the IP address.   If it is not capturing the username, then the IP-to-user mapping is not active at thr moment of that web access.

Overall, it is time to call Support for help with debugging.

Tanner,

Go to Current Activities, Live Users.

If you see entries there with client type NTLM, that means that STAS has failed.  Then if you see $computername that means that NTLM has failed to use the current user and is using the computername instead.

The first order of business is to figure out why STAS is failing.  The fact that it is falling back to using NTLM for AD SSO is a symptom of an STAS problem.  There is no purpose is trying to debug your AD SSO using $computername when it should ideally not be hitting that codepath at all.

Some things to consider:

If you go to Administration, Device Access you can turn on NTLM (AD SSO).  This will make the users hit Captive Portal rather NTLM.

If you go to your firewall rules and uncheck "Show captive portal to unknown users" this will prevent the rule from matching when the user is not known and using NTLM/Captive Portal to attempt to figure out the user.

However changing both of those will just change the symptom of your underlying problem - STAS failure.

EDIT - Sorry the above instructions are for XG not UTM.  However the underlying issue is the same.

Hi Michael,

I have attached the screenshots. I can see all log in users i have no problem with this actually i can see regarding user here as well i mean his computer tries to connect with computer$ account as i can see in the block action in logs but on stas i can see he is logged in. I couldnt get the tabs and menus that you mention. If you can guide me i can check again. 

To expand on Michael Dun's post, the web filter logs have an auth="value" clause which can help you confirm which authentication method is being used.   

This is the list that I assembled from available sources awhile ago.   I do not know what code is used by STAS.

0 No authentication
1 Basic
2 AD SSO
3 eDirector SSO
4 Browser
5 OpenDirectory
6 Agent

I am still intrigued by your reference to RADIUS.   STAS is intended for internal machines where the user logs into Active Directory.   So STAS should work if a remote user uses RDP or VNC to log onto his PC at work.   I would not expect it to work if a roaming laptop connects using a VPN client with full tunnelling, and then attempts to web surf on the internet.   

STAS might work if the roaming PC is a domain member and the VPN stack is loaded during the boot process, but even that seems likely to be unreliable.

Taner Demirtas said:

I have attached the screenshots. I can see all log in users i have no problem with this actually i can see regarding user here as well i mean his computer tries to connect with computer$ account as i can see in the block action in logs but on stas i can see he is logged in. I couldnt get the tabs and menus that you mention. If you can guide me i can check again.

Sorry, I with thinking XG not UTM.

In every Web Filter Profile that you are using, what do you have set for Authentication?

I think you should have Agent.  See https://community.sophos.com/kb/en-us/126939

In Authentication Services, Single Sign On, you are likely joined to a domain.  Remove the username and password and hit Apply, this will unjoin you.  That will turn off NTLM.

However this is getting out of my area of knowledge.  Hopefully someone else can help you better.

Actually You can see the web filtering log below. One with computer one with username but both auth="2" please let me know if you can see anything. Also i have found out that every different day another users facing this problem.

2019:02:27-10:13:36 trdcdysphs-2 httpproxy[49836]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="10.74.32.30" dstip="" user="TRHENDEPC003$" group="" ad_domain="DYDODRINCO" statuscode="403" cached="0" profile="REF_HttProContaDmzNetwo (DYDO_AD_SSO_Profile)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="3335" request="0x9840400" url="ctldl.windowsupdate.com/.../pinrulesstl.cab referer="" error="" authtime="811" dnstime="0" cattime="149" avscantime="0" fullreqtime="1363" device="1" auth="2" ua="Microsoft-CryptoAPI/10.0" exceptions="av,sandbox,ssl,fileextension,size" category="175" reputation="trusted" categoryname="Software/Hardware" reason="category"

"STAS might work if the roaming PC is a domain member and the VPN stack is loaded during the boot process, but even that seems likely to be unreliable."

AD-SSO does work reliably in that scenario, Doug.

Taner, this is a mystery.  I can't help but think that it's the PC sending the computer name.  What if you modify LAN Settings to use the Proxy Server explicitly and use an FQDN instead of the internal numeric IP of the UTM.

Cheers - Bob

Hi Bob,

Regarding what i am facing, I have tested couple of things to name exact problem. I have found out that when i use wireless SSID through Cisco ISE computer$ comes in as user="TRCAMDYPC045$" but when i use another SSID with no cisco ISE on, blank USER="" information comes. Also i have checked the direct cable everything is working fine with cable. So i believe that i am very close to the end. 

Also i have checked that with proxy settings push through GPO or Sophos Agent works fine in all cases.

Thanks,