
Sophos UTM9 Web filtering picks computer$ account for some users

Hi,

I am having a very interesting problem. I have set up web filtering with Active Directory groups, and members of these groups can go to the internet. I also set a block action for the others who are not members of these groups. Some of my users who are members of these groups are blocked, and when I checked the logs I found that there is no user information for these users, only a computer$ account. Those users are blocked and cannot use the internet now because of the block action.

I haven't set any proxy on my clients yet. I have checked a couple of articles and couldn't find anything regarding this either. When I set a proxy on a client it comes with the right information, but otherwise it keeps coming with the computer$ account.

Has anyone ever struggled with this?

Regards,  



  • There are several ways of doing authentication, one of the common ones is NTLM.  IIRC NTLM will authenticate and cache that information for about 5 minutes before trying to authenticate again.  If the web request that is trying to authenticate comes from a browser or application running in user space, it will authenticate with that user.  If the request comes from something running as a system or computer account, it will authenticate like that.

    It will continue to use the computer account for five minutes, until it authenticates again.

    Off the top of my head, I do not recall what the solution is on the UTM.

  • Hi Michael,

    Thank you very much for you answer.

    If I make them come through the proxy as you say, because the packets come through the browser, it fixes the problem. But I have some firewall rules which determine which users can go to which servers. As I created groups, all of my users connect through these rules. As far as I understand, it will use the computer account as well when trying to connect to the file server. (All my servers are in the DMZ and all group members connect through allowed ports.) So this will be another problem if I use the proxy for web browsing.

    I am using STAS to send data to the firewall from my DC, but still some computers use the computer$ account and it doesn't change in 5 or 10 minutes.

    Do you believe there is a solution for this, or is there any suggestion you can make that I can follow?

    Again, thank you.

  • Full disclosure:  I have a love-hate relationship with decrypt-and-scan.   Currently, the love has gone cold so I am using it only on myself.   I may write a full post on the subject someday.  However, whenever I have used it, I used the unqualified "decrypt and scan" option.

    To solve your problem, you will need to look harder at the logs.   But I fully expect that:

    • the web traffic is occurring when the user is logged out, or
    • the traffic is not meeting the criteria on your screen shots.  Possibilities include:
      • the Filter Profile Allowed Networks object is not resolving correctly to match your source IP (in particular, I think there are problems with Network Range objects (partial subnets)),
      • The source IP does not match the Filter Profile allowed networks list at all,
      • the site is uncategorized so it does not match your category list, or
      • an exception (such as Windows update) is bypassing decrypt-and-scan.
  • To be honest, I thought the same thing at the beginning and checked the Sophos logs and network logs; every item sees the username, but only Sophos picks the computer$ account information. The user connects with Cisco ISE RADIUS and logs on to the domain with username and password; I can see he is logged in in STAS as well, but when trying to go to the internet the computer$ account comes out somehow. From the same location, 99% connect with no problem at all.

    * The source IP is in the list already.

    * The site does not matter, because whatever you try to do you get the same output. Only adding proxy settings in Explorer helps.

    * Windows Update goes through WSUS, and there is no other service trying to go out except Outlook for Office 365 and Skype for Business. But these are all the same for all my other users. I have 350 users trying to use the internet at the same time and only 5% are facing this problem.

    Regards,

  • I am suddenly confused and out of my element. I thought we were dealing with AD SSO. If you are talking about remote access using RADIUS, followed by web filtering using STAS, your configuration is very different from any that I have used.

    However, the general outlines are similar: STAS is used to infer the username from the IP address. If it is not capturing the username, then the IP-to-user mapping is not active at the moment of that web access.

    Overall, it is time to call Support for help with debugging.

  • Taner,

    Go to Current Activities, Live Users.

    If you see entries there with client type NTLM, that means that STAS has failed. Then if you see $computername, that means that NTLM has failed to use the current user and is using the computer name instead.

    The first order of business is to figure out why STAS is failing. The fact that it is falling back to using NTLM for AD SSO is a symptom of a STAS problem. There is no purpose in trying to debug your AD SSO using $computername when it should ideally not be hitting that code path at all.

    Some things to consider:

    If you go to Administration, Device Access, you can turn on NTLM (AD SSO). This will make the users hit the Captive Portal rather than NTLM.

    If you go to your firewall rules and uncheck "Show captive portal to unknown users", this will prevent the rule from matching when the user is not known, rather than using NTLM/Captive Portal to attempt to figure out the user.

    However, changing both of those will just change the symptom of your underlying problem: STAS failure.

    EDIT - Sorry, the above instructions are for XG, not UTM. However, the underlying issue is the same.

  • Hi Michael,

    I have attached the screenshots. I can see all logged-in users; I have no problem with this. Actually, I can see the user in question here as well: his computer tries to connect with the computer$ account, as I can see in the block action in the logs, but in STAS I can see he is logged in. I couldn't find the tabs and menus that you mention. If you can guide me I can check again.

  • To expand on Michael Dun's post, the web filter logs have an auth="value" clause which can help you confirm which authentication method is being used.   

    This is the list that I assembled from available sources a while ago. I do not know what code is used by STAS.

     

    0 No authentication
    1 Basic
    2 AD SSO
    3 eDirectory SSO
    4 Browser
    5 OpenDirectory
    6 Agent

    I am still intrigued by your reference to RADIUS. STAS is intended for internal machines where the user logs into Active Directory. So STAS should work if a remote user uses RDP or VNC to log on to his PC at work. I would not expect it to work if a roaming laptop connects using a VPN client with full tunnelling and then attempts to web surf on the internet.

    STAS might work if the roaming PC is a domain member and the VPN stack is loaded during the boot process, but even that seems likely to be unreliable.

  • Taner Demirtas said:

    I have attached the screenshots. I can see all logged-in users; I have no problem with this. Actually, I can see the user in question here as well: his computer tries to connect with the computer$ account, as I can see in the block action in the logs, but in STAS I can see he is logged in. I couldn't find the tabs and menus that you mention. If you can guide me I can check again.

    Sorry, I was thinking XG, not UTM.

    In every Web Filter Profile that you are using, what do you have set for Authentication?

    I think you should have Agent. See https://community.sophos.com/kb/en-us/126939

    In Authentication Services, Single Sign On, you are likely joined to a domain. Remove the username and password and hit Apply; this will unjoin you. That will turn off NTLM.

    However, this is getting out of my area of knowledge. Hopefully someone else can help you better.

  • Actually, you can see the web filtering log below. One with the computer and one with a username, but both have auth="2". Please let me know if you can see anything. Also I have found out that every day different users face this problem.

    2019:02:27-10:13:36 trdcdysphs-2 httpproxy[49836]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="10.74.32.30" dstip="" user="TRHENDEPC003$" group="" ad_domain="DYDODRINCO" statuscode="403" cached="0" profile="REF_HttProContaDmzNetwo (DYDO_AD_SSO_Profile)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="3335" request="0x9840400" url="ctldl.windowsupdate.com/.../pinrulesstl.cab referer="" error="" authtime="811" dnstime="0" cattime="149" avscantime="0" fullreqtime="1363" device="1" auth="2" ua="Microsoft-CryptoAPI/10.0" exceptions="av,sandbox,ssl,fileextension,size" category="175" reputation="trusted" categoryname="Software/Hardware" reason="category"

     

    2019:02:27-10:16:58 trdcdysphs-2 httpproxy[49836]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.74.42.15" dstip="172.217.20.2" user="ramazan.cop" group="WF_General" ad_domain="DYDODRINCO" statuscode="200" cached="0" profile="REF_HttProContaDmzNetwo (DYDO_AD_SSO_Profile)" filteraction="REF_HttCffGenerFilteActio (General filter action)" size="117" request="0xd8295e00" url="adservice.google.com/.../integrator.js referer="http://www.haber7.com/" error="" authtime="152" dnstime="0" cattime="0" avscantime="7532" fullreqtime="131507" device="1" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36" exceptions="" overridecategory="1" overridereputation="1" category="105" reputation="trusted" categoryname="Business" application="google" app-id="182" sandbox="-" content-type="text/plain"
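    The auth="N" clause Doug listed above and the two httpproxy lines just posted are enough to triage this from the log alone. The script below is an added example for this thread, not Sophos code: it parses key="value" fields from UTM httpproxy lines, decodes auth="N" using Doug's table (the STAS code is unknown, so anything else is reported as unknown), flags entries credited to a computer account (trailing "$"), and separates the expected case (a Windows system service such as Microsoft-CryptoAPI fetching a CTL under computer$, which matches Michael's NTLM explanation) from the actual problem (interactive browser traffic blocked under computer$). The sample lines are constructed, modelled on the two posted above with fields trimmed, and the "Mozilla/ means browser" split is a heuristic assumption.

```python
"""Triage Sophos UTM httpproxy log lines by who the proxy credited the request to.
Added example for this thread, not Sophos code."""
import re
from collections import Counter

# auth="N" meanings as listed earlier in the thread (Doug's list). The code
# STAS uses is not known, so anything else is reported as unknown(N).
AUTH_CODES = {
    "0": "No authentication",
    "1": "Basic",
    "2": "AD SSO",
    "3": "eDirectory SSO",
    "4": "Browser",
    "5": "OpenDirectory",
    "6": "Agent",
}

# Constructed sample lines, modelled on the two posted in the thread (fields trimmed).
SAMPLE_LOG = """
2019:02:27-10:13:36 utm httpproxy[49836]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="10.74.32.30" user="TRHENDEPC003$" group="" ad_domain="DYDODRINCO" statuscode="403" auth="2" ua="Microsoft-CryptoAPI/10.0" category="175" categoryname="Software/Hardware" reason="category"
2019:02:27-10:16:58 utm httpproxy[49836]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.74.42.15" user="ramazan.cop" group="WF_General" ad_domain="DYDODRINCO" statuscode="200" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36" category="105" categoryname="Business"
2019:02:27-10:17:02 utm httpproxy[49836]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="10.74.32.31" user="TRCAMDYPC045$" group="" ad_domain="DYDODRINCO" statuscode="403" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36" category="105" categoryname="Business" reason="category"
2019:02:27-10:17:10 utm httpproxy[49836]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.74.42.16" user="" group="" ad_domain="" statuscode="200" auth="0" ua="Microsoft-Delivery-Optimization/10.0" category="175" categoryname="Software/Hardware"
"""

# One key="value" pair; values may contain spaces, commas and parentheses but no quotes.
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_line(line):
    """Split one httpproxy line into its key="value" fields."""
    return dict(KV_RE.findall(line))


def is_machine_account(user):
    """AD computer accounts are the sAMAccountName with a trailing '$'."""
    return user.endswith("$")


def looks_like_browser(ua):
    """Heuristic (assumption): interactive browsers send Mozilla/ user agents,
    Windows system services (CryptoAPI, Delivery Optimization, ...) do not."""
    return ua.startswith("Mozilla/")


def classify(line):
    """Reduce a log line to the fields needed for triage."""
    f = parse_line(line)
    user = f.get("user", "")
    code = f.get("auth", "")
    return {
        "srcip": f.get("srcip", ""),
        "user": user,
        "action": f.get("action", ""),
        "auth": AUTH_CODES.get(code, "unknown(%s)" % code),
        "machine_account": is_machine_account(user),
        "browser": looks_like_browser(f.get("ua", "")),
    }


def machine_account_hits(lines):
    """Entries the proxy credited to a computer$ account rather than a user."""
    return [c for c in map(classify, lines) if c["machine_account"]]


def blocked_browser_hosts(lines):
    """Source IPs where a browser request was blocked under a machine account.
    A CryptoAPI CTL fetch under computer$ is expected (system process, per
    Michael's NTLM explanation); a Chrome request under computer$ is the
    problem the thread is about, and these hosts are the ones to inspect."""
    return sorted({c["srcip"] for c in machine_account_hits(lines)
                   if c["action"] == "block" and c["browser"]})


def auth_method_counts(lines):
    """How many lines used each authentication method (from auth="N")."""
    return Counter(c["auth"] for c in map(classify, lines))


if __name__ == "__main__":
    lines = SAMPLE_LOG.strip().splitlines()
    print(auth_method_counts(lines))
    for hit in machine_account_hits(lines):
        print(hit)
    print("browser traffic blocked under computer$:", blocked_browser_hosts(lines))
```

    Run it against a real export of the SecureWeb log (one line per record) instead of SAMPLE_LOG; hosts that show up in blocked_browser_hosts() are the ones where the PC, not a background service, was credited with the computer account, which is where to check the STAS mapping and the client's proxy settings.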
  • "STAS might work if the roaming PC is a domain member and the VPN stack is loaded during the boot process, but even that seems likely to be unreliable."

    AD-SSO does work reliably in that scenario, Doug.

    Taner, this is a mystery. I can't help but think that it's the PC sending the computer name. What if you modify LAN Settings to use the Proxy Server explicitly and use an FQDN instead of the internal numeric IP of the UTM?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Regarding what I am facing, I have tested a couple of things to name the exact problem. I have found out that when I use the wireless SSID through Cisco ISE, computer$ comes in as user="TRCAMDYPC045$", but when I use another SSID without Cisco ISE, blank user="" information comes. Also I have checked the direct cable; everything is working fine with cable. So I believe that I am very close to the end.

    Also I have checked that with proxy settings pushed through GPO or the Sophos Agent it works fine in all cases.

     

    Thanks,
