
Sophos UTM9 Web filtering picks computer$ account for some users

Hi,

I am having a very interesting problem. I have set up web filtering with Active Directory groups, and members of these groups can go to the internet. I also set a block action for the others who are not members of these groups. Some of my users who are members of these groups are blocked, and when I checked the logs, I found out that there is no user information for these users but only the computer$ account. Those users are blocked and cannot use the internet now because of the block action.

I didn't set any proxy on my clients yet. I have checked a couple of articles and I couldn't find anything regarding this either. When I set a proxy on a client it comes with the right information, but otherwise it keeps coming with the computer$ account.

Has anyone ever struggled with this?

Regards,  



  • To be honest, I thought the same thing at the beginning and checked the Sophos logs and network logs; every item sees the username, but only Sophos picks the computer$ account information. The user connects with Cisco ISE RADIUS and logs on to the domain with username and password; I can see he is logged in in STAS as well, but when trying to go to the internet the computer$ account comes out somehow. From the same location, 99% are connected with no problem at all.

    * Source IP is in the list already.

    * Site does not matter, because whatever you try to do you get the same output. Only adding proxy settings in Explorer helps.

    * Windows Update goes through WSUS, and there is no other service that tries to go out except Outlook for Office 365 and Skype for Business. But these are all the same for all my other users. I have 350 users trying to use the internet at the same time and only 5% are facing this problem.

     

    Regards,

       

  • I am suddenly confused and out of my element.  I thought we were dealing with AD SSO.   If you are talking about remote access using RADIUS, followed by web filtering using STAS, your configuration is very different from any that I have used.

    However, the general outlines are similar:   STAS is used to infer the username from the IP address.   If it is not capturing the username, then the IP-to-user mapping is not active at the moment of that web access.

    Overall, it is time to call Support for help with debugging.

  • Tanner,

    Go to Current Activities, Live Users.

    If you see entries there with client type NTLM, that means that STAS has failed.  Then if you see $computername that means that NTLM has failed to use the current user and is using the computername instead.

    The first order of business is to figure out why STAS is failing.  The fact that it is falling back to using NTLM for AD SSO is a symptom of a STAS problem.  There is no purpose in trying to debug your AD SSO using $computername when it should ideally not be hitting that codepath at all.

     

    Some things to consider:

    If you go to Administration, Device Access you can turn on NTLM (AD SSO).  This will make the users hit Captive Portal rather than NTLM.

    If you go to your firewall rules and uncheck "Show captive portal to unknown users" this will prevent the rule from matching when the user is not known and using NTLM/Captive Portal to attempt to figure out the user.

    However changing both of those will just change the symptom of your underlying problem - STAS failure.

     

    EDIT - Sorry the above instructions are for XG not UTM.  However the underlying issue is the same.

  • Hi Michael,

     

    I have attached the screenshots. I can see all logged-in users; I have no problem with this. Actually, I can see the user in question here as well. I mean his computer tries to connect with the computer$ account, as I can see in the block action in the logs, but in STAS I can see he is logged in. I couldn't find the tabs and menus that you mention. If you can guide me I can check again.

     

  • To expand on Michael Dun's post, the web filter logs have an auth="value" clause which can help you confirm which authentication method is being used.   

    This is the list that I assembled from available sources a while ago.   I do not know what code is used by STAS.

     

    0 No authentication
    1 Basic
    2 AD SSO
    3 eDirectory SSO
    4 Browser
    5 OpenDirectory
    6 Agent

    I am still intrigued by your reference to RADIUS.   STAS is intended for internal machines where the user logs into Active Directory.   So STAS should work if a remote user uses RDP or VNC to log onto his PC at work.   I would not expect it to work if a roaming laptop connects using a VPN client with full tunnelling, and then attempts to web surf on the internet.   

    STAS might work if the roaming PC is a domain member and the VPN stack is loaded during the boot process, but even that seems likely to be unreliable.

  • Taner Demirtas said:

    I have attached the screenshots. I can see all logged-in users; I have no problem with this. Actually, I can see the user in question here as well. I mean his computer tries to connect with the computer$ account, as I can see in the block action in the logs, but in STAS I can see he is logged in. I couldn't find the tabs and menus that you mention. If you can guide me I can check again.

    Sorry, I was thinking XG, not UTM.

    In every Web Filter Profile that you are using, what do you have set for Authentication?

    I think you should have Agent.  See https://community.sophos.com/kb/en-us/126939

    In Authentication Services, Single Sign On, you are likely joined to a domain.  Remove the username and password and hit Apply, this will unjoin you.  That will turn off NTLM.

     

    However this is getting out of my area of knowledge.  Hopefully someone else can help you better.

  • Actually, you can see the web filtering log below. One with the computer, one with the username, but both auth="2". Please let me know if you can see anything. Also I have found out that every day different users are facing this problem.

     

    2019:02:27-10:13:36 trdcdysphs-2 httpproxy[49836]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="10.74.32.30" dstip="" user="TRHENDEPC003$" group="" ad_domain="DYDODRINCO" statuscode="403" cached="0" profile="REF_HttProContaDmzNetwo (DYDO_AD_SSO_Profile)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="3335" request="0x9840400" url="ctldl.windowsupdate.com/.../pinrulesstl.cab referer="" error="" authtime="811" dnstime="0" cattime="149" avscantime="0" fullreqtime="1363" device="1" auth="2" ua="Microsoft-CryptoAPI/10.0" exceptions="av,sandbox,ssl,fileextension,size" category="175" reputation="trusted" categoryname="Software/Hardware" reason="category"

     

    2019:02:27-10:16:58 trdcdysphs-2 httpproxy[49836]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.74.42.15" dstip="172.217.20.2" user="ramazan.cop" group="WF_General" ad_domain="DYDODRINCO" statuscode="200" cached="0" profile="REF_HttProContaDmzNetwo (DYDO_AD_SSO_Profile)" filteraction="REF_HttCffGenerFilteActio (General filter action)" size="117" request="0xd8295e00" url="adservice.google.com/.../integrator.js referer="http://www.haber7.com/" error="" authtime="152" dnstime="0" cattime="0" avscantime="7532" fullreqtime="131507" device="1" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36" exceptions="" overridecategory="1" overridereputation="1" category="105" reputation="trusted" categoryname="Business" application="google" app-id="182" sandbox="-" content-type="text/plain"
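    As an added example (not code from this thread or from Sophos), here is a small Python parser for httpproxy lines like the two above. It maps the auth= field through the code list Doug posted earlier in the thread and flags requests the proxy attributed to a computer$ account or to an empty user, which is exactly the symptom being chased here. The sample lines are constructed: the first two are condensed from the entries quoted above, the third is invented to show the blank user="" case; the auth code table is the unofficial list from this thread, not verified against Sophos documentation.

```python
import re
from collections import Counter

# auth="N" codes as listed by a forum member earlier in this thread
# (assembled from unofficial sources; the code used by STAS is unknown).
AUTH_CODES = {
    "0": "No authentication",
    "1": "Basic",
    "2": "AD SSO",
    "3": "eDirectory SSO",
    "4": "Browser",
    "5": "OpenDirectory",
    "6": "Agent",
}

# Constructed sample: the first two lines are condensed from the httpproxy
# entries quoted in the thread, the third is made up to show an empty user="".
SAMPLE_LOG = """\
2019:02:27-10:13:36 trdcdysphs-2 httpproxy[49836]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="10.74.32.30" dstip="" user="TRHENDEPC003$" group="" ad_domain="DYDODRINCO" statuscode="403" url="ctldl.windowsupdate.com/pinrulesstl.cab" auth="2" ua="Microsoft-CryptoAPI/10.0"
2019:02:27-10:16:58 trdcdysphs-2 httpproxy[49836]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.74.42.15" dstip="172.217.20.2" user="ramazan.cop" group="WF_General" ad_domain="DYDODRINCO" statuscode="200" url="adservice.google.com/integrator.js" auth="2" ua="Mozilla/5.0"
2019:02:27-10:20:01 trdcdysphs-2 httpproxy[49836]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="10.74.50.9" dstip="" user="" group="" ad_domain="" statuscode="403" url="example.invalid/" auth="0" ua="Mozilla/5.0"
"""

# "<timestamp> <host> <process[pid]>: " prefix, then key="value" pairs.
HEADER_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+):\s")
FIELD_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_line(line):
    """Split one httpproxy line into a dict of header parts and key="value" fields."""
    head = HEADER_RE.match(line)
    if not head:
        return None
    rec = head.groupdict()
    rec.update(FIELD_RE.findall(line[head.end():]))
    return rec


def parse_log(text):
    """Parse every well-formed line of a log excerpt; skip lines without the header."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def identity_kind(rec):
    """'machine' for a computer$ account, 'none' for an empty user, else 'user'."""
    user = rec.get("user", "")
    if not user:
        return "none"
    if user.endswith("$"):
        return "machine"
    return "user"


def auth_method(rec):
    """Human-readable name for the auth="N" field, per the thread's code list."""
    code = rec.get("auth", "")
    return AUTH_CODES.get(code, "unknown(%s)" % code)


def machine_account_hits(text):
    """Records where the proxy attributed the request to a computer$ account."""
    return [r for r in parse_log(text) if identity_kind(r) == "machine"]


def summarize(text):
    """Count requests per (auth method, identity kind) to spot fallback patterns."""
    return Counter((auth_method(r), identity_kind(r)) for r in parse_log(text))


if __name__ == "__main__":
    for r in machine_account_hits(SAMPLE_LOG):
        print(r["ts"], r["srcip"], r["user"], auth_method(r), r["action"], r["url"])
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(key, n)
```

    Run against a real export of the web filter log, the summary makes it easy to see whether computer$ entries cluster under one auth method, one source subnet or one time of day, which is the kind of pattern that separates an authentication fallback from a client-side cause.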
  • "STAS might work if the roaming PC is a domain member and the VPN stack is loaded during the boot process, but even that seems likely to be unreliable."

    AD-SSO does work reliably in that scenario, Doug.

    Taner, this is a mystery.  I can't help but think that it's the PC sending the computer name.  What if you modify LAN Settings to use the Proxy Server explicitly and use an FQDN instead of the internal numeric IP of the UTM?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

     

    Regarding what I am facing, I have tested a couple of things to pin down the exact problem. I have found out that when I use the wireless SSID through Cisco ISE, computer$ comes in as user="TRCAMDYPC045$", but when I use another SSID without Cisco ISE, blank user="" information comes. Also I have checked the direct cable; everything is working fine with cable. So I believe that I am very close to the end.

     

    Also I have checked that with proxy settings pushed through GPO or the Sophos Agent, it works fine in all cases.

     

    Thanks,

  • Hi Michael,

     

    After all that deep work on Active Directory and Sophos plus client feedback, I have found that services cause the problem, so I made a deep search in Active Directory to see if I could find anything related to this. I have found the solution under Computer Configuration\policies\windows settings\security settings\local policies\security options\

    The settings below must be disabled to use only the username to authenticate.

    Thank you very much for your time and priceless guidance.

     

    Regards,