
Trusted domains - we proxy AD SSO not pulling through group

Hi there,

We are running a UTM 9.7 and have AD SSO enabled and are using web proxy (protection).

The UTM is joined to domain A, but we wish to serve web proxy requests from domain B as well. There is a fully functional two way trusted domain & forest.

We have this exact scenario working on another UTM HA pair, so I know it works.

However, on the particular UTM HA pair in question, for domain A, it serves the requests fine, in the live log I can see user, group and domain pulling through.

When serving requests from domain B, it only seems to pull user and domain, not group.

(i.e. log looks a bit like this - user="testuser" group="" ad_domain="DOM-B")

The group exists and is part of a policy rule.

As I say, the (in theory) exact same setup works on another pair of UTMs, but not this one.

The odd part is that it used to work, because I have screenshots of the logs previously working and definitely pulling through the group, but it has stopped pulling the group.

What am I missing?

Thanks

Chris



  • Hi Chris and welcome to the UTM Community!

    This is almost certainly in the trust relationship.  What does someone else see in comparing the two situations?

    Are you running both sets of UTMs in Transparent or Standard mode?  If Standard, please show us the PAC files used in both locations.  If you prefer, obfuscate IPs like 84.XX.YY.121, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51.  That lets us see immediately which IPs are local and which are identical or just in the same subnet.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,
    Thanks for your reply, sorry for the delay, I was on leave.
    So when you say "in the trust relationship", what specifically in that do you mean?
    I can elaborate a bit further on our setup.
    So we are actually 3 orgs merging, so have 3 separate legacy forests/domains.
    We have a 4th "new" forest/domain. There are 2 way cross forest trusts between the 4th new forest and the 3 legacy ones.
    All set up and configured the same.
    We've migrated (staged) all our users into the 4th domain, utilising sIDHistory for both users and groups.
    A user logs on to their new account in the 4th domain and tries to access web resources via the UTM proxy - their original/same UTM they would have used on the legacy domain.
    This is where we hit the issue - so the proxy live logs see the user and the domain, but no group.
    If they switch back to their legacy account it works fine.
    This same concept works if another user logs on to their new account and uses their original UTM for proxy (so this is the other HA pair I'm referring to in a different source domain).
    In the live logs in this scenario I can see user, group and domain.
    The UTM pair in question that does not behave as expected is quite old now, like version 9.700-5 (which I think is RTM of 9.7?)
    The UTM pair that does work is newer, 9.705-3 (and I have tried on a 9.706-9 and that also works).
    So that did lead me to suspect the version is too old, but then again I had the logs showing it previously worked so that is confusing.
    This is what makes me think I'm missing something simple.

    In terms of the other questions, we don't use PAC files (yet) so it is direct to proxy via Internet Settings.
    And both UTMs are indeed in Standard mode.
    Thanks
    Chris
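When comparing the two UTM pairs, it helps to pull the proxy log lines from both and measure, per AD domain, how many authenticated requests came through with an empty group. The script below is an added example written for this thread; it is not code from the thread, from Sophos, or from the UTM itself. It assumes only the key="value" line style quoted above (user="testuser" group="" ad_domain="DOM-B"); the sample lines and the srcip/url fields in them are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed, simplified sample log lines in the key="value" style quoted in
# the thread. They are illustrative input, not real UTM output.
SAMPLE_LOG = """\
srcip="10.1.1.10" user="alice" group="Web-Allow" ad_domain="DOM-A" url="https://example.com/"
srcip="10.1.1.11" user="bob" group="Web-Allow" ad_domain="DOM-A" url="https://example.com/"
srcip="10.2.2.20" user="testuser" group="" ad_domain="DOM-B" url="https://example.com/"
srcip="10.2.2.21" user="carol" group="" ad_domain="DOM-B" url="https://example.org/"
srcip="10.3.3.30" user="" group="" ad_domain="" url="https://example.net/"
"""

# One key="value" pair; values in this log style contain no embedded quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" pairs of one log line as a dict."""
    return dict(KV_RE.findall(line))


def group_resolution_report(log_text):
    """Per AD domain: authenticated requests seen, and how many had no group.

    Lines with an empty user are unauthenticated, so no group is expected
    there and they are skipped. Returns
    {domain: {"total": n, "no_group": m, "users_without_group": set(...)}}.
    """
    report = defaultdict(
        lambda: {"total": 0, "no_group": 0, "users_without_group": set()}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec.get("user"):
            continue
        entry = report[rec.get("ad_domain", "")]
        entry["total"] += 1
        if not rec.get("group"):
            entry["no_group"] += 1
            entry["users_without_group"].add(rec["user"])
    return dict(report)


def domains_missing_groups(report, threshold=1.0):
    """Domains whose share of group-less authenticated requests >= threshold.

    With the default threshold of 1.0 a domain is flagged only when every
    authenticated request from it lacks a group, which is the pattern the
    thread describes for the trusted domain.
    """
    return sorted(
        dom for dom, e in report.items()
        if e["total"] and e["no_group"] / e["total"] >= threshold
    )


if __name__ == "__main__":
    rep = group_resolution_report(SAMPLE_LOG)
    for dom, e in sorted(rep.items()):
        print(f'{dom}: {e["no_group"]}/{e["total"]} authenticated requests '
              f'without group (users: {sorted(e["users_without_group"])})')
    print("Domains where group lookup is failing:", domains_missing_groups(rep))
```

Run it once against an export from the pair that works and once against the pair that does not; if the failing pair shows the trusted domain at 100% group-less while the working pair shows the same domain resolving groups, the difference lies on the UTM side (version or its view of the trust) rather than in the user's account.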

  • Definitely Up2Date the pair on 9.700 before re-examining the trust relationships.

    We've had no problems with 9.707 on our AWS instance since Up2Dating it last Wednesday.  9.705 is the oldest I recommend today.  9.700 is 20 months old.  9.706 & 9.707 are especially recommended for sites using the SMTP Proxy.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA