Hello, forum! Sorry that my inaugural post is a technical query rather than a greeting... Recently moved to a UTM9 appliance in work and am migrating across from a Websense filter to the built-in rule sets. There's an issue that I can't get my head around in relation to filtering policies not applying to AD users. I'll try to summarise as best I can. UTM is set up as a transparent proxy with AD SSO. Groups used for filtering linked to backend AD groups (final CN doesn't have spaces in any of the groups) Dave who has a named account on the UTM as he's an admin is a member of the AllAccess AD group TestDave isn't named on the UTM userlist, but is a member of AllowSocialMedia AD group as he intends to fluff about on FB from time to time In the UTM groups, an AD Users group exists for all Active Directory authenticated users, as well as AllAccess and AllowSocialMedia backend AD linked groups Authentication servers have been added and a test for each user shows they're both members of their respective groups (as well as the global AD Users group) Policies set up to allow AllAccess everywhere, AllowSocialMedia to FB and YT and fluff around, with a Default User policy which curtails unnecessary fluffing about (with the base policy of block everywhere), all ordered correctly and applied to the specific groups Policy Helpdesk lookup for users Dave and TestDave show that the correct policy is being applied to each Dave browses away fine, with logs showing AllAccess policy being applied TestDave is upset that he can't fluff about on FB Web filtering log shows that the UTM applied the Default User (i.e. behave yourself) policy to TestDave Are there any thoughts which would save TestDave from being upset and get back to his (corporate-sanctioned) fluffery, or indeed as to why Dave can happily work away with the correct policy applied? (For info - If I move Dave into a more restricted linked AD group as opposed to the AllAccess one, the relevant policy reports as being applied correctly, but browsing doesn't change...)

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web filters/policies report as expected but don't apply

Hello, forum!

Sorry that my inaugural post is a technical query rather than a greeting...

Recently moved to a UTM9 appliance in work and am migrating across from a Websense filter to the built-in rule sets. There's an issue that I can't get my head around in relation to filtering policies not applying to AD users.

I'll try to summarise as best I can.

UTM is set up as a transparent proxy with AD SSO.
Groups used for filtering linked to backend AD groups (final CN doesn't have spaces in any of the groups)
Dave who has a named account on the UTM as he's an admin is a member of the AllAccess AD group
TestDave isn't named on the UTM userlist, but is a member of AllowSocialMedia AD group as he intends to fluff about on FB from time to time
In the UTM groups, an AD Users group exists for all Active Directory authenticated users, as well as AllAccess and AllowSocialMedia backend AD linked groups
Authentication servers have been added and a test for each user shows they're both members of their respective groups (as well as the global AD Users group)
Policies set up to allow AllAccess everywhere, AllowSocialMedia to FB and YT and fluff around, with a Default User policy which curtails unnecessary fluffing about (with the base policy of block everywhere), all ordered correctly and applied to the specific groups
Policy Helpdesk lookup for users Dave and TestDave show that the correct policy is being applied to each
Dave browses away fine, with logs showing AllAccess policy being applied
TestDave is upset that he can't fluff about on FB
Web filtering log shows that the UTM applied the Default User (i.e. behave yourself) policy to TestDave

Are there any thoughts which would save TestDave from being upset and get back to his (corporate-sanctioned) fluffery, or indeed as to why Dave can happily work away with the correct policy applied?

(For info - If I move Dave into a more restricted linked AD group as opposed to the AllAccess one, the relevant policy reports as being applied correctly, but browsing doesn't change...)

This thread was automatically locked due to age.

0 BigDavey over 9 years ago

OK, providing an update for my own reference as much as anything else. The issue is now resolved after removing and re-adding the UTM to the domain.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 9 years ago

Hi, BD, and welcome to the User BB!

If you want to learn how to have gleamed the need for that from the logs, show us a line from your Web Filtering log where testdave was blocked and shouldn't have been and one where Dave was allowed but shouldn't have been.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel