
UTM 9.3 transparent proxy + AD SSO

Hello,

I'm trying to switch from proxy standard mode to transparent mode. I currently use standard mode + AD SSO for authentication and it has worked without any problem for over a year now. As mobile devices come into play more and more, I would like to make the configuration more comfortable.

As soon as I switch to transparent mode I lose the user information and only the IP is shown in reports and logs. When I switch back, everything works fine again.

2016:01:27-12:56:41 fw-d00 httpproxy[11781]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.1.40" dstip="5.153.231.4" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="454" request="0xe1ab9000" url="www.debian.org/.../planet.png" referer="http://www.debian.org/" error="" authtime="0" dnstime="111" cattime="26367" avscantime="499" fullreqtime="74258" device="1" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko" exceptions="" category="175" reputation="trusted" categoryname="Software/Hardware" content-type="image/png"


Any hint what's missing here?


thx,

Daniel
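The log line above shows the symptom directly: `user=""`, `ad_domain=""` and `auth="0"` on a request that was passed. Requests like this carry no user identity, so user-based filter rules cannot apply to them. The following script is an added example, not code from the thread or from Sophos: it parses httpproxy `key="value"` lines and counts, per source IP, the requests that went through without authentication. The sample lines are constructed in the same format as the one quoted in the post; the IPs, hosts and the `example.com` URLs are made up.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the UTM httpproxy line quoted in the
# thread. One client (10.0.1.40) goes unauthenticated; another (10.0.1.55)
# carries a user and domain as it would after a successful AD SSO.
SAMPLE_LOG = """\
2016:01:27-12:56:41 fw-d00 httpproxy[11781]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.1.40" dstip="5.153.231.4" user="" ad_domain="" statuscode="200" url="www.debian.org/Pics/planet.png" authtime="0" auth="0" category="175" categoryname="Software/Hardware" content-type="image/png"
2016:01:27-12:56:42 fw-d00 httpproxy[11781]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.1.40" dstip="5.153.231.4" user="" ad_domain="" statuscode="200" url="www.debian.org/index.html" authtime="0" auth="0" category="175" categoryname="Software/Hardware" content-type="text/html"
2016:01:27-12:57:05 fw-d00 httpproxy[11781]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.1.55" dstip="93.184.216.34" user="jdoe" ad_domain="EXAMPLE" statuscode="200" url="example.com/" authtime="12" auth="1" category="175" categoryname="Software/Hardware" content-type="text/html"
2016:01:27-12:57:09 fw-d00 httpproxy[11781]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.1.40" dstip="93.184.216.34" user="" ad_domain="" statuscode="200" url="example.com/" authtime="0" auth="0" category="175" categoryname="Software/Hardware" content-type="text/html"
"""

# Matches one key="value" field; keys may contain a hyphen (content-type).
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_line(line):
    """Split one httpproxy line into a dict of its key="value" fields.

    Returns None for lines that do not carry the 'process[pid]: ' prefix.
    The timestamp from the prefix is kept under the key '_timestamp'.
    """
    prefix, sep, rest = line.partition("]: ")
    if not sep:
        return None
    fields = dict(KV_RE.findall(rest))
    fields["_timestamp"] = prefix.split(" ", 1)[0]
    return fields


def unauthenticated_requests(log_text):
    """Return the parsed 'http access' entries that were passed without a user.

    auth="0" together with an empty user means the proxy applied no identity
    to the request, which is exactly what the thread reports for
    transparent mode.
    """
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None or fields.get("name") != "http access":
            continue
        if fields.get("auth") == "0" and not fields.get("user"):
            hits.append(fields)
    return hits


def unauthenticated_by_client(log_text):
    """Count unauthenticated requests per source IP.

    These are the clients on which user-based web filtering rules are not
    being applied; in a transparent-mode rollout this list should be empty
    for every client that is expected to authenticate.
    """
    return Counter(f["srcip"] for f in unauthenticated_requests(log_text))


if __name__ == "__main__":
    for srcip, count in unauthenticated_by_client(SAMPLE_LOG).most_common():
        print(f"{srcip}: {count} request(s) without user identity")
```

Run against a real export of the web filtering log, the per-client counts separate clients that genuinely cannot authenticate (and belong in a device-specific profile) from clients that should have completed AD SSO but did not.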



  • Hi, Daniel,

    Rather than switching everything over to Transparent, make a new Web Filtering Profile with 'Enable device-specific authentication' if necessary.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Why should this be a better solution?

    BYOD is everywhere and I need to set user based rules.

    I want to get rid of configuration tasks for proxy + AD user credentials on, for example, iPads. How can a new profile help me to do this without losing user information for web access?
  • From the manual: "To configure the authentication method for specific devices, select the checkbox Enable device-specific authentication. You can then click the green plus icon and select device types and the authentication method."

    Refer to https://community.sophos.com/kb/en-US/120345 which is only available in English but that seems to work well for you.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey BAlfson,

    This is not a solution. He wrote that if he changes from standard to transparent mode, no user and domain are traced/authenticated. We have this issue too. In standard proxy mode, the AD SSO works fine, but if we change it to transparent mode, the authentication window from Windows shows up. Any idea why?


    Sophos Platinum Partner 
    Sophos Certified Architect
    (Certified UTM Architect / Certified XG Architect)

  • Check the Microsoft KnowledgeBase and boards to see if there's a way to get the Windows server to correctly answer an NTLMv1 auth request.  I bet you need to enable that in the server.  That's just a guess.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Balfson,

    Thanks for your guess. I solved the problem myself. The solution was to set the DNS name (FQDN and short) into the intranet zone to authenticate with username/password. But thanks, good to know the NTLMv1 hint.


    Sophos Platinum Partner 
    Sophos Certified Architect
    (Certified UTM Architect / Certified XG Architect)

  • On the command line:

    cc get http adsso_redirect_use_hostname

    If set to 1 it should use the UTM hostname when doing AD SSO and IE/FF will automatically assume it is intranet and safe.  Your client needs to be able to resolve the bare UTM name.

    If set to 0 it will use the UTM FQDN and IE/FF needs the extra configuration to allow it to authenticate without a prompt.