
How can I get two profiles to work in conjunction with each other?

I have two web filter policies (both set up by Sophos support). They are not interacting with each other. Here is my setup:

Profile One

  • Operation Mode: Transparent
  • Default Authentication: AD SSO
  • Policies: three, starting with most restrictive
  • "Block access on authentication failure" is unchecked

Profile Two

  • Operation Mode: Transparent
  • Default Authentication: None
  • Policies: single policy (most restrictive policy listed in profile one)
  • "Block access on authentication failure" is unchecked

If I leave the profiles as listed above, unauthenticated users (such as my smartphone or guests) get blocked. I can't even open Google.com. If I invert the profiles, everyone is filtered by the same base policy and the SSO policies don't take effect.

Is there any way to get these policies to work on an "if-then" relationship? Specifically, I need to use SSO unless the user is not part of my AD, in which case a default existing policy should be applied. No matter what I do (again, these were set up by Sophos support) I can't get this to work.

TIA.



This thread was automatically locked due to age.
  • There is a bit of a trick you can use, Mark.  I normally set up 'Web Filtering' for "Internal (Network)" in Transparent mode with more restrictions.  Then, in 'Web Filtering Profiles', I configure a Profile in AD-SSO Standard mode for "Internal (Network)" with fewer restrictions.

    In this way, if the browser is configured to send requests to the Proxy, the requests will be handled by the Profile.  If someone sets the browser to use the Proxy on a machine that is not a member of the domain or the user is not logged in to the domain, the request will fail authentication and you can apply the same restrictive filter used in 'Web Filtering'.

    If the browser does not send requests to the Proxy, they will not be seen by the Profile, but will be intercepted transparently by the default Profile.

    You might want to refer to my KnowledgeBase article: Configuring HTTP/HTTPS proxy access with AD SSO with a Sophos UTM.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA