This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How can I get two profiles to work in conjunction with each other?

I have two web filter policies (both set up by Sophos support). They are not interacting with each other. Here is my setup:

Profile One

  • Operation Mode: Transparent
  • Default Authentication: AD SSO
  • Policies=three starting with most restrictive
  • "Block access on authentication failure" is unchecked

Profile Two

  • Operation Mode: Transparent
  • Default Authentication: None
  • Policies=single policy (most restrictive policy listed in profile one)
  • "Block access on authentication failure" is unchecked

If I leave the profiles as listed above, unauthenticated users (such as my smartphone or guests) get blocked. I can't even open Google.com. If I invert the profiles, everyone is filtered by the same base policy and the SSO policies don't take effect.

Is there anyway to get these policies to work on an "if-then" relationship? Specifically, I need to use SSO unless the user is not part of my AD to which a default existing policy should be applied. No matter what I do (again, these were set up by Sophos support) I can't get this to work. 

TIA.



This thread was automatically locked due to age.
Parents
  • Hi Mark,

    Greetings.

    You cannot use two Web Protection profile in conjunction. Firewall will always prioritize the profile in TOP-BOTTOM approach. Hence, the profile placed on TOP will be applied to the configured "Allowed Networks".

    I think you are trying to achieve a setup where a group of users on AD, has to authenticate through UTM and has limited access, alongside the user which is not a part of AD, should pass through without authentication, again with limited access ?

    This is not feasible if you are configuring similar Allowed Network in both the profile.

    You must either define a separate network for non AD users or Define a particular range of IP address out of DHCP Range, which can be statically defined on devices for internet access without Authentication.

    The configuration will be, set of allowed IP address which needs Authentication in profile 1. Next, configure set of IP address with None Authentication selected in profile 2.

     

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Sachin,

    Can you setup multiple profiles on the same network, all in standard mode, all checking user authentication via AD SSO. 

    I want to create a Group in the group definition based on the AD group Domain Users, lets say "Users" and another based on the AD Group Domain Admins, Say "Admins".

    I want to create a Web Filter Profile, standard mode, authentication active directory SSO, all internal networks allowed. A policy "general access" with a few categories allowed which is attached to the web filter profile. Also linked the policy to the Group Users

    Same for the Domain admin, same mode, same auth, same network, policy "full access", very few restrictions, linked to Admins group.

    This should work?

Reply
  • Sachin,

    Can you setup multiple profiles on the same network, all in standard mode, all checking user authentication via AD SSO. 

    I want to create a Group in the group definition based on the AD group Domain Users, lets say "Users" and another based on the AD Group Domain Admins, Say "Admins".

    I want to create a Web Filter Profile, standard mode, authentication active directory SSO, all internal networks allowed. A policy "general access" with a few categories allowed which is attached to the web filter profile. Also linked the policy to the Group Users

    Same for the Domain admin, same mode, same auth, same network, policy "full access", very few restrictions, linked to Admins group.

    This should work?

Children
  • Hi, and welcome to the UTM Community!

    No, it doesn't work like you've imagined.  You want a single Web Filtering Profile in AD-SSO with a different Policy for each group.

    Also, in addition to reading the KnowledgeBase article that I suggested above, see my comment in that post about using a Default Profile in Transparent.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    Thanks for the reply, Am I glad you are addicted to your iPhone :)

    I have created a single profile with multiple policies and it works a treat. I certainly will look at the default profile too.

    Cheers