This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM 9 Webfiltering ADSSO with Basic Authentication??

We are currently running on 9.403-4 release and using Webfiltering with ADSSO and Transparent mode and also have "block on authentication failure" enabled.  We have problems with users all the time calling and saying that the sites they go to daily are being blocked and they are all HTTPS sites.  So they are not authenticated when they open a web browser.  When they initially go to a HTTP site, they are authenticated and can go anywhere allowed.  I know there are limitations to operating this way as I have read in KB 120791.  I want to fix this but don't want to lose authentication.  What type of browser configuration do I have to do to use ADSSO with basic user authentication??  Is that a Windows group policy add or is that a browser file push with GPO?? We have used Websense in the past with the web proxy settings configured in the browser but I wasn't sure if we had to do the same thing if we went with the Basic authentication.  We don't want to have to install the agent on all machines, we just want a simple solution that works with authentication.  

Thanks. 



This thread was automatically locked due to age.
Parents Reply Children
  • Ok.  I had to tweak a couple of things on the DNS best practices part but everything else is setup according to the information that you gave.  And I had already read the KBA that you mentioned.  This problem does not happen all of the time and it will only happen to a few people.  Also, it happens every time the UTM is rebooted, such as firmware updates.  

  • SCH, are you certain that you're chasing the right problem?  Can you show us a line where a user was auth'd and then one a moment later from the same IP where the access was blocked because the user failed auth?

    Cheers - Bob

    PS That KB article was plagiarized from a post that I maintain here regularly, DNS best practice, as you can see from the Change log at the bottom.  I don't know if that KnowledgeBase article is regularly updated.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Actually the problem hasn't happened in about a week, but if I get one soon I will post the log here for that user.  Basically, when the user is blocked on everything the 'username' and 'Domain' will be blank with " " showing that the user has not been authenticated yet.  We have the STAS implemented as well which seemed to help out for a while but the problem comes back every once in awhile.  

    Also, the article mentioned in the first post here https://www.sophos.com/en-us/support/knowledgebase/120283.aspx says on the first setting for allowed networks to enter your internal DNS servers if your clients use an internal DNS server.  Is this correct?  The way it is setup now has one of our subnets and our wireless network in it.  Currently our clients DO use an internal DNS running AD.  The link you provided above does not state that.  Just wondering the correct way to have that setup.