Wireless Setup (using Web Profile / Transparent / AD SSO)

We have configured Wireless to run as a Web Filter Profile (using Transparent mode and AD SSO) and are just wondering if the following is plausible, and if so, how we do this:

Option #1 – HTTP and HTTPS will be destination NAT to the Sophos proxy

    Source         Destination    Service       Action
    BYOD subnet    Any            HTTP/HTTPS    Destination NAT to Sophos IP

1. Will this configuration work for HTTP and HTTPS?
2. Will HTTPS be successfully proxied? Not inspected, but forwarded successfully to the destination.
3. Will transparent mode work?
4. Will Active Directory authentication work?
5. What configuration needs to be applied to achieve this?

--

Option #2 – HTTP and HTTPS policy based routed to Sophos proxy

    Source         Destination    Service       Action
    BYOD subnet    Any            HTTP/HTTPS    Next hop IP Sophos proxy

1. Will this configuration work for HTTP and HTTPS?
2. Will HTTPS be successfully proxied?
3. Will transparent mode work?
4. Will Active Directory authentication work?
5. What configuration needs to be applied to achieve this?

This thread was automatically locked due to age.
  • Yes, you should be able to do AD-SSO Transparent for a given subnet. Since we don't know your topology, it's hard to know if you need NAT or a route or what might be missing in your configuration. Also, please insert a picture of your Profile for the BYOD subnet and the Policy used to assign a Filter Action.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • We have wireless working; however, we need to change it (as we currently have it routed through our test switch, and we can't directly route it through our Production Switch, as the configuration for the PEAP-MSCHAPv2 device and our Production switch are in a different location). Therefore we were wondering if there is a way we can get the destination NAT to work, as this can traverse layer 3 hops easily: it changes the destination IP and normal routing will take care of it.

    The negative is that the destination is NATted and we are not sure if it will work. Not sure how it will behave with HTTP and HTTPS. Hence the questions above.

  • We really do need to know your network topology. We can't tell if the UTM is at the edge speaking to one or more routers in your LANs or if it is an internal device communicating with the Internet via a router on the edge. A simple stick diagram with IPs would suffice.

    Also, I get the impression that you're trying to solve a problem using a metaphor that's "foreign" to the UTM. Please share a simple statement of what you want to accomplish instead of your solutions (which may be perfect, but we can't know).

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA