This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Wireless Setup (using Web Profile / Transparent / AD SSO)

We have configured Wireless to run as a Web Filter Profile using Transparent and AD SSO) and are just wondering if the following is plausible, and if so, how we do this:

Option #1 – HTTP and HTTPS will be destination NAT to the Sophos proxy

Source Destination Service Action

BYOD subnet Any HTTP/HTTPS Destination NAT to Sophos IP

1. Will this configuration work for HTTP and HTTPS

2. Will HTTPS be successfully proxied. Not inspected but forwarded successfully to destination.

3. Will transparent mode work

4. Will Active Directory authentication work

5. What configuration needs to be applied to achieve this

Option #2 – HTTP and HTTPS policy based routed to Sophos proxy

Source Destination Service Action

BYOD subnet Any HTTP/HTTPS Next hop IP Sophos proxy

1. Will this configuration work for HTTP and HTTPS

2. Will HTTPS be successfully proxied

3. Will transparent mode work

4. Will Active Directory authentication work

5. What configuration needs to be applied to achieve this

This thread was automatically locked due to age.

Parents

0 BAlfson over 8 years ago

Yes, you should be able to do AD-SSO Transparent for a given subnet. Simce we don't know your topology, it's hard to know if you need NAT or a route or what might be missing in your configuration. Also, please insert a picture of your Profile for the BYOD subnet and the Policy used to assign a Filter Action.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 StephenHill over 8 years ago in reply to BAlfson

We have wireless working, however we need to change it, (as we currently have it routed through our test switch, we cant directly route it through our Production Swtich as the configuration for the PEAP-MSCHAPv2 device and our Production switch are in a different location), therefore we were wondering if there is a way we can get the destination NAT to work as this can traverse layer 3 hops easily as it changes the destination IP and normal routing will take care of it.

Negative is that destination is NATted and we are not sure if it will work. Not sure how it will behave with HTTP and HTTPS. Hence the questions above.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 8 years ago in reply to StephenHill

We really do need to know your network topology. We can't tell if the UTM is at the edge speaking to one or more routers in your LANs or if it is an internal device communication to the Internet via a router on the edge. A simple stick diagram with IPs would suffice.

Also, I get the impression that you're trying to solve a problem using a metaphor that's "foreign" to the UTM. Please share a simple statement of what you want to accomplish instead of your solutions (which may be perfect, but we can't know).

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 8 years ago in reply to StephenHill

We really do need to know your network topology. We can't tell if the UTM is at the edge speaking to one or more routers in your LANs or if it is an internal device communication to the Internet via a router on the edge. A simple stick diagram with IPs would suffice.

Also, I get the impression that you're trying to solve a problem using a metaphor that's "foreign" to the UTM. Please share a simple statement of what you want to accomplish instead of your solutions (which may be perfect, but we can't know).

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data