AD SSO web filtering standard mode and local domain

Hi, Brandon, and welcome to the UTM Community!

I don't think it's possible for the Proxy to properly assign Policies based on Backend Groups unless authentication works.  You aren't seeing anything in the Web Filtering file, so something is not set correctly.  I can think of one possibility...

Your Profile in AD-SSO Standard mode comes after your Profile in Transparent mode.  In fact, an access from a client set to use an explicit proxy is not disqualified from a Profile in Transparent mode.  A profile for a group of a few IPs that are in a subnet must be placed above the Profile for the whole subnet.  Likewise, a Policy for a group of names must come before the Policy for "Everyone."

If that's not the problem, please insert pictures of the 'Global' and 'Policies' tab in 'Web Filtering''  Also, pictures of the 'Web Filter Profile' and 'Policies' tabs in your Profile in 'Web Filter Profiles'.

Cheers - Bob

PS Thanks for the compliment, but I only help for free in the Community where many people can benefit. [;)]

Bob

Thanks.  I had noticed the profiles work like an availability group.  RTFM.  ><   Thanks for breaking that down.  Got a couple days off for Thanksgiving.  I'll get this straightened out.  That being said, I have one client that I firewall off.  It has no need to be on the net.  I still set it up on Standard/Proxied.  Should I:

1. Set default profile to "block all" on that client.

2. Set less restrictive profile for the rest of proxied clients.

3. Set transparent profile for everyone else.

If that's the correct order, I'll get that in place, and proceed from there. 

-Brandon

Bob

Thanks.  I had noticed the profiles work like an availability group.  RTFM.  ><   Thanks for breaking that down.  Got a couple days off for Thanksgiving.  I'll get this straightened out.  That being said, I have one client that I firewall off.  It has no need to be on the net.  I still set it up on Standard/Proxied.  Should I:

1. Set default profile to "block all" on that client.

2. Set less restrictive profile for the rest of proxied clients.

3. Set transparent profile for everyone else.

If that's the correct order, I'll get that in place, and proceed from there. 

-Brandon

I normally recommend putting the Default Profile in Transparent mode as it's the last one considered, but I think you have it now.

Cheers - Bob

PS RTFM = facepalm [:D]

Bob

Oh!  Ok thats what I have set up.  

Webfiltering > Default Webfilter Profile / Internal Network / Transparent

Webfilter Profiles > 1. Studio / Standard / Decrypt and Scan / Block All

Webfilter Profiles > 2. Proxy Group / Standard w AD SSO / Decrypt and Scan

         - within that there is a Webfiltering Policy to a backend AD group

Here are some screenies.  With this configuration, and "block access on auth fail" checked, I can see usernames in the log on some entries, and I am constantly presented with a login prompt on browsers.

"I can see usernames in the log on some entries, and I am constantly presented with a login prompt on browsers."

Which names appear?  Which accesses show no name?  For which accesses is Browser Authentication required?  Please show one line each from the Web Filtering log for the first two and the relevant lines for a single, unwanted authentication prompt.

How does your configuration differ from Configuring HTTP/S proxy access with AD SSO?

Cheers - Bob

Bob

Within Webfilter Profiles > Proxy Group is a Policy tied to a specific AD group.  

This is a more restrictive group.  When i add / remove a member in the AD group, and sync the UTM, the changes follow, as do policy helpdesk report.  

Am I correct in thinking that users that do not fall in this group / policy, then are filtered by the base policy of that profile?  Those users are not as restricted.

I used https://community.sophos.com/kb/zh-cn/115659 when I set this up.  The only thing different, is I use the IP of the UTM for the proxy server settings in IE.

I added that IP as an intranet site, and set "authentication login with username and password" in the intranet zone.

I dont see any entries in the client authentication logs.  Just WebAdmin, User Portal, and Authentication Server test boxes.

I can send you webfiltering logs.  Not sure if posting that here is ill advised.  Let me know.

And please, if this is not going to work in this kind of environment, let me know.  I've found ways to pretty much get the granularity I need with this.

But it would be really cool to get this working.  :)

-Brandon

Brandon PM'd me with about a dozen lines from the Web Filtering log file?  The three interesting lines from that are

2016:11:23-18:31:50 vento httpproxy[5480]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.XXX.109" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_HttProContaInterNetwo (Proxy Group)" filteraction=" ()" size="2629" request="0xe14e2400" url="https://clients4.google.com/" referer="" error="" authtime="12" dnstime="0" cattime="0" avscantime="0" fullreqtime="118" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36" exceptions=""

2016:11:23-18:31:50 vento httpproxy[5480]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.XXX.109" dstip="" user="jared" group="" ad_domain="VENTO" statuscode="407" cached="0" profile="REF_HttProContaInterNetwo (Proxy Group)" filteraction=" ()" size="2629" request="0xe14e2400" url="https://clients4.google.com/" referer="" error="" authtime="51" dnstime="0" cattime="0" avscantime="0" fullreqtime="548" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36" exceptions=""

2016:11:23-18:31:59 vento httpproxy[5480]: id="0066" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden application detected" action="block" method="CONNECT" srcip="192.168.XXX.104" dstip="192.243.250.84" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffTransFilte (Transparent Mode Filter)" size="3327" request="0xe1435e00" url="adobemobiledev.sc.omtrdc.net/" referer="" error="" authtime="0" dnstime="3" cattime="194" avscantime="0" fullreqtime="547254" device="0" auth="0" ua="" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" application="ADOBANAL" app-id="1107"

In the same second, "Jared" (in a VM) is not identified and then identified.  Probably an issue with NTLM.

Brandon, which access was one where you were asked for browser authentication?

Cheers - Bob

Bob

I'll throw AD SSO on and grab a better sample today.  I am prompted for credentials on every website.

Thanks again, for taking a look.

-Brandon

To add some info:  

I turned on auditing for NTLM.

Here are my settings from the local security policy on the domain controller:

And on the client PC:

Are there group policy changes to be made as well?

I dont see any challenges in the NTLM logs.

Just this:

Brandon sent me another log full of lines where there was a failure to authenticate, but where there was one successful authentication out of dozens.

First, make sure that the time difference between the UTM and the DC is a few minutes at most.  Next, if it's still not working, un-join the UTM from the domain by using an incorrect name&password combination and then re-join by using valid credentials.  I don't think these will solve your problem and that you will need to enable Kerberos on the DC and change your GPO to distribute an FQDN that points to the IP of "Internal (Address)" instead of the IP itself.

Cheers - Bob