This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

AD SSO web filtering standard mode and local domain

Hello all.

I've been a UTM user for about 3 years.  Never had a need to post in here, as I can usually find my answers within.  Webfiltering seems to be the hardest beast for me to tame, but I'm close.  I am a server admin, networking / firewall is not my strong point, so some of this might sound noobish.  This UTM is being used at home, not in a business setting.

I have Webfiltering enabled, with a base policy in transparent mode with no authentication, URL filtering only.  It works great.  People off the street that can connect to wifi hit this profile, and it works as intended.  Allowed network is set to internal network, so this will grab anyone that is not in the profile below.

I have a Webfiltering profile that runs in standard mode, HTTPS decrypt and scan.  The base policy here is completely unlimited, so if you are not in the about to be mentioned AD group, you get a pass.  The sub policy regulates a AD group with tighter filtering settings, and it applies to the AD group as intended.  Works absolutely perfect.  Allowed networks are set to a group of computers.  Proxy settings are deployed with a GP.  Browser authentication works perfectly, SSO does not.  I see the user in the logs, and what is being applied.

In Client Authentication > Allowed Users and Groups are my backend groups, allowed to authenticate to internal network.

In Authentication Services > Servers, my Bind DN and User tests work perfect and reflect group memberships.  My mydomain.local shows up in Single Sign-On, there is an AD object that the UTM created.  It's active, everything looks OK.

I do not have a FQDN.  From what I have read, this makes things tricky.  I have a dyn address.  If you guys tell me, yeah, thats the kicker, then this is where we stop.  

I feel like the UTM is properly configured.  I have tried a million different combinations on the client side.  Even created a dns name / host entry pointing to the Internal interface.  I figured hey, why not.  From what I understand, FQDN will use kerberos, IP will use NTLM.  I have tried all sorts of combinations using IPs, dns names, intranet site settings, trusted sites, and so on.  I feel like it is a client side thing, but I am not so sure.  I did find a MS article with a testing method for NTLM and kerberos, and it came up positive.  It was a loopback / capture test.  I never see users properly identified in the webfiltering logs.  I dont see anything in the authentication logs, and no challenges in the server security logs.

The only time it does work, is if I use my dyndns address.  But, I feel like that is a terrible idea, as it resolves to my external interface, and seems incredibly counterintuitive and un safe.

Blah, let me know what you guys think.  Can this be done without an fqdn?  Do I need to give BAlfson a VPN connection?  

A pleasure to post here.

 

-Brandon

 

 

 



This thread was automatically locked due to age.
Parents
  • Hi, Brandon, and welcome to the UTM Community!

    I don't think it's possible for the Proxy to properly assign Policies based on Backend Groups unless authentication works.  You aren't seeing anything in the Web Filtering file, so something is not set correctly.  I can think of one possibility...

    Your Profile in AD-SSO Standard mode comes after your Profile in Transparent mode.  In fact, an access from a client set to use an explicit proxy is not disqualified from a Profile in Transparent mode.  A profile for a group of a few IPs that are in a subnet must be placed above the Profile for the whole subnet.  Likewise, a Policy for a group of names must come before the Policy for "Everyone."

    If that's not the problem, please insert pictures of the 'Global' and 'Policies' tab in 'Web Filtering''  Also, pictures of the 'Web Filter Profile' and 'Policies' tabs in your Profile in 'Web Filter Profiles'.

    Cheers - Bob

    PS Thanks for the compliment, but I only help for free in the Community where many people can benefit. [;)]

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob

    Thanks.  I had noticed the profiles work like an availability group.  RTFM.  ><   Thanks for breaking that down.  Got a couple days off for Thanksgiving.  I'll get this straightened out.  That being said, I have one client that I firewall off.  It has no need to be on the net.  I still set it up on Standard/Proxied.  Should I:

    1. Set default profile to "block all" on that client.

    2. Set less restrictive profile for the rest of proxied clients.

    3. Set transparent profile for everyone else.

    If that's the correct order, I'll get that in place, and proceed from there. 

    -Brandon

  • I normally recommend putting the Default Profile in Transparent mode as it's the last one considered, but I think you have it now.

    Cheers - Bob

    PS RTFM = facepalm [:D]

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob

     

    Oh!  Ok thats what I have set up.  

    Webfiltering > Default Webfilter Profile / Internal Network / Transparent

    Webfilter Profiles > 1. Studio / Standard / Decrypt and Scan / Block All

    Webfilter Profiles > 2. Proxy Group / Standard w AD SSO / Decrypt and Scan

             - within that there is a Webfiltering Policy to a backend AD group

    Here are some screenies.  With this configuration, and "block access on auth fail" checked, I can see usernames in the log on some entries, and I am constantly presented with a login prompt on browsers.

Reply
  • Bob

     

    Oh!  Ok thats what I have set up.  

    Webfiltering > Default Webfilter Profile / Internal Network / Transparent

    Webfilter Profiles > 1. Studio / Standard / Decrypt and Scan / Block All

    Webfilter Profiles > 2. Proxy Group / Standard w AD SSO / Decrypt and Scan

             - within that there is a Webfiltering Policy to a backend AD group

    Here are some screenies.  With this configuration, and "block access on auth fail" checked, I can see usernames in the log on some entries, and I am constantly presented with a login prompt on browsers.

Children
  • "I can see usernames in the log on some entries, and I am constantly presented with a login prompt on browsers."

    Which names appear?  Which accesses show no name?  For which accesses is Browser Authentication required?  Please show one line each from the Web Filtering log for the first two and the relevant lines for a single, unwanted authentication prompt.

    How does your configuration differ from Configuring HTTP/S proxy access with AD SSO?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob

     

    Within Webfilter Profiles > Proxy Group is a Policy tied to a specific AD group.  

    This is a more restrictive group.  When i add / remove a member in the AD group, and sync the UTM, the changes follow, as do policy helpdesk report.  

    Am I correct in thinking that users that do not fall in this group / policy, then are filtered by the base policy of that profile?  Those users are not as restricted.

    I used https://community.sophos.com/kb/zh-cn/115659 when I set this up.  The only thing different, is I use the IP of the UTM for the proxy server settings in IE.

    I added that IP as an intranet site, and set "authentication login with username and password" in the intranet zone.

    I dont see any entries in the client authentication logs.  Just WebAdmin, User Portal, and Authentication Server test boxes.

    I can send you webfiltering logs.  Not sure if posting that here is ill advised.  Let me know.

    And please, if this is not going to work in this kind of environment, let me know.  I've found ways to pretty much get the granularity I need with this.

    But it would be really cool to get this working.  :)

     

    -Brandon

  • Brandon PM'd me with about a dozen lines from the Web Filtering log file?  The three interesting lines from that are

    2016:11:23-18:31:50 vento httpproxy[5480]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.XXX.109" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_HttProContaInterNetwo (Proxy Group)" filteraction=" ()" size="2629" request="0xe14e2400" url="https://clients4.google.com/" referer="" error="" authtime="12" dnstime="0" cattime="0" avscantime="0" fullreqtime="118" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36" exceptions=""

    2016:11:23-18:31:50 vento httpproxy[5480]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.XXX.109" dstip="" user="jared" group="" ad_domain="VENTO" statuscode="407" cached="0" profile="REF_HttProContaInterNetwo (Proxy Group)" filteraction=" ()" size="2629" request="0xe14e2400" url="https://clients4.google.com/" referer="" error="" authtime="51" dnstime="0" cattime="0" avscantime="0" fullreqtime="548" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36" exceptions=""

    2016:11:23-18:31:59 vento httpproxy[5480]: id="0066" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden application detected" action="block" method="CONNECT" srcip="192.168.XXX.104" dstip="192.243.250.84" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffTransFilte (Transparent Mode Filter)" size="3327" request="0xe1435e00" url="adobemobiledev.sc.omtrdc.net/" referer="" error="" authtime="0" dnstime="3" cattime="194" avscantime="0" fullreqtime="547254" device="0" auth="0" ua="" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" application="ADOBANAL" app-id="1107"

    In the same second, "Jared" (in a VM) is not identified and then identified.  Probably an issue with NTLM.

    Brandon, which access was one where you were asked for browser authentication?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob

     

    I'll throw AD SSO on and grab a better sample today.  I am prompted for credentials on every website.

    Thanks again, for taking a look.

     

    -Brandon

  • To add some info:  

    I turned on auditing for NTLM.

    Here are my settings from the local security policy on the domain controller:

    And on the client PC:

    Are there group policy changes to be made as well?

    I dont see any challenges in the NTLM logs.

    Just this:

  • Brandon sent me another log full of lines where there was a failure to authenticate, but where there was one successful authentication out of dozens.

    First, make sure that the time difference between the UTM and the DC is a few minutes at most.  Next, if it's still not working, un-join the UTM from the domain by using an incorrect name&password combination and then re-join by using valid credentials.  I don't think these will solve your problem and that you will need to enable Kerberos on the DC and change your GPO to distribute an FQDN that points to the IP of "Internal (Address)" instead of the IP itself.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA