Hello all.
I've been a UTM user for about 3 years. Never had a need to post in here, as I can usually find my answers within. Webfiltering seems to be the hardest beast for me to tame, but I'm close. I am a server admin, networking / firewall is not my strong point, so some of this might sound noobish. This UTM is being used at home, not in a business setting.
I have Webfiltering enabled, with a base policy in transparent mode with no authentication, URL filtering only. It works great. People off the street that can connect to wifi hit this profile, and it works as intended. Allowed network is set to internal network, so this will grab anyone that is not in the profile below.
I have a Webfiltering profile that runs in standard mode, HTTPS decrypt and scan. The base policy here is completely unlimited, so if you are not in the about to be mentioned AD group, you get a pass. The sub policy regulates a AD group with tighter filtering settings, and it applies to the AD group as intended. Works absolutely perfect. Allowed networks are set to a group of computers. Proxy settings are deployed with a GP. Browser authentication works perfectly, SSO does not. I see the user in the logs, and what is being applied.
In Client Authentication > Allowed Users and Groups are my backend groups, allowed to authenticate to internal network.
In Authentication Services > Servers, my Bind DN and User tests work perfect and reflect group memberships. My mydomain.local shows up in Single Sign-On, there is an AD object that the UTM created. It's active, everything looks OK.
I do not have a FQDN. From what I have read, this makes things tricky. I have a dyn address. If you guys tell me, yeah, thats the kicker, then this is where we stop.
I feel like the UTM is properly configured. I have tried a million different combinations on the client side. Even created a dns name / host entry pointing to the Internal interface. I figured hey, why not. From what I understand, FQDN will use kerberos, IP will use NTLM. I have tried all sorts of combinations using IPs, dns names, intranet site settings, trusted sites, and so on. I feel like it is a client side thing, but I am not so sure. I did find a MS article with a testing method for NTLM and kerberos, and it came up positive. It was a loopback / capture test. I never see users properly identified in the webfiltering logs. I dont see anything in the authentication logs, and no challenges in the server security logs.
The only time it does work, is if I use my dyndns address. But, I feel like that is a terrible idea, as it resolves to my external interface, and seems incredibly counterintuitive and un safe.
Blah, let me know what you guys think. Can this be done without an fqdn? Do I need to give BAlfson a VPN connection?
A pleasure to post here.
-Brandon
This thread was automatically locked due to age.
