This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web filtering - a little hit and miss?

We have web filtering set up with 2 profiles - IT department & Normal Users

The IT department filter allows users to download whatever they deem fit eg any size, exe's etc whereas the normal users are restricted. Both filters work with transparent auth and we use AD with STAS

The IT department filter is at the top of the list. For the most part, it works.

A normal user coming through the filter will be first checked against the IT department and then dropped onto the normal user profile (because they ain't a member of the IT department). Works all of the time.

However, a member of the IT department is a bit hit and miss and can sometimes download exe's etc but other times is blocked as they fall into the normal users filter.

It's as if they ain't being authenticated as we see their name against the normal filter.

Our AD servers are in an availability group (we have four of them) and STAS is installed on all four.

Any ideas?



This thread was automatically locked due to age.
Parents
  • I'll guess that STAS uses NTLM instead of Kerberos.  If that's the case, then I would guess that the problem is in your AD servers.  I say this because, when using Standard mode, if, in the browser's 'LAN Settings', you use a numeric IP address for the Proxy instead of an FQDN, NTLM is used instead of Kerberos.  One sees occasional auth failures like you describe.

    I'm confused that you would have two separate Profiles instead of a single Profile with two Policies.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I think I might be getting into a little muddle with the web filtering so a little guidance might be needed here.

     

    There are basically 2 types of network - A corp and a guest spread over 50 sites ie corp & guest on each site (100 subnets total)

    Corp subnets = 10.100.0.0/16     <<<< authentication required
    Guest subnets = 172.20.0.0/16    <<<< no authentication required

    So with above, I have both network groups placed in the web filtering global tab (the default profile). It's set to NO authentication on that tab. I'm not sure this is right?

    That default profile has 3 policies (one for corp, one for guest) but these can only apply to users/groups so I have nothing selected in there. The 3rd policy has the IT group with users in it.

    So basically I need a corp profile ( i can specify the networks for these) with which all users on that profile will need authenticated against AD. Within that profile will be the IT policy eg can download etc.

    I then need a "guest profile" with no authentication. I can specify the networks for this profile.

    So, do I enter the guest subnets in the global tab ie the default profile or do I only put the corp networks in there? Then add another profile eg "Guest profile" in the web filter profiles tab and configure the guest profile and filtering from with there for the guest profile?

  • I'm looking through the web filtering manual now and according to it, the default filter on the Web Filtering tab (with the global tab etc) is the last filter that is applied.

    So if I'm reading this right, all other profiles (under web filter profiles) are read first and the default profile is read last?

    So if you have 2 lots of networks (1 corp and 1 guest), do you only enter the corp network in the default profile and then the guest in a new profile?

    And does it matter which order they come in? ie should the default network be the guest network or the corp network?

    I'm finding is slightly confusing because of the default page rather than just have all of the profiles under web filter profiles....

Reply
  • I'm looking through the web filtering manual now and according to it, the default filter on the Web Filtering tab (with the global tab etc) is the last filter that is applied.

    So if I'm reading this right, all other profiles (under web filter profiles) are read first and the default profile is read last?

    So if you have 2 lots of networks (1 corp and 1 guest), do you only enter the corp network in the default profile and then the guest in a new profile?

    And does it matter which order they come in? ie should the default network be the guest network or the corp network?

    I'm finding is slightly confusing because of the default page rather than just have all of the profiles under web filter profiles....

Children
  • Ahhh - two separate networks.  In this case, you do need separate Profiles.  Since you don't need a Transparent and a Standard Profile for either network, the order is unimportant.  If, for example, you wanted a different Policy for before and after working hours, you would put that Policy above the one with no Time Event specified.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    thanks for the fast response (as usual)

    I'm still a little baffled by the way to set it up due to the way the UTM is laid out.

    The first table (where you put the global details in etc), would I be right in assuming this is the very last profile that the UTM looks at?

    So if you want a profile processed before this, you add one in the web filter profiles? It then does this profile first and anything not matching it eg another network will then drop down that list and then go to the default profile?

    So for instance:

    in the default profile, set the authentication to none and the base policy to block so that anything that gets to it will be blocked.

    Then in the web profiles page, add a corp network with AD auth (with appropriate filters) and a guest network with no auth (with appropriate filters)

    So when a user comes from the corp network (and is authenticated), they go though on that. If they ain't authenticated, they fall into the default profile?

    With a guest, as there is no authentication and because the guest network matches, they will go out on the guest network profile ie they will never fail authentication (because there ain't none) and therefore should never get to the default profile?

  • "The first table (where you put the global details in etc), would I be right in assuming this is the very last profile that the UTM looks at?" - Yes, that's the "Default Profile."

    Profiles are chosen based on 'Allowed Networks'.  If you have a Profile for 10.10.0.0/16 above one for 10.10.10.0/24, the second one will never be considered.  You can have a Standard and a Transparent Profile for the same subnet, but the Standard one must come before the Transparent, otherwise, a Proxy request on port 8080 would qualify for the Transparent Profile.

    You can use the Default Profile for the Guest subnet.  Hopefully, my other comments answered your question. Or???

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Cheers Bob,

    Think I've got it now.....

    Cheers