
Web Protection/Proxy GPO

Hello

We are using an SG210 running 9.411-3.

The UTM is already the default gateway for all of our servers. I intend to use AD groups for SSO. Is it necessary for me to publish a GPO to each user or server saying its web proxy is the UTM?

Many thanks



  • As already very well explained by Kevin, you should use WPAD in combination with DNS or DHCP option 252 when you enable Standard Mode with Active Directory SSO. That's the most centralized and recommended way to tell your browsers that they should be using a proxy. I personally usually set both DHCP and DNS to tell the browsers where to find wpad.dat. 

    I'd also take a look at Transparent Mode with Active Directory SSO, that is supported by Sophos UTM since 9.2: https://community.sophos.com/kb/en-us/120791. This bypasses the need to configure wpad.dat at all, as the UTM should be able to intercept the communication and request the browser to authenticate transparently. Please, do pay attention to the "Prerequisites" from the link. They really need to be met for this to work. This is the option I've been using lately. 

    Another option is to use STAS: https://www.sophos.com/en-us/medialibrary/PDFs/documentation/STAS_manual-en.pdf?la=en. STAS maps the user logon to the endpoint IP address, so you don't need to tell your endpoint to use a proxy at all. It's a little (ok, maybe a lot) more painful to get going, but once it's working it's awesome, as you can even create firewall rules based on the AD username. If you are willing to try STAS, remember that you should use Transparent Mode with Agent authentication on Web Protection, since STAS acts as an agent and not as SSO. It's a bit cutting edge still, but I managed to get it working on my latest setup.

    Regards,

    Giovani
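
The WPAD setup Giovani describes (DHCP option 252 plus a DNS "wpad" record, with the browsers fetching wpad.dat), written out as an added example. This is not code from the thread or from Sophos; it is a PowerShell script for a Windows DHCP/DNS server with the DhcpServer and DnsServer modules, and every host name, address and path in it (corp.example.com, 10.0.0.1, 10.0.0.5, the IIS wwwroot, the scope ID) is an assumption to replace with your own. Port 8080 is the UTM's default Standard Mode listener; confirm it under Web Protection in WebAdmin.

```powershell
# Added example, not from the original thread or from Sophos: publish the proxy
# location for Standard Mode with AD SSO via DHCP option 252 and a DNS "wpad"
# record, and write the wpad.dat that browsers will fetch.
# Run on a Windows server holding the DHCP and DNS roles (or with RSAT).
#
# Assumptions (hypothetical values, adjust to your network):
#   - AD DNS zone:           corp.example.com
#   - UTM internal address:  10.0.0.1, Standard Mode proxy on port 8080
#   - DHCP scope:            10.0.0.0
#   - wpad.dat is served by a web server at 10.0.0.5 from C:\inetpub\wwwroot (IIS)
$Zone      = 'corp.example.com'
$ProxyIp   = '10.0.0.1'
$ProxyPort = 8080
$ScopeId   = '10.0.0.0'
$WpadHost  = '10.0.0.5'            # web server that serves wpad.dat
$WpadUrl   = "http://wpad.$Zone/wpad.dat"

# 1. DNS. Windows DNS refuses to answer for "wpad" while that label is on the
#    global query block list (a built-in defence against WPAD spoofing by a
#    rogue host registering the name). Check, then keep only "isatap" on the
#    list so the record you add below becomes resolvable.
$block = Get-DnsServerGlobalQueryBlockList
if ($block.List -contains 'wpad') {
    Set-DnsServerGlobalQueryBlockList -List 'isatap' -PassThru
}
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'wpad' -IPv4Address $WpadHost

# 2. DHCP. Option 252 is not predefined; define it once per server, then set
#    the value on the scope. Clients that honour DHCP WPAD use it before trying
#    the DNS name, so both point at the same file.
if (-not (Get-DhcpServerv4OptionDefinition -OptionId 252 -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4OptionDefinition -OptionId 252 -Name 'WPAD' -Type String `
        -Description 'Proxy auto-config URL'
}
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 252 -Value $WpadUrl

# 3. The PAC file. Plain host names, the internal zone and the RFC 1918 ranges
#    go DIRECT so server-to-server traffic does not loop through the proxy;
#    everything else goes to the UTM, falling back to DIRECT if it is down.
$pac = @"
function FindProxyForURL(url, host) {
    if (isPlainHostName(host) ||
        dnsDomainIs(host, ".$Zone") ||
        isInNet(host, "10.0.0.0", "255.0.0.0") ||
        isInNet(host, "172.16.0.0", "255.240.0.0") ||
        isInNet(host, "192.168.0.0", "255.255.0.0")) {
        return "DIRECT";
    }
    return "PROXY ${ProxyIp}:${ProxyPort}; DIRECT";
}
"@
Set-Content -Path 'C:\inetpub\wwwroot\wpad.dat' -Value $pac -Encoding Ascii

# Verify from a domain-joined client:
#   Resolve-DnsName "wpad.$Zone"
#   (Invoke-WebRequest $WpadUrl).Content
```

Two caveats a practitioner will hit. IIS returns 404.3 for an extension it has no MIME mapping for, so add a mapping for .dat (application/x-ns-proxy-autoconfig) before expecting the fetch to succeed. And the "; DIRECT" fallback means a browser silently bypasses the web filter whenever it cannot reach the proxy; since the UTM is already the default gateway, pair this with a firewall rule on the UTM that drops direct TCP 80/443 from client networks so the fallback cannot be used to skip filtering. Setting both DHCP and DNS, as the reply suggests, matters because not every browser reads option 252 (Firefox only does the DNS lookup).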
