Web filtering for AD users

Several things you need to configure, first you need to add your UTM to your AD if you haven't done so already. Next make sure you don't have firewall rules allowing traffic to go over http(s) otherwise your web filtering could be by-passed.

Next in webfiltering you'll need to create a profile where your subnet is in and configure it for AD SSO authentication and perhaps you also would like to tick block access on authentication failure.

Next under policies you need to create a policy where you select an AD group (or individual users) and make sure it's linked to a filter action that just blocks everything. You can then configure the base policy with the normal filter action for the users that do need internet access.

If you want more control on different user(s)(groups) then you can define additional policies and configure corresponding filter actions.

Beware tough that some of the last firmware versions are known to break AD SSO, so first read through the forum on which versions are safe.

Hi,

I have deployed Firmware version 9.5 on a Hyper-V platform, with a W2K12 R2 domain infrastructure. I have joined the UTM to the domain and have imported the groups from AD. However whenever I deploy the group to the filter, it does not seem to do anything at all. I must be getting something wrong somewhere. Does anybody have a clear step-by-step guide because the actual Sophos UTM admin document is very unclear in terms of AD Groups and Web filtering. 

Thanks in advance for any help you guys can provide

In web-filtering live log you can see for each request whether or not a username is listed, if it is, than at least SSO seems to be working. If not, you may need to look up in eventviewer on domain controller what might be wrong.

Which exact 9.5 firmware do you have?

The firmware I have is 

As for the live log, I do not see any specific usernames. What I see is the below:

name="http access" action="pass" method="GET" srcip="192.168.0.112" dstip="XXX.XXX.XXX.184" user="" group="" ad_domain="" statuscode="200"

Event Viewer on my DC does not report much of use. As for the Firewall setting, I have it active but will no rules applied. If I enable the web Filter profile, it will request for Credentials for Authentication to site. However this affects all users on the Internal network, not just the users I want to restrict. 

I have my filter profile called TEST set as :

Allowed Networks = Internal (Network)

Operation Mode = Transparent

Default Auth = AD SSO - Everthing else Unchecked

FOR POLICY I HAVE:

Policy Name = TEST

Users= Test123 (Ad account)

Filter Action Block All Content.

But when I trigger this I only want it to block user test123 but it blocks all users and machines.

The fact that it now blocks all users may have to do with the base policy, since everyone that doesn't match the the Test123 user account, will be handled by the base policy. This would have to be configured in a way that it allows traffic...

However if you don't see any user= than it may either not use the AD SSO authentication or it is failing. Since I haven't upgraded yet to 9.5x I'm not really sure, but I think i've read in some topics that you may have to rejoin the UTM to the domain by first deliberately enter a wrong password and have it check and then entering the right password again and rejoin the domain. If I recall correctly the AD SSO problems in the previous fw is now resolved in the latest but you may need to rejoin.

Hi, Zain, and welcome to the UTM Community!

How does your configuration compare to Configuring HTTP/S proxy access with AD SSO?  The article is aimed at Standard mode but 98% of it applies to Transparent mode, too.

Also, you will want to consider #6 in Rulz.

Cheers - Bob