This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web filtering for AD users

I am really struggling with getting my Web filtering to work. All I want to do is restrict access to the internet for certain group of users in AD. How do I do this? It just seems that I can block a host machine but not the user. Problem is the users is not restricted to the one machine. He could log on to different machines within the same domain so I want the web filtering profile to follow the user despite which machines he logs on from.

Thanks



This thread was automatically locked due to age.
Parents
  • Several things you need to configure, first you need to add your UTM to your AD if you haven't done so already. Next make sure you don't have firewall rules allowing traffic to go over http(s) otherwise your web filtering could be by-passed.

    Next in webfiltering you'll need to create a profile where your subnet is in and configure it for AD SSO authentication and perhaps you also would like to tick block access on authentication failure.

    Next under policies you need to create a policy where you select an AD group (or individual users) and make sure it's linked to a filter action that just blocks everything. You can then configure the base policy with the normal filter action for the users that do need internet access.

    If you want more control on different user(s)(groups) then you can define additional policies and configure corresponding filter actions.

    Beware tough that some of the last firmware versions are known to break AD SSO, so first read through the forum on which versions are safe.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hi,

    I have deployed Firmware version 9.5 on a Hyper-V platform, with a W2K12 R2 domain infrastructure. I have joined the UTM to the domain and have imported the groups from AD. However whenever I deploy the group to the filter, it does not seem to do anything at all. I must be getting something wrong somewhere. Does anybody have a clear step-by-step guide because the actual Sophos UTM admin document is very unclear in terms of AD Groups and Web filtering. 

    Thanks in advance for any help you guys can provide

  • In web-filtering live log you can see for each request whether or not a username is listed, if it is, than at least SSO seems to be working. If not, you may need to look up in eventviewer on domain controller what might be wrong.

    Which exact 9.5 firmware do you have?


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • The firmware I have is 

    Firmware version:   9.502-4

    As for the live log, I do not see any specific usernames. What I see is the below:

    name="http access" action="pass" method="GET" srcip="192.168.0.112" dstip="XXX.XXX.XXX.184" user="" group="" ad_domain="" statuscode="200"

    Event Viewer on my DC does not report much of use. As for the Firewall setting, I have it active but will no rules applied. If I enable the web Filter profile, it will request for Credentials for Authentication to site. However this affects all users on the Internal network, not just the users I want to restrict. 

    I have my filter profile called TEST set as :

    Allowed Networks = Internal (Network)

    Operation Mode = Transparent

    Default Auth = AD SSO - Everthing else Unchecked

    FOR POLICY I HAVE:

    Policy Name = TEST

    Users= Test123 (Ad account)

    Filter Action Block All Content.

    But when I trigger this I only want it to block user test123 but it blocks all users and machines.

Reply
  • The firmware I have is 

    Firmware version:   9.502-4

    As for the live log, I do not see any specific usernames. What I see is the below:

    name="http access" action="pass" method="GET" srcip="192.168.0.112" dstip="XXX.XXX.XXX.184" user="" group="" ad_domain="" statuscode="200"

    Event Viewer on my DC does not report much of use. As for the Firewall setting, I have it active but will no rules applied. If I enable the web Filter profile, it will request for Credentials for Authentication to site. However this affects all users on the Internal network, not just the users I want to restrict. 

    I have my filter profile called TEST set as :

    Allowed Networks = Internal (Network)

    Operation Mode = Transparent

    Default Auth = AD SSO - Everthing else Unchecked

    FOR POLICY I HAVE:

    Policy Name = TEST

    Users= Test123 (Ad account)

    Filter Action Block All Content.

    But when I trigger this I only want it to block user test123 but it blocks all users and machines.

Children
  • The fact that it now blocks all users may have to do with the base policy, since everyone that doesn't match the the Test123 user account, will be handled by the base policy. This would have to be configured in a way that it allows traffic...

    However if you don't see any user= than it may either not use the AD SSO authentication or it is failing. Since I haven't upgraded yet to 9.5x I'm not really sure, but I think i've read in some topics that you may have to rejoin the UTM to the domain by first deliberately enter a wrong password and have it check and then entering the right password again and rejoin the domain. If I recall correctly the AD SSO problems in the previous fw is now resolved in the latest but you may need to rejoin.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hi, Zain, and welcome to the UTM Community!

    How does your configuration compare to Configuring HTTP/S proxy access with AD SSO?  The article is aimed at Standard mode but 98% of it applies to Transparent mode, too.

    Also, you will want to consider #6 in Rulz.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA