Chrome/IE11 not passing group to web filter

Hello All

 

I am running Sophos UTM 9.503-4 with Web Filtering via transparent mode and ADSSO auth. I am testing with a current version of Chrome and IE11. I have reviewed the best practices for DNS and running transparent mode with ADSSO. The problem: the group that the user belongs to is not getting passed to the webfilter, so the incorrect policy is applied. I have 5 policies in one of my LAN profiles and it always applies the default policy.

The user name is getting passed to the Web Filter.  The domain is getting passed to Web Filter.  I can see this in the logs.  I'm looking for a place to start troubleshooting this....

Here is an example log entry: 

<30>2017:09:14-12:37:13 router-1 httpproxy[6544]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.100.214" dstip="204.79.197.203" user="3333" group="" ad_domain="HANB" statuscode="200" cached="0" profile="REF_HttProHaWebfilte (HA - Internal LAN ADSSO)" filteraction="REF_DefaultHTTPCFFBlockAction (HA - Default Filter Action)" size="8362" request="0x181a8000" url="https://www.msn.com/" referer="" error="" authtime="377" dnstime="3" cattime="66" avscantime="0" fullreqtime="40494449" device="1" auth="2" ua="" exceptions="" category="141" reputation="trusted" categoryname="Portal Sites" country="United States" application="msn" app-id="311"

 

Cheers,  Dale



  • Your analysis seems generally correct.   auth="2" indicates that Active Directory authentication was used, and the presence of the username and domain indicates that the NTLM information was received.   I don't know that the group="" ever contains data in my system, so I t.

    Have you tried the Test option in the Authentication Server setup?   The detected group memberships will be displayed after you enter a valid username and password.  9.408 returns false failures, but I think it works on all other releases.

    Beyond that, I would start checking to see if policies that you want to activate are really turned on for the Filter Profile that is being applied.
    Otherwise I am stumped at the moment.

  • "Group" does populate in our log, Doug, so, Dale, I think you have a problem with the Backend Group definition.

    How does your configuration compare to Configuring HTTP/S proxy access with AD SSO?  Although the article is aimed at Standard mode, 98% of it applies to Transparent mode, too.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
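
Added example, not part of the thread and not Sophos code: a Python check that parses httpproxy access lines in the key="value" layout quoted in the first post and counts requests where a user was resolved with auth="2" (read as AD SSO, per the first reply) but group is empty, grouped by the profile and filter action that were applied. The sample lines are constructed: the first is abridged from the quoted entry, and the group name, second filter action and user 4444 are hypothetical.

```python
import re
from collections import Counter

# key="value" pairs, the layout of the httpproxy line quoted in the first post
FIELD_RE = re.compile(r'([\w-]+)="([^"]*)"')

def parse_fields(line):
    """Return the key="value" pairs of one log line as a dict."""
    return dict(FIELD_RE.findall(line))

def missing_group(fields):
    """User resolved with auth="2" (AD SSO, per the first reply) but group is empty."""
    return (fields.get("auth") == "2" and fields.get("user", "") != ""
            and fields.get("group", "") == "")

def summarize(lines):
    """Count affected requests per (user, ad_domain, profile, filteraction)."""
    hits = Counter()
    for line in lines:
        fields = parse_fields(line)
        if fields.get("name") != "http access":
            continue  # not a web filter access record
        if missing_group(fields):
            hits[(fields["user"], fields.get("ad_domain", ""),
                  fields.get("profile", ""), fields.get("filteraction", ""))] += 1
    return hits

# Constructed sample input. Line 1 is abridged from the entry in the thread;
# lines 2-3 are invented (group "Staff", REF_StaffAction, user 4444 are hypothetical).
SAMPLE = [
    '<30>2017:09:14-12:37:13 router-1 httpproxy[6544]: id="0001" name="http access" '
    'action="pass" srcip="192.168.100.214" user="3333" group="" ad_domain="HANB" '
    'profile="REF_HttProHaWebfilte (HA - Internal LAN ADSSO)" '
    'filteraction="REF_DefaultHTTPCFFBlockAction (HA - Default Filter Action)" auth="2"',
    '<30>2017:09:14-12:38:02 router-1 httpproxy[6544]: id="0001" name="http access" '
    'action="pass" srcip="192.168.100.215" user="4444" group="Staff" ad_domain="HANB" '
    'profile="REF_HttProHaWebfilte (HA - Internal LAN ADSSO)" '
    'filteraction="REF_StaffAction (hypothetical)" auth="2"',
    '<30>2017:09:14-12:39:40 router-1 httpproxy[6544]: id="0001" name="http access" '
    'action="pass" srcip="192.168.100.216" user="" group="" ad_domain="" '
    'profile="REF_HttProHaWebfilte (HA - Internal LAN ADSSO)" '
    'filteraction="REF_DefaultHTTPCFFBlockAction (HA - Default Filter Action)" auth="0"',
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(count, *key, sep=" | ")
```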