Webfilter based on AD-Groups only working if I add the AD-Group into "Prefetch Directory Users"

Hi there,

I'm having some issues configuring the Web Protection on our UTMs running 9.506-2.

I have configured the AD-SSO and joined the Domain, the option "Enable AD group membership background sync" is also active and working properly.

I have created a Web Filter Profile in transparent mode listening to our internal Networks, on the tab Policies I've created some policies based on AD-Group Membership.

The authentication is working, the users are recognized but they aren't assigned to the group until I add the group into "Prefetch Directory Users". I don't know if it's an intended behavior, is it? I don't really need the user objects in the UTM.

If I check the policy under Policy Helpdesk it seems to be working, but it isn't.

Any ideas? Maybe I'm completely wrong in my understanding of how this should work.

Best Regards,

Alberto Mancheño.



This thread was automatically locked due to age.
  • Hallo Alberto - first I've seen you post here - welcome to the UTM Community!

    You only should need to select 'Enable AD group membership background sync' and not sync the user objects unless #6 in Rulz applies.  I would delete the unnecessary users from the UTM.

    Sometimes the join between the UTM and AD "sours" and has to be redone.  Try un-joining on the 'Single Sign-On' tab by using incorrect credentials, then use correct credentials to rejoin.  Any luck with that?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    thank you for your work here. Re-joining the domain didn't work, the UTM still doesn't recognize the group membership of the users unless the groups are prefetched. We definitely are only syncing the groups when we need a user object (OTP users, VPN users, Webadmin).

    We do have this issue on our 4 UTM (SG210 and SG105) all running the same FW Version 9.506-2.

    I'm also getting some other errors in the webfilter log:

    2017:12:22-07:14:34 red-1 httpproxy[6062]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="587" message="reloading config"

    2017:12:22-08:24:45 red-1 httpproxy[29963]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xda83ec00" function="ssl_raw_read" file="ssl.c" line="769" message="SSL_ERROR_SYSCALL: ret=-1 error=Connection reset by peer"

    2017:12:22-08:29:56 red-1 httpproxy[29963]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="plain_write_vector" file="epoll.c" line="1117" message="Write error on the epoll handler 350 (Connection refused)"

    2017:12:22-08:33:45 red-1 httpproxy[29963]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="587" message="reloading config"

    2017:12:22-08:38:51 red-1 httpproxy[29963]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xda648000" function="fileextension_scan" file="fileextensionscanner.c" line="150" message="error converting file name to utf-8 from x-user-defined: Conversion from character set 'x-user-defined' to 'UTF8' is not supported"

    Could those errors be the problem? I can't really tell what they mean.

    (I'll be back at work in January, so don't be mad if I don't answer you until then)

    I wish you all a happy Christmas and a happy new year!
    Best regards,

    Alberto.
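The httpproxy lines quoted above are one fixed header followed by key="value" pairs, so they can be parsed mechanically instead of read by eye. The following is an added example (not code from the thread or from Sophos) that parses that format, counts lines per function, and pulls out the ones whose message mentions an error; the sample input is the five log lines from the post above, and the "noteworthy" heuristic (message contains "error") is an assumption of this example, not a UTM convention.

```python
import re
from collections import Counter

# Sample input: the five httpproxy log lines quoted in the post above.
SAMPLE_LOG = """
2017:12:22-07:14:34 red-1 httpproxy[6062]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="587" message="reloading config"
2017:12:22-08:24:45 red-1 httpproxy[29963]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xda83ec00" function="ssl_raw_read" file="ssl.c" line="769" message="SSL_ERROR_SYSCALL: ret=-1 error=Connection reset by peer"
2017:12:22-08:29:56 red-1 httpproxy[29963]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="plain_write_vector" file="epoll.c" line="1117" message="Write error on the epoll handler 350 (Connection refused)"
2017:12:22-08:33:45 red-1 httpproxy[29963]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="587" message="reloading config"
2017:12:22-08:38:51 red-1 httpproxy[29963]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xda648000" function="fileextension_scan" file="fileextensionscanner.c" line="150" message="error converting file name to utf-8 from x-user-defined: Conversion from character set 'x-user-defined' to 'UTF8' is not supported"
"""

# Header: "YYYY:MM:DD-HH:MM:SS host process[pid]: <key=value pairs>"
HEADER_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<rest>.*)$'
)
# key="value" pairs; the value may contain spaces, '=' and escaped quotes.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_line(line):
    """Return a dict for one httpproxy line, or None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "host", "proc")}
    rec["pid"] = int(m.group("pid"))
    rec.update(dict(KV_RE.findall(m.group("rest"))))
    return rec


def parse_log(text):
    """Parse every recognisable line; blank or foreign lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def count_by_function(records):
    """How many lines each proxy function emitted (severity is always
    'info' in this sample, so function/message is what separates noise
    such as config reloads from things worth a closer look)."""
    return Counter(r.get("function", "?") for r in records)


def noteworthy(records):
    """Heuristic used by this example: lines whose message mentions an error."""
    return [r for r in records if "error" in r.get("message", "").lower()]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for fn, n in count_by_function(recs).most_common():
        print(f"{n:3d}  {fn}")
    print()
    for r in noteworthy(recs):
        print(f"{r['ts']} {r['function']} ({r['file']}:{r['line']}): {r['message']}")
```

Run against the sample, the summary shows two config reloads, one TCP reset seen during an SSL read, one write failure on an epoll handler, and one filename character-set conversion the scanner cannot do. Nothing in these five lines mentions authentication or group lookup, which is a useful thing to know before spending time on them; the same parser can be pointed at the full web filter log to see whether lines from the authentication path appear around the time a user's policy fails to match.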
  • Keine Ahnung !  I would definitely get Sophos Support involved, Alberto.

    Best wishes for the Holiday Season to all, too!

    Cheers - Bob
