
UTM 9.5 WEB profile

Dear Team,

I have some issues assigning a web usage policy to my network. What I want to do is pretty simple, but I'm still unable to figure it out. Following is my scenario.


01. I have a domain at my network.

02. I have a group in my domain called "internet users" who has internet access.


What I want to do is:

I want to block internet access for everyone except the people in the "internet users" group. Users should not be asked for any authentication; the UTM should check whether they are in the "internet users" group and allow access accordingly.

What I have done is block everything on the base policy (please refer to the A1 image). Then I created a web profile called "internet_allow" and configured it accordingly (please refer to images 1, 2 and 3).

Still, this is not working for me as expected; kindly advise me where I have misconfigured it.


Thanks in advance for all the replies.


Regards

 s



  • Hey Asankag.

    So I take it you are trying to set up Web Protection with Active Directory Authentication, right? First, check this article, as you seem to be missing some steps.

    Some tips: you are using Standard mode with Active Directory SSO. How are you telling your endpoints they should use a proxy? You need to either configure proxy settings manually or through GPO, or use WPAD for automatic configuration. You could also try using transparent mode with authentication, but I would get standard mode working first.

    For the policy, it appears you are applying a filter action named "Deny" to the "Internet_Allow_AD" group. I take it from the name that this filter action denies everything. You should create a new filter policy allowing what you want and change the filter action applied to users inside "Internet_Allow_AD" to this new filter action. That way, authenticated users that are in the group "Internet_Allow_AD" would get this filter action while everyone else would get the base policy.

    Regards,

    Giovani

  • Hi Giovani,


    Many thanks for the reply. I guess that you need some clarifications...

    01. I have configured the proxy on my client PCs manually. I have set the proxy IP as the LAN interface IP of the UTM.

    02. The "Deny" rule doesn't block everything. It just blocks a few categories.

    03. As I have manually configured the proxy, I don't think that I need to use transparent mode. Am I right?


    Question: Do I need to set the default authentication to Active Directory SSO, as I have clearly mentioned the group which has internet access in the "internet_allow" policy?

    Regards

  • The system goes through Web Profiles in order, top to bottom, and finds the first profile with a matching Allowed Network. It then uses that profile. The profile in "Web Filtering" is the base (lowest priority) profile; you can see that as the bottom row in the Web Filter Policies page.

    It makes no sense to have two different Web Filter Profiles with the same Allowed Networks. The lower priority profile will never get used.

    In the highest level profile, set the Default authentication to AD SSO. Do not turn on block on failure.

    Inside that profile, add a policy just like you did.

    Inside that profile, the Base Policy is what is used when nothing else matches; in your case, when the user did not match. Set the filter action to the default content filter block option.

    Test.

    Users that successfully authenticate with AD Single Sign On should hit your filter action deny. Users that fail the SSO should be blocked as the last action.

    Now alternatively turn on the block on failure. Now watch what happens when the AD SSO fails.

    Decide which blocking behavior you like better.

    If it doesn't work, please describe what it is doing. Your first message "not working for me as expected" does not give us much information to work with.
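To make the evaluation order in the reply above concrete, here is an added example (not Sophos' code or configuration, and not from any poster) that models it with constructed data: profiles are tried top to bottom by Allowed Network, then the matched profile's policies are tried by AD group, then its Base Policy applies; the profile names, group name and field names are assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the Web Filter Profiles table, ordered top to bottom.
# Field names and values are assumptions, not Sophos' own configuration format.
PROFILES = [
    {"name": "internet_allow",             # highest priority profile
     "allowed_networks": ["10.0.0.0/24"],
     "default_auth": "ad_sso",
     "block_on_failure": False,
     "policies": [{"group": "Internet_Allow_AD", "action": "Allow_Web"}],
     "base_action": "Block_All"},           # used when no policy matches
    {"name": "Web Filtering (base)",        # bottom row, lowest priority
     "allowed_networks": ["0.0.0.0/0"],
     "default_auth": None,
     "block_on_failure": False,
     "policies": [],
     "base_action": "Block_All"},
]

def select_profile(client_ip, profiles=PROFILES):
    """Return the first profile whose Allowed Networks contain the client IP."""
    ip = ip_address(client_ip)
    for profile in profiles:
        if any(ip in ip_network(net) for net in profile["allowed_networks"]):
            return profile
    return None

def filter_action(client_ip, sso_groups, profiles=PROFILES):
    """Resolve the filter action for one request.

    sso_groups is the list of AD groups returned by SSO, or None when SSO failed.
    """
    profile = select_profile(client_ip, profiles)
    if profile is None:
        return "no_profile"
    # With AD SSO as default authentication, a failed SSO is either blocked
    # outright (block on failure) or treated as a user that matches no policy.
    if profile["default_auth"] == "ad_sso" and sso_groups is None:
        if profile["block_on_failure"]:
            return "Blocked (block on failure)"
        sso_groups = []
    for policy in profile["policies"]:
        if policy["group"] in sso_groups:
            return policy["action"]
    return profile["base_action"]
```

Toggle `block_on_failure` on the first profile to compare the two behaviours the reply describes for a failed SSO.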
  • You will want to follow Configuring HTTP/S proxy access with AD SSO. Also, you might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests." If you would like me to send you this document, PM me your email address. I also maintain a version in German, initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA