UTM 9.5 WEB profile

Question

Dear Team, 
 I have some issues assigning a web usage policy to my network. what I want to do is pretty simple, still I'm unable to figure it out. Following is my scenario. 
 
 01. I have a domain at my network. 
 02. I have a group in my domain called "internet users" who has internet access. 
 
 what I want to do is, 
 I want to block internet access to everyone except for the people in the "internet users" group. users should not ask for any authentication and UTM should check that whether they are in the "internet users" group and allow access accordingly. 
 what I have done is I have blocked all on the base policy (please refer to the A1 image). then I created a web profile called "internet _allow" and configured it accordingly. (please refer images -1,2,3). 
 Still this not working for me as expected, kindly advice me where I have mis-configured. 
 
 Thanks in advance for all the reply's. 
 
 Regards 
 s

Michael Dunn · Accepted Answer

The system goes though Web Profiles in order, top to bottom, and finds the first profile with a matching Allowed Network. It then uses that profile. The profile in "Web Filtering" is the base (lowest priority) profile - you can see that as the bottom row in the Web Filter Policies page. 
 
 It makes no sense to have two different Web Filter Profiles with the same Allowed Networks. The lower priority profile will never get used. 
 
 In the highest level profile, set the Default authentication to AD SSO. Do not turn on block on failure. 
 
 Inside that profile, add a policy just like you did. 
 
 Inside that profile, the Base Policy is what is used when nothing else matches - in your case when the user did not match. Se the filter action to the default content filter block option. 
 
 Test. 
 
 Users that successfully authenticate with AD Single Sign On should hit your filter action deny. Users that fail the SSO should be blocked as the last action. 
 
 Now alternatively turn on the block on failure. Now watch what happens when the AD SSO fails. 
 
 Decide which blocking behavior you like better.

If it doesn't work, please describe what it is doing. You first message "not working for me as expected" does not give us much information to work with.

BAlfson · Answer

You will want to follow Configuring HTTP/S proxy access with AD SSO . Also, you might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests." If you would like me to send you this document, PM me your email address. I also maintain a version auf Deutsch initially translated by fellow member hallowach when he and I did a major revision in 2013. 
 Cheers - Bob