
Sophos - OSX & PAC file

Morning,

We currently use a dedicated WA for Apple Mac users with SSO enabled. We are wanting to move to using a PAC file deployment for the Macs.

We currently have a WA / PAC file for Windows OS which works as needed, so I copied the file and changed a couple of details to point to the different appliance. However, upon deploying the PAC file, Safari constantly requests user name and password for authentication.

Is there something that I need to configure elsewhere?

 

Thanks



  • A few questions:

    Are these appliances joined to a management appliance?

    Do you use SSO for Macs, and was it enabled before enabling auth? swa.sophos.com/.../ConfigSysAuthKerberos.html

    Are you using a captive portal?

    In your default authentication profile, do you have "authenticate every request" enabled?

    Have you configured HTTPS scanning?

    Is your environment 100% Mac, or 50/50?

    If you view the logs, are you sure that SSO for Mac is working properly (i.e. the U="-" or U="domain\user\")?

    Reference:

    Authentication KB: community.sophos.com/.../126599

    Proxy config: http://swa.sophos.com/webhelp/swa/tasks/UsersBrowserConfiguration-Safari.html?hl=safari

    (Verify the Sophos test and EICAR tests work.)

  • Are these appliances joined to a management appliance?

    This is a single appliance just used for Mac devices.

    Do you use SSO for Macs, and was it enabled before enabling auth? swa.sophos.com/.../ConfigSysAuthKerberos.html

    SSO is enabled and correctly configured; it is working currently for the Macs.

    Are you using a captive portal?

    Captive portal is disabled.

    In your default authentication profile, do you have "authenticate every request" enabled?

    We currently don't have any profiles set up, just SSO and block access on authentication failure.

    Have you configured HTTPS scanning?

    HTTPS scanning is currently disabled.

    Is your environment 100% Mac, or 50/50?

    100% Mac for this appliance.

    If you view the logs, are you sure that SSO for Mac is working properly (i.e. the U="-" or U="domain\user\")?

    We don't have proper logging enabled, so I will set up an FTP host and turn this on. However, searching through reports, I can locate users using the proxy correctly.

    The issue seems to fall with just using the PAC file.

    Thank you

  • It’s like you were reading my answer sheet, hah. Sounds like you're configured correctly. I'm assuming that when you enter the IP and port 8080 it works.

    The answers to those questions generally rule out appliance configuration. The remaining issues would be the PAC file, the hosting of the file, or routing (i.e. you're double web filtering, or filtering the website that is hosting the PAC file itself).

    Always good to ensure any local IPs are omitted from the proxy, as we don't want to send that traffic to the gateway and have it come back.

    Check out this post and modify the sample to fit your test network. Also included are some other PAC file resources.

    As long as you can set the proxy address manually on port 8080 and go to sophostest.com, click on adult and get a block page, your traffic is hitting the proxy and being filtered.

    Cheers
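
Added example, not part of the original thread and not the sample the reply links to: a PAC file that keeps local addresses and the PAC-hosting server off the proxy, as the last reply advises. The host names `swa.example.internal` and `pac.example.internal` are placeholders; port 8080 is the one mentioned in the thread.

```javascript
// Constructed placeholders (assumptions): substitute your appliance and PAC host.
var PROXY = "PROXY swa.example.internal:8080";
var PAC_HOST = "pac.example.internal";

// Browsers provide the PAC helper functions. These minimal stand-ins are only
// installed when the helpers are missing (e.g. testing the file under Node);
// they understand IPv4 literals only and do no real DNS lookups.
if (typeof isPlainHostName === "undefined") {
  var ipv4 = /^\d+(\.\d+){3}$/;
  var toInt = function (ip) {
    return ip.split(".").reduce(function (acc, o) { return acc * 256 + Number(o); }, 0);
  };
  globalThis.isPlainHostName = function (h) { return h.indexOf(".") === -1; };
  globalThis.dnsResolve = function (h) { return ipv4.test(h) ? h : null; };
  globalThis.isInNet = function (ip, net, mask) {
    if (!ipv4.test(ip)) return false;
    return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
  };
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Unqualified intranet names, loopback and the server hosting the PAC file
  // go direct, so the PAC fetch itself is never filtered by the gateway.
  if (isPlainHostName(host) || host === "localhost" || host === PAC_HOST) {
    return "DIRECT";
  }

  // Private (RFC 1918) and loopback ranges stay off the proxy so local
  // traffic is not sent to the gateway and back.
  var ip = dnsResolve(host);
  if (ip && (isInNet(ip, "10.0.0.0", "255.0.0.0") ||
             isInNet(ip, "172.16.0.0", "255.240.0.0") ||
             isInNet(ip, "192.168.0.0", "255.255.0.0") ||
             isInNet(ip, "127.0.0.0", "255.0.0.0"))) {
    return "DIRECT";
  }

  // Everything else goes to the appliance. There is deliberately no
  // "; DIRECT" fallback, so traffic cannot bypass filtering if the proxy is down.
  return PROXY;
}
```

With this in place, the sophostest.com check from the reply should go through the appliance while intranet hosts connect directly.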