Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 0 subscribers
  • Views 5071 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WebAppliance - Users authenticating with IP address rather than usernames.

Eastleigh-BC

We have a handful of people that are having web requests authenticated by IP addresses rather than usernames. We are led to believe that this is nothing to do with the appliance, but wondered if anyone else had come across this?

We have a few hundred users, using Windows and IE. Most people are authenticating to the appliance by username, meaning that the policies defined for their username or AD groups that they belong to are applying OK.

We have a handful of users that are authenticating by IP address, meaning that policies aren't applying and reports are inacurate.

We are not aware of any differences in the PC config or the users AD settings and we beleive that all users are having the same AD policies apply.

Any ideas where we might look?

:41479


This thread was automatically locked due to age.
Parents
  • 0
     

    Just a thought... Perhaps it's an Application that is running on the machine/s in question? - The application may support web proxies (If that's how you've configured the client access) but do not support proxy authentication, and is therefore not sending the NTLM credentials of the logged on user.

    Sophos will then report that it sees the machines IP and not the user.

    Running a NETSTAT command on the source computers may help you. E.g.

    netstat -ano

    netstat -ao

    These will show you the PID (Process ID) of the running processes (which you can then compare in Task Manager)  and you can in-turn compare the destination addresses reported in Sophos Vs the output of the netstat command.

    I know it's a pain. This is the reason for me raising a recent feature request to have far better logging and reporting in the Web Appliance console.

    We are currently using our ISA / TMG server to give us an insight as to what the traffic is doing and then amend the Sophos Web Appliance from there. Often its a case of adding an Applications User Agent string into the Appliance.

    Your case may be something completely different though. So just a thought...

    Good luck!

    John

    :42404
Reply
  • 0
     

    Just a thought... Perhaps it's an Application that is running on the machine/s in question? - The application may support web proxies (If that's how you've configured the client access) but do not support proxy authentication, and is therefore not sending the NTLM credentials of the logged on user.

    Sophos will then report that it sees the machines IP and not the user.

    Running a NETSTAT command on the source computers may help you. E.g.

    netstat -ano

    netstat -ao

    These will show you the PID (Process ID) of the running processes (which you can then compare in Task Manager)  and you can in-turn compare the destination addresses reported in Sophos Vs the output of the netstat command.

    I know it's a pain. This is the reason for me raising a recent feature request to have far better logging and reporting in the Web Appliance console.

    We are currently using our ISA / TMG server to give us an insight as to what the traffic is doing and then amend the Sophos Web Appliance from there. Often its a case of adding an Applications User Agent string into the Appliance.

    Your case may be something completely different though. So just a thought...

    Good luck!

    John

    :42404
Children
No Data
Unfiltered HTML