Sophos Firewall

Discussions XG not recognising my account as part of an OU

Sophos Firewall requires membership for participation - click to join

Thread Info

State Not Answered
Locked Locked
Replies 3 replies
Subscribers 27 subscribers
Views 3288 views
Users 0 members are here

Options

Suggested

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG not recognising my account as part of an OU

S248 over 7 years ago

I have set up a web filtering policy and applied it to a firewall rule.

When I clear the Match known users checkbox, it blocks me as expected.
When I enable the Match known users checkbox and then select my username which has been synchronised using STAS, it blocks me as expected.
When I enable the Match known users checkbox and then select the OU I imported from Active Directory which has my account in it, it does not block me. I am definitely a member of the OU I imported from Active Directory.

It seems like the XG doesn't know that i am a member of that OU.

Any ideas?

This thread was automatically locked due to age.

Parents

0 S248 over 7 years ago

I have read through this article https://community.sophos.com/kb/en-us/123161#Integrate%20Sophos%20Firewall%20with%20AD

And it sounds like the XG will only ever consider the user part of one group. But I need to configure different web filtering policies for different users, e.g. only Marketing team to access facebook, block everyone else. Then only allow the finance team to access financial sites, and deny all others.

How can i achieve this?
Cancel
Vote Up 0 Vote Down

Cancel
0 DomeP over 7 years ago in reply to S248

The Webfilter will request via LDAP if the user is member of the certain group.
As long as this is not the primary group (because this is not transmittet via the "member of" request) the webfilter will know that users are member of different groups.

But in the Sophos authetication menu a user can only be member of one group. This schould be fixed in an upcoming release.

You configure these settings in the webfilter policy, not in the firewall rule.

MFG
Dome
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 DomeP over 7 years ago in reply to S248

The Webfilter will request via LDAP if the user is member of the certain group.
As long as this is not the primary group (because this is not transmittet via the "member of" request) the webfilter will know that users are member of different groups.

But in the Sophos authetication menu a user can only be member of one group. This schould be fixed in an upcoming release.

You configure these settings in the webfilter policy, not in the firewall rule.

MFG
Dome
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 S248 over 7 years ago in reply to DomeP

I've now cleared the checkbox on the firewall rule, and only specified the OU under the web filtering rule instead of specifying Anybody.

When i set it to Anybody, the web filter works. Because i count as Anybody.

When i set it to OU=All Staff (which i am definitely a member of), web filtering doesn't work.

I have confirmed my AD servers test connection works from the XG as well.

I have discovered this post https://community.sophos.com/products/xg-firewall/f/authentication/98172/unable-to-use-multiple-ad-groups-for-web-filtering

Is this true for web filtering and how it works on the XG? This was never the case on the UTM. With UTM I could be very granular with which security groups could access certain resources. Is this a feature missing from XG now? Or could i have config wrong somehow? What should i check?
Cancel
Vote Up 0 Vote Down

Cancel