This discussion has been locked.

XG not recognising my account as part of an OU

I have set up a web filtering policy and applied it to a firewall rule.

  • When I clear the Match known users checkbox, it blocks me as expected.
  • When I enable the Match known users checkbox and then select my username which has been synchronised using STAS, it blocks me as expected.
  • When I enable the Match known users checkbox and then select the OU I imported from Active Directory which has my account in it, it does not block me. I am definitely a member of the OU I imported from Active Directory.

It seems like the XG doesn't know that I am a member of that OU.

Any ideas?



  • I have read through this article https://community.sophos.com/kb/en-us/123161#Integrate%20Sophos%20Firewall%20with%20AD

    And it sounds like the XG will only ever consider the user part of one group. But I need to configure different web filtering policies for different users, e.g. only Marketing team to access Facebook, block everyone else. Then only allow the finance team to access financial sites, and deny all others.

    How can I achieve this?

  • The Webfilter will request via LDAP if the user is a member of the certain group.
    As long as this is not the primary group (because this is not transmitted via the "member of" request), the webfilter will know that users are members of different groups.

    But in the Sophos authentication menu a user can only be a member of one group. This should be fixed in an upcoming release.

    You configure these settings in the webfilter policy, not in the firewall rule.

     

    Best regards
    Dome
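
The reply above touches on an Active Directory property: a user's primary group is not listed in `memberOf` but is recorded as `primaryGroupID` (a RID appended to the domain SID), and an OU is part of the user's DN rather than a group attribute. The following is an added example, not Sophos code and not from this thread; the directory entry, the DNs and the `GROUP_SIDS` lookup are constructed sample data, and `how_matched` is a hypothetical helper.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid into its S-1-... string form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def primary_group_sid(object_sid: bytes, primary_group_id: int) -> str:
    """Primary group SID = the user's domain SID with primaryGroupID as the RID."""
    domain_part = sid_to_str(object_sid).rsplit("-", 1)[0]
    return f"{domain_part}-{primary_group_id}"

def how_matched(entry: dict, target_dn: str, group_sids: dict):
    """Return which directory fact ties the user to target_dn, or None."""
    target = target_dn.lower()
    if target in (g.lower() for g in entry["memberOf"]):
        return "memberOf"
    pg_sid = primary_group_sid(entry["objectSid"], entry["primaryGroupID"])
    if group_sids.get(target) == pg_sid:
        return "primaryGroupID"          # invisible to a memberOf-only check
    if entry["dn"].lower().endswith("," + target):
        return "OU path in DN"           # an OU is a container, not a group
    return None

# Constructed sample entry (values are illustrative, not from a real domain).
DOMAIN = (21, 1111111111, 2222222222, 3333333333)
SAMPLE = {
    "dn": "CN=Jane Doe,OU=Marketing,OU=All Staff,DC=example,DC=test",
    "memberOf": ["CN=Marketing,OU=Groups,DC=example,DC=test"],
    "primaryGroupID": 513,  # well-known RID of Domain Users
    "objectSid": b"\x01\x05" + (5).to_bytes(6, "big")
                 + struct.pack("<5I", *DOMAIN, 1105),
}
# Constructed lookup of group DN -> SID, as a group objectSid query would give.
GROUP_SIDS = {
    "cn=domain users,cn=users,dc=example,dc=test":
        "S-1-5-21-1111111111-2222222222-3333333333-513",
}

if __name__ == "__main__":
    for dn in ("CN=Marketing,OU=Groups,DC=example,DC=test",
               "CN=Domain Users,CN=Users,DC=example,DC=test",
               "OU=All Staff,DC=example,DC=test"):
        print(dn, "->", how_matched(SAMPLE, dn, GROUP_SIDS))
```

A check that reads only `memberOf` would match the first target and miss the other two, which is why it helps to confirm whether a policy target is a security group or an OU when troubleshooting.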

  • I've now cleared the checkbox on the firewall rule, and only specified the OU under the web filtering rule instead of specifying Anybody.

    When I set it to Anybody, the web filter works. Because I count as Anybody.

    When I set it to OU=All Staff (which I am definitely a member of), web filtering doesn't work.

    I have confirmed my AD servers test connection works from the XG as well.

     

    I have discovered this post https://community.sophos.com/products/xg-firewall/f/authentication/98172/unable-to-use-multiple-ad-groups-for-web-filtering

    Is this true for web filtering and how it works on the XG? This was never the case on the UTM. With UTM I could be very granular with which security groups could access certain resources. Is this a feature missing from XG now? Or could I have the config wrong somehow? What should I check?
