
SATC and Web Filter Issues

We have a Server 2016 remote desktop server that I have installed the SATC onto to try and get the web filter on our Sophos XG working for the RDS workers.

 

I can see users authenticating in the Live Users list on the XG and they are marked as Thin Client users coming from the RDS IP address.

 

When I enable the web filtering rule, any web request is blocked instantly (I've had to temporarily put in a bypass rule at the top of the firewall policies to avoid impacting users).

 

We have 5 web filtering rules which should be getting activated when we try and browse the web without the bypass in place which ties into the Groups for web access (Allow All Web etc.)

 

These 5 rules work for non-RDS users; it just seems to be affecting anything using the RDS/SATC setup.

 

Any help appreciated!



  • Hi  

    Could you please try the below configuration?

    1. Create a source IP based firewall rule for Server and do not apply any policy on the rule.

    2. Create a second firewall rule just below the above rule and with "Match Known user" and apply all content filtering.

    Please check and let me know.

  • Thanks for the response.

     

    Just to clarify:

     

    Two new rules, the top one being: Source Zone = LAN, Source Device = RDS, Destination = WAN and no other settings set

    Below this, a rule matching the above source and destination but with the content control for each web filtering group (so for example we have: All Web Access, Restricted Web Access, No Web Access)

     

    Have I got that right?

  • Hi  

    First Firewall Rule > No Source LAN, No Source IP, same for WAN, Enable "Match known user" and select the SATC users and their respective web and app policies.

    Second Firewall rule > Source LAN, Source Device - RDS. Destination WAN and Apply MASQ and no other settings.

    The rule Order should be as below.

    Match known user rules should be on top; below this the RDP rule should be placed.

  • Hi,

     

    Sorry you've confused me somewhat, I can't make a firewall rule with No Source/Destination?

  • Maybe I got your request wrong, but: if you are talking about service RDS, you are "not" on the Terminal service in this step, isn't it?

    Client builds up an RDS session to TS.

    TS spawns the instances and SATC authenticates this instance with Username "Client" to XG.

    "Client" builds an HTTPS connection to the Internet.

     

    Firewall Rule: 

    Client (IP or STAS etc.) allow RDS to TS.

    "Client" (Username in SATC) allow HTTPS to the Internet.

  • That's essentially right yes.

    So for example, User1 connects to the RDS server (this bit obviously works fine) and uses that for all work. SATC is installed on this RDS server and I can see User1 authenticating in the Live Users area as a "Thin Client" user from the RDS IP address, but when I enable the web filtering rules I already had in place, all web access is blocked regardless of the user's group membership.

  • Hi,

     

    I've tried that Chrome fix but no help I'm afraid, in fact it affects any browser on the RDS.

    Users can connect to the RDS fine; it's just when they try and browse the Internet or connect to anything Internet-based (Office 365) that they get blocked.

     

  • Let's wrap this up: They cannot access the internet, but other traffic works fine?

    So if you allow certain users to use ICMP, they can do it? 

    Does the proxy work for other clients? 

    Could you please post a screenshot of the Firewall rule, matching for those users? 

    Please post a screenshot of a block page. 

  • Apologies for the delay, I had to schedule in a reboot of the XG itself as it stopped logging traffic.

     

    Normal traffic works fine on the RDS, but Internet browsing is blocked. If I set the firewall so it incorrectly blocks web traffic, users can still use ICMP.

     

    The web filter works for clients that don't use the RDS, they authenticate fine using their Heartbeat and web filtering is applied normally.

     

    I've attached some screenshots of the rule we use to allow certain users to use the Internet regardless (i.e. Web access is allowed but nothing is blocked for admin use) and below those is the block page that appears regardless of the website you go to and which group you are a member of. We have other rules which match users to their respective web access group (restricted, no access etc.)