XG Firewall can't even do Windows integrated authentication?!

We're trying to switch over to XG from UTM Home 9.4 after encountering an unresolvable problem which requires us to discontinue use of the product. I decided XG Home might be a good alternative...

Until it became apparent that it can't seem to do an explicit proxy with integrated authentication like the UTM could.

I've looked around, and can only seem to find authentication solutions which require the installation of a client-side piece of software. This is not an option.

So does anybody know whether XG Firewall can handle Windows integrated authentication like UTM 9 could, and if so, can you provide comprehensive instructions on how to set this up? Thanks.



[edited by: Erick Jan at 11:54 PM (GMT -7) on 15 Sep 2022]
  • Hi There,

    Are you using AD in the backend? I'm not in the position to do comprehensive instructions for you, and I'm assuming that when you say Windows authentication you're referring to NTLM, also known as Active Directory SSO in UTM?

    Quite easily achievable on the XG:

    1. Add the Authentication Server "System > Authentication > Authentication Server"

    2. Enable the Authentication Server "System > Authentication > Firewall Authentication Methods"

    3. Enable NTLM for the Zones needed under "System > Administration > Device Access"

    4. Then ensure that the Explicit proxy port you're using is enabled under "Protection > Web Protection > Web Proxy"

    5. Enable User Identity on the User/Network Policy.

    NTLM has become less and less relevant, with most of the internet being HTTPS and some modern devices (tablets and phones) not supporting it.

  • Thank you, this has partially helped me. I think the problem was that I forgot step 3, because I assumed we were using Kerberos rather than NTLM. Is Kerberos also enabled when enabling NTLM? At the moment I'm accessing the proxy with its IP address, but when this moves into production, we'll use a hostname and WPAD file. NTLM might cause problems with hostnames.

    Also, I am unable to force web traffic to be exclusive to the proxy. If I disable the proxy settings, I can still access the web, unauthenticated. Is there any way to prevent this?

    With regards to mobile devices and tablets, this isn't a problem because they connect to a separate wireless SSID which has its own subnet. We still use AD to authenticate mobile devices and tablets here, independently from Sophos XG with WPA2 Enterprise.
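    As an added example (not from this thread or from Sophos), a WPAD/PAC file of the kind the poster plans to deploy: it sends browsers to the explicit proxy by hostname and goes direct only for internal names and private addresses. The proxy name xg-proxy.corp.example.com, port 3128 and the internal domain corp.example.com are assumed placeholders. A PAC file is only a client-side hint; it does not stop a client that turns proxy settings off, so the unauthenticated bypass described above still needs a firewall rule on the XG that blocks direct outbound web traffic from the LAN zone.

```javascript
// Added example PAC file, not from the thread. Assumed placeholders:
// proxy xg-proxy.corp.example.com:3128 and internal domain corp.example.com.
// Plain ES5 so it runs in a browser PAC engine and in Node alike.

// Use the proxy's hostname rather than its IP so clients negotiate against
// the name the browser resolves, as the poster intends for production.
var PROXY = "PROXY xg-proxy.corp.example.com:3128";
var INTERNAL_DOMAIN = "corp.example.com";
var INTERNAL_SUFFIX = "." + INTERNAL_DOMAIN;

// RFC 1918 ranges and loopback as IPv4 literals; no DNS lookup is done here.
var PRIVATE_IP = /^(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3})$/;

// True for hosts that should never be sent through the proxy.
function isInternalHost(host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return true;      // plain single-label name
  if (host === INTERNAL_DOMAIN) return true;
  if (host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return true;
  return PRIVATE_IP.test(host);
}

// Entry point every PAC engine calls for each request.
function FindProxyForURL(url, host) {
  if (isInternalHost(host)) return "DIRECT";
  // Deliberately no "; DIRECT" fallback: a fallback would let clients reach
  // the web unauthenticated whenever the proxy is unreachable.
  return PROXY;
}
```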
