
Unable to use multiple AD groups for web filtering.

We have created two AD groups 'Allow gmail' & 'Allow facebook' and imported both into Sophos. The user U1 is a member of both groups and the primary group is 'Domain Users' in AD. Then we created two separate web filter policies for 'Allow gmail' & 'Allow facebook'. When the user U1 logs on, only the 'Allow gmail' policy is applied and access to facebook is blocked. If we remove U1 from either of the groups, the remaining policy works fine. So, how can we keep U1 a member of multiple AD groups and apply the corresponding web-filter policy for each group?



  • Hi Vinod,

    As per the current XG architecture, AD users can be associated with only one firewall group. When an AD user belongs to multiple groups, XG maps the user's group based on the group order by searching the group list top-down; the first group that matches is considered the user's group and the corresponding group policies are applied to the user. For a detailed understanding, refer to the KB article below.

    Good Luck!!!

    Regards, Ronak.
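To make the top-down matching concrete, here is an added example (not from the thread or from Sophos) that simulates first-match group resolution and audits which users sit in more than one imported group, so the policies of their other groups silently never apply. Group names, users and policy names are constructed.

```python
# Simulates the top-down group matching described above, then audits which users
# are in more than one imported group so their other policies silently never apply.
# Added example: group names, users and policies are constructed, not from Sophos.
from typing import Dict, List, Optional, Tuple

# Constructed: firewall groups in the order they sit in the XG group list (top first).
XG_GROUP_ORDER: List[str] = ["Allow gmail", "Allow facebook", "Domain Users"]

# Constructed: web filter policy attached to each imported group.
GROUP_POLICY: Dict[str, str] = {
    "Allow gmail": "gmail-policy",
    "Allow facebook": "facebook-policy",
    "Domain Users": "default-policy",
}

# Constructed AD memberships; U1 is in both groups, as in the original question.
AD_MEMBERSHIP: Dict[str, List[str]] = {
    "U1": ["Domain Users", "Allow gmail", "Allow facebook"],
    "U2": ["Domain Users", "Allow facebook"],
    "U3": ["Domain Users"],
}

def effective_group(user_groups: List[str]) -> Optional[str]:
    """First group in list order that the user belongs to wins; the rest are ignored."""
    for group in XG_GROUP_ORDER:
        if group in user_groups:
            return group
    return None

def effective_policy(user: str) -> Optional[str]:
    """Policy the user actually gets under first-match semantics."""
    group = effective_group(AD_MEMBERSHIP.get(user, []))
    return GROUP_POLICY.get(group) if group else None

def shadowed_groups(user: str) -> List[str]:
    """Groups the user is in whose policies never apply because an earlier group matched."""
    groups = AD_MEMBERSHIP.get(user, [])
    winner = effective_group(groups)
    return [g for g in XG_GROUP_ORDER if g in groups and g != winner]

def audit() -> Dict[str, Tuple[Optional[str], List[str]]]:
    """Per user: (winning group, shadowed groups). A non-empty list is a membership to clean up."""
    return {u: (effective_group(g), shadowed_groups(u)) for u, g in AD_MEMBERSHIP.items()}

if __name__ == "__main__":
    for user, (winner, shadowed) in audit().items():
        print(f"{user}: applied={winner!r} policy={effective_policy(user)!r} shadowed={shadowed}")
```

Running the audit before applying web policies shows, for each user, which single group XG will use and which memberships will have no effect.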

  • Hi Ronak,

    I have the same problem as Vinod. So, could you please advise any way to do what Vinod describes?

    Thanks,
    Minh

  • Hi Minh,

    In a nutshell, one user can only be associated with one group. So you have to manage them individually.

  • Why is it designed this way? This makes it very restrictive and difficult to apply users to rules when they are part of multiple AD groups. If a user is a member of 10 groups, you can only take advantage of one of the groups they are in? What if the user is sync'd to XG - not showing up on the XG in the group that you need them to be in?

  • In AD I simply created 3 groups (as many as I needed): User / Manager / Administrator.

    Then I added the users to the respective groups. In STAS I set it to only import those three groups, not the user OUs.

    Then my web policies are applied to those groups, so no Facebook etc. for the User group but allowed for Managers etc.

    So between groups, Global Blacklists etc. most users get what they need and I control usage fine. It's quite easy.

    The one I haven't worked out is VPN users as they need to be local users due to the multiple group issue.

  • When you say "Then I added the users to the respective groups." did you add the users to the group in Active Directory or did you add the users to the group via the XG GUI?

  • I added the users to the groups in AD so the XG automatically imports them via STAS and sets the group.

    Then the web policies kick in as they are applied to the groups.

    The only part you might need to monitor is if a user needs an elevation to a new group, as STAS will think he stays in the old one; so you need to remove the user from Users and get them to log out and back in, then STAS picks up the new setting.