This discussion has been locked.

Unable to use multiple AD groups for web filtering.

We have created two AD groups, 'Allow gmail' and 'Allow facebook', and imported both into Sophos. The user U1 is a member of both groups, and the primary group is 'Domain Users' in AD. Then we created two separate web filter policies for 'Allow gmail' and 'Allow facebook'. When the user U1 logs on, only the 'Allow gmail' policy is applied and access to facebook is blocked. If we remove U1 from either of the groups, the remaining policy works fine. So, how can we keep U1 a member of multiple AD groups and apply the corresponding web-filter policy for each group?



  • I think there's a bit of confusion in this. I too thought you got one group, the group your user was mapped to on the XG, and that was it. However, you aren't.

    I don't know if it is any different if you use NTLM, we exclusively use STAS, but as long as your user is in the group that your firewall rule uses to map to your web policy you can have other AD groups in that policy (as long as you have imported them).

    For example, we've a site with AD groups for Twitter and Youtube access alongside the usual Staff and Student groups. The users all show as being in either Staff or Students in the XG users list. I've imported the Twitter and Youtube AD groups into the XG, and in my web policy I've mapped these two groups to permit the relevant categories before the Staff and Student block lists. In the filter logs I can see the right people being reported in the respective groups.

    I stumbled across this totally unexpectedly - I was pleasantly surprised when I did though.

  • In a firewall rule, the user/group mapping is limited to the user's "Primary Group". This is the first group the user is in when XG gets the list from AD, and can be viewed in the UI.

    Within a Web Policy, the user/group mapping uses all of the AD groups. This is not viewable in the XG UI. So if a user is a member of multiple groups, then when evaluating the web policy from the top rule down, if either group matches, that rule is applied.

    As far as I recall, multiple user/group matching works with NTLM authentication.  I don't recall if it works with Captive Portal.  I think it works with STAS, but I am not 100% sure.
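The two matching behaviours described in the reply above, as an added example that is not part of the original thread or Sophos' own code: a small Python model in which a firewall rule sees only the user's primary group, while a web policy is evaluated top-down and a rule applies if any of the user's AD groups is listed on it. The user, group, policy and category names are constructed to mirror the original question; the rule layout is an assumption, not a transcript of the XG configuration.

```python
# Added example (not Sophos code): models the group matching described in the thread.
# Group names, categories and the rule ordering are constructed for illustration.
from dataclasses import dataclass


@dataclass
class User:
    name: str
    primary_group: str   # the only group a firewall rule can match on (per the reply)
    groups: list         # all AD group memberships, including the primary group


@dataclass
class WebRule:
    groups: list         # AD groups this rule is mapped to
    categories: list     # web categories the rule covers
    action: str          # "allow" or "block"


def firewall_rule_matches(rule_group: str, user: User) -> bool:
    """A firewall rule's user/group mapping only considers the primary group."""
    return user.primary_group == rule_group


def web_policy_decision(rules: list, user: User, category: str, default: str = "allow") -> str:
    """Evaluate a web policy from the top rule down.

    A rule applies when the requested category is covered by it AND at least one
    of the user's AD groups is mapped to it. The first applicable rule wins; if
    nothing matches, the policy's default action is returned.
    """
    for rule in rules:
        if category in rule.categories and any(g in rule.groups for g in user.groups):
            return rule.action
    return default


# Constructed data mirroring the question: U1 is in both allow groups,
# primary group 'Domain Users'; U2 is an ordinary domain user.
U1 = User("U1", "Domain Users", ["Domain Users", "Allow gmail", "Allow facebook"])
U2 = User("U2", "Domain Users", ["Domain Users"])

# One web policy holding both allow rules ABOVE the general block rule
# (the arrangement the replies describe). Category names are assumptions.
SINGLE_POLICY = [
    WebRule(["Allow gmail"], ["Web-based Email"], "allow"),
    WebRule(["Allow facebook"], ["Social Networking"], "allow"),
    WebRule(["Domain Users"], ["Web-based Email", "Social Networking"], "block"),
]

# The same rules with the block rule placed first: top-down evaluation means
# the allow rules are never reached, so ordering is what decides the outcome.
BLOCK_FIRST_POLICY = [SINGLE_POLICY[2], SINGLE_POLICY[0], SINGLE_POLICY[1]]


def evaluate_all(rules: list, user: User) -> dict:
    """Decision for each category the policy mentions, for quick comparison."""
    categories = sorted({c for r in rules for c in r.categories})
    return {c: web_policy_decision(rules, user, c) for c in categories}


if __name__ == "__main__":
    # A firewall rule keyed on 'Allow gmail' never matches U1: primary group only.
    print("firewall rule 'Allow gmail' matches U1:", firewall_rule_matches("Allow gmail", U1))
    print("firewall rule 'Domain Users' matches U1:", firewall_rule_matches("Domain Users", U1))
    print("U1 under single policy:", evaluate_all(SINGLE_POLICY, U1))
    print("U2 under single policy:", evaluate_all(SINGLE_POLICY, U2))
    print("U1 with block rule first:", evaluate_all(BLOCK_FIRST_POLICY, U1))
```

Run it as a script to see the three cases side by side: the firewall rule keyed on a secondary group never fires for U1, a single web policy with both allow rules above the block rule grants U1 both categories while U2 is blocked, and moving the block rule to the top removes both exceptions. The last case is the one worth checking in the filter logs after any reordering, since a misplaced block rule silently overrides every group exception below it.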

  • FYI: It definitely does work with STAS.
