Unable to use multiple AD groups for web filtering.

Question

We have created two AD groups 'Allow gmail' & 'Allow facebook' and imported both into Sophos. The user U1 is the member of both groups and the primary group is 'Domain Users' in AD. Then we created two separate web filter policies for 'Allow gmail' & 'Allow facebook'. When the user U1 logon only the 'Allow gmail' is applied and access to facebook is blocked. If we remove U1 from either of the groups, the remaining policy works fine. So, How can keep U1 member of multiple AD groups and apply the corresponding web-filter policy for each group.

This thread was automatically locked due to age.

M8ey · Answer

I added the users to the groups in AD so the XG automatically imports them via STAS and sets group. 
 
 Then the web policies kick in as they are applied to the groups. 
 The only part you might need to monitor is if a user needs an elevation to a new group as STAS will think he stays in the old so you need to remove the user from Users and get them to log out and back in then STAS picks up the new setting.

Ronak Sheth · Answer

Hi Vinod, 
 As per the current XG architectur, AD users can bee associate with any one single firewall group. When an AD user belong to multiple groups, XG map the user's group based on the group's order by searching the group list following the top-down approach, the first group that matches is considered the user's group and the corresponding group policies are applied to the user. For detail understanding refer below KB article. 
 
 Good Luck!!! 
 Regards, Ronak.

Aditya Patel · Answer

Hi Minh , 
 
 In an nutshell, one user can only be associated with one group . So you have to manage them individually.

Michael Dunn · Answer

In a firewall rule, the user/group mapping is limited to the user's "Primary Group". This is the first group the user is in when XG gets the list from AD, and can be viewed in the UI. 
 Within a Web Policy, the user/group mapping uses all of the AD groups. This is not viewable in the XG UI. So if a user is a member of multiple groups when evaluating the web policy from the top rule down if either group matches then the rule is applied. 
 As far as I recall, multiple user/group matching works with NTLM authentication. I don't recall if it works with Captive Portal. I think it works with STAS, but I am not 100% sure.