
Unable to use multiple AD groups for web filtering.

We have created two AD groups, 'Allow gmail' and 'Allow facebook', and imported both into Sophos. The user U1 is a member of both groups, and the primary group is 'Domain Users' in AD. Then we created two separate web filter policies for 'Allow gmail' and 'Allow facebook'. When the user U1 logs on, only the 'Allow gmail' policy is applied and access to facebook is blocked. If we remove U1 from either of the groups, the remaining policy works fine. So, how can we keep U1 a member of multiple AD groups and apply the corresponding web-filter policy for each group?



  • Hi Vinod,

    As per the current XG architecture, AD users can be associated with only one firewall group. When an AD user belongs to multiple groups, XG maps the user's group based on the group order by searching the group list top-down; the first group that matches is considered the user's group, and the corresponding group policies are applied to the user. For a detailed understanding, refer to the KB article below.

    Good Luck!!!

    Regards, Ronak.

  • Hi Ronak,

    I have the same problem as Vinod. So, could you please advise any way to do what Vinod describes?

    Thanks,
    Minh

  • Hi Minh,

    In a nutshell, one user can only be associated with one group. So you have to manage them individually.

  • Why is it designed this way? This makes it very restrictive and difficult to apply users to rules when they are part of multiple AD groups. If a user is a member of 10 groups, you can only take advantage of one of the groups they are in? What if the user is synced to XG, but is not showing up on the XG in the group that you need them to be in?

  • I think there's a bit of confusion in this. I too thought you got one group, the group your user was mapped to on the XG, and that was it. However, you aren't limited to that.

    I don't know if it is any different if you use NTLM, we exclusively use STAS, but as long as your user is in the group that your firewall rule uses to map to your web policy you can have other AD groups in that policy (as long as you have imported them).

    For example, we've a site with AD groups for Twitter and Youtube access alongside the usual Staff and Student groups. The users all show as being in either Staff or Students in the XG users list. I've imported the Twitter and Youtube AD groups into the XG, and in my web policy I've mapped these two groups to permit the relevant categories before the Staff and Student block lists. In the filter logs I can see the right people being reported in the respective groups.

    I stumbled across this totally unexpectedly - I was pleasantly surprised when I did though.

  • In a firewall rule, the user/group mapping is limited to the user's "Primary Group". This is the first group the user is in when XG gets the list from AD, and can be viewed in the UI.

    Within a Web Policy, the user/group mapping uses all of the AD groups. This is not viewable in the XG UI. So if a user is a member of multiple groups, then when evaluating the web policy from the top rule down, if either group matches, that rule is applied.

    As far as I recall, multiple user/group matching works with NTLM authentication.  I don't recall if it works with Captive Portal.  I think it works with STAS, but I am not 100% sure.

  • FYI : It definitely does work with STAS.

  • In AD I simply created 3 groups (as many as I needed): User / Manager / Administrator.

    Then I added the users to the respective groups. In STAS I set it to only import those three groups, not the user OUs.

    Then my web policies are applied to those groups, so no Facebook etc. for the User group, but allowed for Managers etc.

    So between groups, Global Blacklists etc. most users get what they need and I control usage fine. It's quite easy.

    The one I haven't worked out is VPN users as they need to be local users due to the multiple group issue.

  • When you say "Then I added the users to the respective groups." did you add the users to the group in Active Directory or did you add the users to the group via the XG GUI?

  • Hi Vinod,

    it's very easy to do.

    Generate one proxy policy with different rules.

    For example:

    Rule one, limited to the group STANDARD, with the Activity “limited access” and action allow.

    Rule two, limited to the group FACEBOOK, with the Activities “limited access” & “facebook access” and action allow.

    Rule three, limited to the group GMAIL, with the Activities “limited access” & “gmail access” and action allow.

    Put USER1 in the Active Directory group STANDARD, USER2 in the groups STANDARD and FACEBOOK, and USER3 in STANDARD and GMAIL.

    So USER1 has standard access, USER2 has standard access + Facebook, and USER3 has standard access + Gmail.

    I did a setup like this some hours ago.

    Alexander Fuchs

    IT System Admiral

    IT Technology Senior Evangelist
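To make the difference between the two behaviours concrete (a firewall rule that matches only the user's single mapped group, which is what the original question ran into, versus one web policy whose rules match any of the user's imported groups, as in the setup Alexander describes above), here is a small constructed model. It is added to this thread and is not Sophos code or anything posted by the participants; the imported-group order, the user memberships, the rule names, the activity labels and the default block action at the end of the policy are all assumptions chosen to mirror the examples given in the thread.

```python
"""
Constructed model of the two group-evaluation behaviours described in this
thread.  This is not Sophos code; it only reproduces the behaviour the posts
describe so the difference between the two setups is easy to see.
"""
from dataclasses import dataclass

# Assumption (from the thread): XG maps each user to ONE group by walking the
# imported group list top-down and taking the first group the user belongs to.
IMPORTED_GROUPS = ["STANDARD", "FACEBOOK", "GMAIL"]

# Constructed users and their AD group memberships (Alexander's example).
USERS = {
    "USER1": {"STANDARD"},
    "USER2": {"STANDARD", "FACEBOOK"},
    "USER3": {"STANDARD", "GMAIL"},
}


def primary_group(user_groups, imported_groups=IMPORTED_GROUPS):
    """Firewall-rule style mapping: the first imported group the user is in."""
    for group in imported_groups:
        if group in user_groups:
            return group
    return None


def firewall_rule_match(user_groups, firewall_rules, imported_groups=IMPORTED_GROUPS):
    """Firewall rules see only the single mapped group, so at most one of
    several per-group rules can ever match a user.  `firewall_rules` is an
    ordered list of (rule_name, group) pairs, evaluated top-down."""
    mapped = primary_group(user_groups, imported_groups)
    for rule_name, group in firewall_rules:
        if group == mapped:
            return rule_name
    return None


@dataclass(frozen=True)
class WebRule:
    group: str             # AD group the rule is limited to
    activities: frozenset  # activities (category sets) the rule covers
    action: str = "allow"


# Alexander's single proxy policy; rules are evaluated top-down.
WEB_POLICY = [
    WebRule("STANDARD", frozenset({"limited access"})),
    WebRule("FACEBOOK", frozenset({"limited access", "facebook access"})),
    WebRule("GMAIL", frozenset({"limited access", "gmail access"})),
]

ACTIVITIES = ("limited access", "facebook access", "gmail access")


def evaluate_web_policy(user_groups, activity, policy=WEB_POLICY, default="block"):
    """Web-policy style evaluation: every AD group of the user is considered,
    and the first rule whose group AND activity both match decides.  Falls
    through to the policy's default action (assumed 'block') otherwise."""
    for rule in policy:
        if rule.group in user_groups and activity in rule.activities:
            return rule.action
    return default


def access_matrix(users=USERS, policy=WEB_POLICY, activities=ACTIVITIES):
    """Resulting action for each user/activity pair; useful for reviewing a
    policy before rolling it out."""
    return {
        user: {act: evaluate_web_policy(groups, act, policy) for act in activities}
        for user, groups in users.items()
    }


if __name__ == "__main__":
    # The original question's setup: two policies, each attached through a
    # firewall rule to one group.  U1 is in both groups, but only one rule
    # can ever match because the firewall rule sees a single mapped group.
    vinod_groups = ["Allow gmail", "Allow facebook"]
    u1 = {"Allow gmail", "Allow facebook"}
    rules = [("policy: Allow gmail", "Allow gmail"),
             ("policy: Allow facebook", "Allow facebook")]
    print("U1 mapped group:", primary_group(u1, vinod_groups))
    print("U1 firewall rule:", firewall_rule_match(u1, rules, vinod_groups))

    # Alexander's setup: one policy whose rules match any of the user's groups.
    for user, row in access_matrix().items():
        print(user, row)
```

Running the block prints that U1 is mapped to 'Allow gmail' and only the gmail rule matches, exactly the symptom in the original question, while the access matrix for Alexander's single policy shows USER2 getting Facebook and USER3 getting Gmail on top of standard access. Rule order still matters in the second model: a rule placed above the group-specific ones that covers the same activity would win for every user in its group, so review the matrix whenever rules are reordered.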