[9.200][DUPE] Are WAF and AD SSO Transparent Mode Mutually Exclusive?

Carrying on with my testing of 9.2 features, I recieved this warning when I tried to activate the WAF.

"Cannot enable Web Application Firewall when one or more Web Filter Profiles are using ActiveDirectory SSO in transparent mode."

Is the WAF and and AD/SSO Transparent Mode operation mutually exclusive? Is the reverse also true? With WAF enabled the UTM cannot run AD/SSO in Transparent Mode?

Cheers [:)]

0 AzRoN over 11 years ago

Currently yes it is.

The transparent AD-SSO implementation uses some redirections of client requests to then turn it into an 'explicit/standard' request so the UTM can authenticate.. however this intercepts 80 and/or 443 traffic... on all interfaces it seems.

SSL-VPN can still work!  but the WAF and AD-SSO in Transparent mode are incompatible when both enabled.

As such, when one is on, the other will complain when you attempt to also turn on the alternative function.

Apparently it'll be fixed in a future version.  Unsure of the mantis.

UPDATE: this link is worth a read!  https://community.sophos.com/products/unified-threat-management/astaroorg/f/81/t/65615

==

When in doubt, Script it out.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Michael Dunn over 11 years ago

Actually, the issue is that WAF has an exclusive lock on all interfaces, including loopback. When we start using AD SSO in transparent mode, some parts of WAF stop working (I don't know the details).

The problem is within WAF, which is why the Web Protection team (who did AD SSO) could not resolve it for 9.2 release. The teams will be working together to come up with a solution in a future release.

Mantis 30736
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel