The sync of user groups and removing users and groups in Active Directory should also reflect in ASG.
Daniel, This actually is done in Astaro, but in different ways. For SSO, the object synced to the Astaro isn't consulted. Instead, direct queries to AD are cached for five (maybe 15?) minutes by the proxy.
If you want users created in Astaro from the AD to be synced with changes in AD, I think that only happens if you configure syncing on the 'Advanced' tab. I don't think Astaro will delete a user no longer in AD. It might change the user to "Inactive" though if the user has been de-activated in AD.
Cheers - Bob
Sorry for any short responses! Posted from my iPhone.
Because a function so useful and of great request by the community does not receive attention for Astaro? Other models of appliance as SonicWall and FortiNet implement this function ... date to be implemented in ASG? [:(]
Web Security: Transparent Proxy with Transparent Authentication (SSO)
It is so easy, and so much more functional to do AD-SSO in Standard mode, I don't understand why anyone would want this, Daniel. Do you have a customer insisting they only want the limited functionality offered by the Transparent mode?
Cheers - Bob
Sorry for any short responses! Posted from my iPhone.
Hey - I'll add my $.02 to this discussion for what it is worth. It will take a little explaining, so It will be a little lengthy. Here it goes:
All devices being equal, I would agree with Bob's viewpoint (AD/eDir SSO has far greater functionality and utility value with standard mode, so why would you want to do it in transparent mode?)
However, all devices are not equal - specifically the new generation of mobile devices. We have recently had an influx of Apple IOS devices (iPads, iPhones, iPods), and these devices with IOS 5 and up DO NOT cooperate at all with proxy settings. While Apple did provide an OS level proxy setting, MANY (and I mean probably the majority) of the apps DO NOT heed this proxy setting and will attempt to communicate over good old port 80 or 443. This makes standard mode useless for these devices (unless setting up a gazillion static addresses and making tons of firewall exception rules is your idea of fun). I have heard (but have no firsthand experience) that Android OS devices behave in a similar fashion.
My only recourse to make these work on our school network and still be able to filter them is to make a separate wireless subnet and then place that in transparent mode. The obvious disadvantage is all the loss of user based logging capabilities unless authenticated as well as a reliable user authentication method (transparent mode only allows the browser-based pop-up with a "countdown timer" and client mode authentication. Since there is no Astaro client for IOS, we are left with the browser authentication. I attempted to use this, but the countdown timer is impractical for use in a K-12 school district. Set it too short and it is annoying and disrupts classroom activities. Set it too long and you are at risk of having the device change hands and grant the next user rights levels of the previous (do I need to go into the problems that could ensue if a student picked up an iPad that still had a teacher/administrator countdown active on its IP address).
Anyway - sorry for the long-winded post, but I think it illustrates why some of us feel the need for a SSO or a better authentication method for transparent proxy (I'd be happy with an IOS client app for Astaro). These devices are gaining wildly in popularity (especially in schools!) and are not going to go away - just increase in numbers.
Scoob, what advantage would AD-SSO offer in those scenarios over Transparent with Authentication set to something like 40000 seconds?
Cheers - Bob
