
Web Protection - SSO Transparenter Modus

Hello dear community,

I know there are already several threads on this topic, but they did not really help me, since some of them are also a few years old.

I am currently running a Sophos UTM with version 9.603-1 in our company. My goal was to configure the proxy via SSO AD authentication so that I can create security groups in AD and restrict access to certain websites at the user level.

I was able to integrate the Sophos into my domain without any problems, and all tests work fine. DNS name resolution of the Sophos by FQDN also works in both directions on my test clients, which are of course also members of the domain.

What I have tried so far:

Under Web Protection -> Web Filter Profiles I created a new profile, dragged the respective test clients into the allowed networks, enabled Transparent Mode and enabled AD SSO authentication. I also ticked "block access on authentication failure". In the HTTPS settings I set Decrypt and Scan.

Then I created a new policy and added only the security group with my test users that I had previously configured in AD.

Finally, I created a filter action that allows everything for now.

When I now log on to one of the clients with a user from the security group, the proxy does not recognize the AD logon. In the Web Filter live log, user="" and group="" are also empty.

What am I still doing wrong?



  • I use Standard Mode with AD SSO authentication, and it works. The authentication process is triggered by the proxy sending a statuscode="407" response, asking for credentials. This response has no username or domain. Sometimes it will appear more than once. When authentication completes, the browser sends the request again, the proxy lets the request through, and the log entry returns the status code from the intended server including username and domain. From your report, I guess you are never seeing username or domain in the logs, but I wanted you to understand that some entries with missing usernames will be normal.

    (I also use Transparent Mode, but I use it with Authentication=None.)

    The article has some useful detail about the expected message exchange for Transparent mode.

    community.sophos.com/.../120666

    Are you using a bridge-mode connection? There is a known limitation that Bridge Mode prevents Transparent Mode AD SSO from working correctly. I tried to find the KB article, but I was not successful. This entry in the Ideas list has responses with two possible workarounds, which I have not read.

    https://ideas.sophos.com/forums/17359-sg-utm/suggestions/3344386-enable-transparent-use-in-bridged-mode?edit=1

    This link on Transparent Mode may also provide some help:

    https://community.sophos.com/kb/en-us/120791

    In particular, this section:

    • SSO Authentication in Transparent Mode may fail due to an internal LAN resource (the UTM) being treated as a public URL. To resolve this issue, follow the steps in Browser configuration (Windows).
    • If an authentication event is not generated from a machine, the user will not be detected and an authentication failure event will not be triggered. Therefore, the user's traffic will match the web policy from top to bottom, and the policy without authentication will control the user's traffic to allow or deny.
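The reply above makes a diagnostic point that is easy to get wrong when reading the Web Filter live log: a statuscode="407" entry with user="" is the proxy's challenge and is normal, so the question is whether a client ever produces a follow-up request that carries a username. The script below is an added example, not code from the thread or from Sophos: it parses the key="value" log style the thread quotes (user, group, ad_domain, statuscode), counts challenges versus authenticated requests per source IP, and lists clients whose completed requests never carry a username. The sample log lines are constructed for the example; the field layout outside the quoted keys (timestamp, srcip, url) is assumed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the key="value" style of the UTM Web Filter
# live log. The field names user, group, ad_domain and statuscode come from
# the thread; timestamps, IPs, URLs and the remaining fields are made up.
# 10.0.0.21: one 407 challenge, then an authenticated request (SSO works).
# 10.0.0.22: two challenges, then a request still without a user (SSO fails).
SAMPLE_LOG = """\
2019:03:12-09:00:01 utm httpproxy[2345]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.0.21" user="" group="" ad_domain="" statuscode="407" url="http://example.com/"
2019:03:12-09:00:01 utm httpproxy[2345]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.0.21" user="jdoe" group="WebUsers" ad_domain="CORP" statuscode="200" url="http://example.com/"
2019:03:12-09:00:05 utm httpproxy[2345]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.0.22" user="" group="" ad_domain="" statuscode="407" url="http://example.org/"
2019:03:12-09:00:05 utm httpproxy[2345]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.0.22" user="" group="" ad_domain="" statuscode="407" url="http://example.org/"
2019:03:12-09:00:06 utm httpproxy[2345]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.0.22" user="" group="" ad_domain="" statuscode="200" url="http://example.org/"
"""

# One key="value" pair; values may be empty, which is exactly the case
# (user="", group="") the thread is about.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one log line into a dict of its key="value" fields."""
    return dict(KV_RE.findall(line))


def summarize(log_text):
    """Per source IP: 407 challenges, requests with a username, and
    completed (non-407) requests that still have no username."""
    stats = defaultdict(lambda: {"challenges": 0,
                                 "authenticated": 0,
                                 "unauthenticated": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        src = rec.get("srcip", "?")
        if rec.get("statuscode") == "407":
            # Proxy challenge: no username is expected here.
            stats[src]["challenges"] += 1
        elif rec.get("user"):
            stats[src]["authenticated"] += 1
        else:
            # Request was let through without an identified user: this is
            # what the policy without authentication will then govern.
            stats[src]["unauthenticated"] += 1
    return dict(stats)


def sso_suspects(stats):
    """Clients whose completed requests never carry a username, i.e. where
    SSO is not finishing even though traffic passes the proxy."""
    return sorted(ip for ip, s in stats.items()
                  if s["authenticated"] == 0 and s["unauthenticated"] > 0)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, s in sorted(stats.items()):
        print(f"{ip}: {s}")
    print("clients with no authenticated request:", sso_suspects(stats))
```

Run it against a saved export of the live log instead of SAMPLE_LOG to see at a glance which clients only ever show user="" on requests that were actually let through; in transparent mode, where no 407 is sent, every entry for a failing client will land in the "unauthenticated" bucket.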