
Forced AD Auth & no auth exception group

I've got an interesting puzzle. I have ASG 8.001 config'ed with forced AD auth. Everything works fine, but if I add an exception group & select no auth for it, the user gets an Astaro error message in their browser. The sites that I wanted in this group were places such as YouTube & Facebook where re-auth is a pain. The syntax I used was:
^https?://[A-Za-z0-9.-]*facebook.com/
^https?://[A-Za-z0-9.-]*youtube.com/
Currently I'm using a work-around by using "categories" such as 'Social Networking', but I'd prefer it locked down a little tighter.
Has anyone else run into this? Comments/suggestions?
[:S]
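An added example, not part of the original post: it runs the two patterns exactly as posted against constructed URLs to show which hosts a no-auth exception written this way would cover, next to a stricter variant. Python's `re` stands in for the proxy's regex matcher (an assumption), and `tightened()` and the sample URLs are hypothetical.

```python
import re

# Patterns exactly as posted in the thread.
POSTED = [
    r"^https?://[A-Za-z0-9.-]*facebook.com/",
    r"^https?://[A-Za-z0-9.-]*youtube.com/",
]

def tightened(domain):
    """Hypothetical stricter pattern: dots are escaped, and anything before
    the domain must be whole DNS labels that each end in a dot."""
    return r"^https?://([A-Za-z0-9-]+\.)*" + re.escape(domain) + r"/"

TIGHT = [tightened("facebook.com"), tightened("youtube.com")]

def is_exempt(url, patterns):
    """True if any exception pattern matches the URL."""
    return any(re.search(p, url) for p in patterns)

# Constructed sample URLs. The last three are hosts the exception was not
# meant to cover.
SAMPLES = [
    "http://www.youtube.com/",
    "https://facebook.com/login.php",
    "http://m.facebook.com/",
    "http://notfacebook.com/",      # "[A-Za-z0-9.-]*" absorbs the "not"
    "http://my-youtube.com/watch",  # a hyphenated prefix is absorbed as well
    "http://www.youtubeXcom/",      # single-label host: the unescaped "." matches "X"
]

def compare(samples=SAMPLES):
    """Return (url, matched_by_posted, matched_by_tightened) per sample."""
    return [(u, is_exempt(u, POSTED), is_exempt(u, TIGHT)) for u in samples]

if __name__ == "__main__":
    for url, loose, tight in compare():
        print(f"{url:32} posted={loose!s:5} tightened={tight}")
```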


  • So, are you saying the Astaro doesn't like your expressions and tries to authenticate anyway?  If so, then try just using .facebook.com/ and .youtube.com/ instead.

    Or, do you think there's a bug with an exception for authorization?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • [QUOTE=BAlfson;156558]So, are you saying the Astaro doesn't like your expressions and tries to authenticate anyway?  If so, then try just using .facebook.com/ and .youtube.com/ instead, as Astaro now supports a bit more than standard REGEXs.

    Or, do you think there's a bug with an exception for authorization?[/QUOTE]

    Not at all. Users aren't asked to be auth'ed. There is just an error message via the ASG to the user via browser without explanation. I tried using just the syntax "facebook.com", but got the same error.

    I've downloaded live HTTP Headers for Firefox to see what's happening. I'll post the output within the next 14 hrs as well as the FW message. https://addons.mozilla.org/en-US/firefox/addon/3829/

    Unless I've mis-config'ed, it appears to be a bug.
  • Here are the two outputs. The first is from the ASG 8.001. The second is from the client running Firefox with Live HTTP Headers. It's very odd. The FW isn't picking up the URL as a no-auth exception in the exception group.

    filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="4573" time="0 ms" request="0xe74acbb0" url="www.youtube.com/" exceptions="av,auth,mime" error="" country="United States"
    2010:09:20-21:12:53 cyclops httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.1.100" dstip="" user="" statuscode="302" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction=" ()" size="4832" time="0 ms" request="0xe7450f40" url="www.bbc.co.uk/.../ticker.sjsonjsoncallback=bbc.fmtj.net.json.model.getFeedById(0).callback&client=bbcfmtj&cachebuster=cb128503142241476555" exceptions="" error=""
    2010:09:20-21:13:02 cyclops httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.1.100" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="4573" time="0 ms" request="0xe74acbb0" url="www.youtube.com/" exceptions="av,auth,mime" error="" country="United States"
    2010:09:20-21:13:07 cyclops httpproxy[5597]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.100" dstip="" user="" statuscode="302" cached="1" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="250" time="1 ms" request="0xe74ac168" url="http://en-gb.fxfeeds.mozilla.com/en-GB/firefox/headlines.xml" exceptions="av,auth,url" error="" content-type="text/html"
    2010:09:20-21:13:08 cyclops httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.1.100" dstip="" user="" statuscode="302" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction=" ()" size="4636" time="0 ms" request="0xe74c7d08" url="news.bbc.co.uk/.../rss.xml" exceptions="" error=""
    2010:09:20-21:13:08 cyclops httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.1.100" dstip="" user="" statuscode="302" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction=" ()" size="4648" time="0 ms" request="0xeb146750" 



    YouTube - Broadcast Yourself.

    GET / HTTP/1.1
    Host: YouTube - Broadcast Yourself.
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-gb,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 115
    Connection: keep-alive
    Cookie: VISITOR_INFO1_LIVE=2L9s0T3TGfE; PREF=f1=50000000&gl=US&hl=en; use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw; GEO=ee1b6f1e2b8b6c7c5261693618dff066cwsAAAAzQ0GtIZNdTJgFOA==

    HTTP/1.1 403 Forbidden
    Date: Tue, 21 Sep 2010 01:12:30 GMT
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Type: text/html; charset="UTF-8"
    Content-Length: 4573
    Accept-Ranges: none
    Connection: Keep-Alive
    ----------------------------------------------------------
    http://passthrough.fw-notify.net/static/default.js

    GET /static/default.js HTTP/1.1
    Host: passthrough.fw-notify.net
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
    Accept: */*
    Accept-Language: en-gb,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 115
    Connection: keep-alive
    Referer: YouTube - Broadcast Yourself.

    HTTP/1.1 200 OK
    Content-Type: text/html; charset="UTF-8"
    Pragma: no-cache
    Cache-Control: no-cache
    Content-Length: 2745
    Accept-Ranges: none
    Connection: Keep-Alive
    ----------------------------------------------------------
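An added example, not part of the original post: a small parser for the httpproxy entries shown above that splits each entry into its key="value" fields and lists requests that carry `auth` in `exceptions` but were still logged with action="block". The three sample entries are copied from the post with their wrapped lines joined; reading `exceptions` as the list of checks skipped for a request is an assumption about the log format, and the function names are hypothetical.

```python
import re

# Three entries copied from the post above, each joined onto one line.
LOG = '''\
2010:09:20-21:13:02 cyclops httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.1.100" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="4573" time="0 ms" request="0xe74acbb0" url="www.youtube.com/" exceptions="av,auth,mime" error="" country="United States"
2010:09:20-21:13:07 cyclops httpproxy[5597]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.100" dstip="" user="" statuscode="302" cached="1" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="250" time="1 ms" request="0xe74ac168" url="http://en-gb.fxfeeds.mozilla.com/en-GB/firefox/headlines.xml" exceptions="av,auth,url" error="" content-type="text/html"
2010:09:20-21:13:08 cyclops httpproxy[5597]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.1.100" dstip="" user="" statuscode="302" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction=" ()" size="4636" time="0 ms" request="0xe74c7d08" url="news.bbc.co.uk/.../rss.xml" exceptions="" error=""
'''

# "timestamp host process[pid]: " prefix, then key="value" pairs.
PREFIX = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w-]+)\[(?P<pid>\d+)\]: ')
FIELD = re.compile(r'([\w-]+)="([^"]*)"')

def parse_line(line):
    """Split one httpproxy entry into a dict; None if the prefix is missing."""
    m = PREFIX.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(FIELD.findall(line[m.end():]))
    # Turn the comma-separated exceptions value into a list ("" -> []).
    rec["exceptions"] = [e for e in rec.get("exceptions", "").split(",") if e]
    return rec

def blocked_despite_auth_exception(text):
    """Entries that list 'auth' in exceptions yet were logged as blocked."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("action") == "block" and "auth" in rec["exceptions"]:
            hits.append((rec["ts"], rec.get("url"), rec.get("statuscode"),
                         rec.get("user"), rec.get("filteraction")))
    return hits

if __name__ == "__main__":
    for hit in blocked_despite_auth_exception(LOG):
        print(hit)
```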