This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

AD SSO / USER GROUP NETWORK and Web Proxy (http/s) Profiles

We are using two ASG425's in HA mode.
Firmware: 8.102
Patternversion: 21617

I'm trying to implement some sort of access pattern based on a AD SSO authentification.

Therefor I've configured at least four http/s profiles.
Every profile has it's own filter assignment including a specific AD user group.
As the filter assignments the profiles itself have been configured with the matching "User Group Network" object.
But every time I try to get access with the correct user (SSO), it won't work.
For some reason the http/s log shows me that the client is using the standard profile, eventhough it does recognize the correct user and the ip is recognized too at least it does show in src ip="...".
If I replace the "network group" definition within the profile to "internal network" and leave the user group as it was, it does work.
The problem here is, as soon as I use the wrong user, the client wont go to the next profile in list, it just stops there and uses the fallback configuration.
Which means all the other profiles will be ignored except the firt profile in the list.

What am I doing wrong?
Can some give me a hint.
Does the "User Group Network" object work within the web security option?

This thread was automatically locked due to age.

0 Undel over 14 years ago

https access log
2

011:04:13-20:01:55 Astaro201 httpproxy[9050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.10" dstip="198.78.205.126" user="" statuscode="200" cached="0" profile="REF_ghwfTGXqNs (1)" filteraction="REF_iixYCNqBDH (1)" size="16565" time="8 ms" request="0x83a2108" url="welcome.hp-ww.com/.../x-javascript"

2011:04:13-20:01:55 Astaro201 httpproxy[9050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.10" dstip="198.78.205.126" user="" statuscode="200" cached="0" profile="REF_ghwfTGXqNs (1)" filteraction="REF_iixYCNqBDH (1)" size="23732" time="17 ms" request="0x83a3388" url="welcome.hp-ww.com/.../x-javascript"

2011:04:13-20:01:59 Astaro201 httpproxy[9050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.10" dstip="209.85.149.148" user="" statuscode="200" cached="0" profile="REF_ghwfTGXqNs (1)" filteraction="REF_iixYCNqBDH (1)" size="730" time="3352 ms" request="0x8414948" url="fls.doubleclick.net/activityi;src=2305757;type=hpcom559;cat=hpcom619;ord=1;num=8487546979043.357

2011:04:13-20:01:59 Astaro201 httpproxy[9050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.10" dstip="46.228.164.11" user="" statuscode="200" cached="0" profile="REF_ghwfTGXqNs (1)" filteraction="REF_iixYCNqBDH (1)" size="43" time="84 ms" request="0x83a2108" url="r.turn.com/.../beacon

2011:04:13-20:01:59 Astaro201 httpproxy[9050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.10" dstip="209.85.149.96" user="" statuscode="302" cached="0" profile="REF_ghwfTGXqNs (1)" filteraction="REF_iixYCNqBDH (1)" size="42" time="118 ms" request="0x83a3388" url="www.googleadservices.com/.../

2011:04:13-20:01:59 Astaro201 httpproxy[9050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.10" dstip="217.163.21.39" user="" statuscode="200" cached="0" profile="REF_ghwfTGXqNs (1)" filteraction="REF_iixYCNqBDH (1)" size="43" time="151 ms" request="0x841be00" url="ad.yieldmanager.com/pixel

2011:04:13-20:01:59 Astaro201 httpproxy[9050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.10" dstip="66.235.132.232" user="" statuscode="200" cached="0" profile="REF_ghwfTGXqNs (1)" filteraction="REF_iixYCNqBDH (1)" size="43" time="3693 ms" request="0x841e110" url="met1.hp.com/.../s12217328008520

2011:04:13-20:01:59 Astaro201 httpproxy[9050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.10" dstip="74.125.232.90" user="" statuscode="200" cached="0" profile="REF_ghwfTGXqNs (1)" filteraction="REF_iixYCNqBDH (1)" size="42" time="173 ms" request="0x83a3388" url="googleads.g.doubleclick.net/.../

2011:04:13-20:02:02 Astaro201 httpproxy[9050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.10" dstip="66.151.153.10" user="" statuscode="200" cached="2" profile="REF_ghwfTGXqNs (1)" filteraction="REF_iixYCNqBDH (1)" size="10964" time="3003 ms" request="0x8414948" url="hp-www.baynote.net/.../javascript"

2011:04:13-20:02:02 Astaro201 httpproxy[9050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.10" dstip="74.125.232.91" user="" statuscode="200" cached="0" profile="REF_ghwfTGXqNs (1)" filteraction="REF_iixYCNqBDH (1)" size="43" time="3263 ms" request="0x83baf78" url="ad.doubleclick.net/activity;src=2964791;type=hpcom779;cat=hpcom893;ord=1;num=50440851

2011:04:13-20:02:35 Astaro201 httpproxy[9050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.10" dstip="87.250.250.3" user="" statuscode="200" cached="0" profile="REF_ghwfTGXqNs (1)" filteraction="REF_iixYCNqBDH (1)" size="6205" time="3036 ms" request="0x83a2108" url="ya.ru/.../html"

2011:04:13-20:02:35 Astaro201 httpproxy[9050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.10" dstip="" user="" statuscode="200" cached="1" profile="REF_ghwfTGXqNs (1)" filteraction="REF_iixYCNqBDH (1)" size="2593" time="2 ms" request="0x841be00" url="yandex.st/.../css"

2011:04:13-20:02:35 Astaro201 httpproxy[9050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.10" dstip="" user="" statuscode="200" cached="1" profile="REF_ghwfTGXqNs (1)" filteraction="REF_iixYCNqBDH (1)" size="11045" time="1 ms" request="0x83a3388" url="yandex.st/.../x-javascript"

2011:04:13-20:02:35 Astaro201 httpproxy[9050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.10" dstip="" user="" statuscode="200" cached="1" profile="REF_ghwfTGXqNs (1)" filteraction="REF_iixYCNqBDH (1)" size="72174" time="13 ms" request="0x841e110" url="yandex.st/.../x-javascript"

2011:04:13-20:02:35 Astaro201 httpproxy[9050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.10" dstip="217.73.200.221" user="" statuscode="200" cached="0" profile="REF_ghwfTGXqNs (1)" filteraction="REF_iixYCNqBDH (1)" size="43" time="15 ms" request="0x8414948" url="www.tns-counter.ru/.../gif"

2011:04:13-20:02:35 Astaro201 httpproxy[9050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.10" dstip="77.88.21

As you can see from

severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.10" dstip="198.78.205.126" user="" statuscode="200" cached="0" profile="REF_ghwfTGXqNs (1)"

Astaro don't bother if user really has the right to access Internet or to what group he belongs.

I've attached logical scheme of our lab

0 BAlfson over 14 years ago

In the https access log, the user is not identified by SSO. Please show a pic of the edit of the Proxy Profile for 192.168.3.0/24. Also, please show a pic of the edit of the backend group that's in a Filter Assignement used in the Profile.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Undel over 14 years ago

HTTP/S is only configured on ASG with IP 192.168.6.100.
ASG in 192.168.3.0/24 is used only as DHCP server and for IPSec tunnel. HTTP/S and authentication is turned off on this ASG.
DHCP Server sets user's DNS server as 192.168.6.100 and user's browser is configured to use 192.168.6.100 as proxy.

I've added screenshots in ZIP archive

astaro_sso.zip
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 14 years ago

I just ran across this. I can't read the zip file, but in AD-SSO mode, this is a common problem:
user's browser is configured to use 192.168.6.100 as proxy.

The answer is to force the use of Kerberos, instead of NTLM, by pointing the browsers at an FQDN that resolves to 192.168.6.100. Check out the KnowledgeBase article Configure HTTP-S Proxy with AD-SSO.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 jjohnston62 over 14 years ago in reply to BAlfson

Is it possible to make this work (AD Groups determining filter actions) with the default mode as transparent? This is for a K-12 district - they do not want to set proxies if they don't have to.

Also - just to clarify - we do not have VLANs for separate traffic between students and teachers, but we need different actions dependent upon the AD group membership. This is possible also?

Thanks,

Jon J

[Update - This is all working now. Primary problem was that someone had edited filter categories to include a bunch of other categories and things were always being filtered.. for example "Weapons" included Social networking, etc. etc. etc. so it was confusing during testing.]
Cancel
Vote Up 0 Vote Down

Cancel