I am playing around with my new UTM 220 and am confused about the best way to configure Web Protection to make it do what I want. Background: All my servers and desktops are on a single subnet, in a single Active Directory domain. I'm happy to use Standard Mode if required, but would prefer Transparent if possible Here's my shopping list: All user web access should be authenticated with SSO Users must be a member of a specific AD group Some hosts (servers) need access to certain destinations without authentication because they're running background services that run under the Local System account and don't support proxy authentication Some web sites (social, streaming etc) are only permitted at lunchtimes and should be totally blocked at other times I'm fairly certain that what I'm trying to do can be done with a mixture of Web Filtering, Filter Profiles, Filter Actions, and Exceptions, but I can't see the light. Can some give me some pointers to the best way to achieve this? I've read Understanding Sophos Web Filtering but it didn't help me much.

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Please help with Web Filtering config

I am playing around with my new UTM 220 and am confused about the best way to configure Web Protection to make it do what I want.

Background:

All my servers and desktops are on a single subnet, in a single Active Directory domain.
I'm happy to use Standard Mode if required, but would prefer Transparent if possible

Here's my shopping list:

All user web access should be authenticated with SSO
Users must be a member of a specific AD group
Some hosts (servers) need access to certain destinations without authentication because they're running background services that run under the Local System account and don't support proxy authentication
Some web sites (social, streaming etc) are only permitted at lunchtimes and should be totally blocked at other times

I'm fairly certain that what I'm trying to do can be done with a mixture of Web Filtering, Filter Profiles, Filter Actions, and Exceptions, but I can't see the light.

Can some give me some pointers to the best way to achieve this? I've read Understanding Sophos Web Filtering but it didn't help me much.

This thread was automatically locked due to age.

0 BAlfson over 11 years ago

HTTP-S Proxy Access with AD-SSO is still written for V8.3, so some items are on a different tab in 9.2, but everything works the same. Standard mode is to be preferred for many reasons.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 vilic over 11 years ago

That should be solved with a single Web Profile (Default) with two policies:
1. Allow AD Group at lunchtime (Default Content Filter Action),
2. Allow AD Group at all times, block Social and Streaming sites (New Filter Action).

For servers a Firewall rule should be created that allows HTTP/s to Internet (or defined destinations) for their IP addresses.
Cancel
Vote Up 0 Vote Down

Cancel
0 DistantObjects over 11 years ago

Thanks for the feedback.

Bob: I've followed that very article and have SSO working fine for Standard Mode after overcoming problems with Backend groups), and Transparent Mode

Vilic: If I add a firewall rule for the servers, wouldn't Web Protection intercept the traffic? Or would the traffic bypass Web Protection all profiles were set to Standard Mode and the servers weren't configured with proxy settings?
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 11 years ago

DO, refer to #2 in Rulz.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 DistantObjects over 11 years ago

Thanks BAlfson. I read the Rulz when I first joined the forum - along with hundreds of other articles on here (many of them yours, of course) - but had forgotten about it.

*Bookmarked for future reference.

Cheers
Cancel
Vote Up 0 Vote Down

Cancel