1. I am new to this forum, so I apologize if I am posting incorrectly.
2. I also apologize if this is a repeated question ( I could not locate answer).
3. Fairly new to Sophos (few months old), so learning as I go.
4. Setup:
1 x SG230, 3 x SG210, 1 x SG125, 1 x UTM120
UTM v 9.307-6 on all
combo of "mesh" and "hub & spoke" VPN site2site tunnels
single internal AD domain
UTM has been joined to AD domain for SSO
AD users successfully authenticate through UTM proxy using "backend" AD
5. Notes:
Maybe this is a fundamental impossibility, but it would be very helpful if the UTM would offer AD groups for computers (just like it does for AD users), and allow the group to be applied just like DNS Host etc..
The Web Filtering module is a bit difficult for me to wrap my head around, so I do realize there is a good chance I am just doing something incorrectly.
6. Goal:
When a domain computer is connected to network via Ethernet cable, we want the AD user to be able to access the internet, invisibly using UTM proxy (transparent mode & AD SSO) using "filter A". When a non-domain computer (such as a vendor) connects to our network via Ethernet cable, we want them to get the Sophos "splash page" with disclaimer and "guest user" login and then use "filter B". I realize this can be easily handled when using wireless (can therefore use the wireless network to apply that specific profile) but often wireless is not being used.
My limited understanding is that profiles allow differentiating between "IPs" such as a single host, multiple hosts, a range, or entire subnet. But going top down, once a profile matches the client, no other profiles are attempted. Policies instead match against "users', such as a local user/s and/or AD user/s.
The "guest" computers and domain computers are on the same subnet, and it seems that separating them is not going to be the best solution (ex: via DHCP reservations - so that UTM web filter profile can limit per network range). What happens is that a "guest" computer will match the "internal network" profile which is set for AD SSO, and of course, the "guest" computer cannot authenticate using AD, so prompt comes up asking for un/pw, but this need to be an AD account and not a local UTM account (we would prefer not to use AD for the "guest" user account).
Sorry for the rambling, just frustrated and trying to think of all details that may help.
Thank you.
This thread was automatically locked due to age.
