UTM 9.3 transparent proxy + AD SSO

Hello,

I'm trying to switch from proxy standard mode to transparent mode. Currently I use the standard mode + AD SSO for authentication and it has worked without any problem for over a year now. As mobile devices come into play more and more, I would like to make the configuration more comfortable.

As soon as I switch to transparent mode I lose the user information and only the IP is shown in reports and logs. When I switch back, everything works fine again.

2016:01:27-12:56:41 fw-d00 httpproxy[11781]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.1.40" dstip="5.153.231.4" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="454" request="0xe1ab9000" url="www.debian.org/.../planet.png" referer="http://www.debian.org/" error="" authtime="0" dnstime="111" cattime="26367" avscantime="499" fullreqtime="74258" device="1" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko" exceptions="" category="175" reputation="trusted" categoryname="Software/Hardware" content-type="image/png"


Any hint what's missing here?


thx,

Daniel
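As an added illustration (not part of Daniel's post or of the UTM product), the following Python parses lines in the httpproxy key="value" format quoted above and flags requests the proxy passed with auth="0" and an empty user, which is what the log looks like when transparent mode has lost the SSO identity. Counting per source IP makes a client that is silently unauthenticated stand out next to those that SSO resolved. The sample lines are constructed for this example; the auth value used for the authenticated row and any field names beyond those in the quoted line are assumptions.

```python
import re
from collections import defaultdict

# Header of a UTM 9 httpproxy line: timestamp, hostname, httpproxy[pid]: then key="value" pairs.
HEADER_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) httpproxy\[(?P<pid>\d+)\]: (?P<body>.*)$')
# One key="value" pair; keys may contain hyphens (content-type), values may contain spaces.
KV_RE = re.compile(r'(\S+?)="([^"]*)"')

# Constructed sample lines for this example (not taken from a real log).
SAMPLE_LINES = [
    # Unauthenticated request: user and ad_domain empty, auth="0" (modelled on the quoted line).
    '2016:01:27-12:56:41 fw-d00 httpproxy[11781]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.1.40" dstip="5.153.231.4" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="454" request="0xe1ab9000" url="www.example.org/images/planet.png" referer="http://www.example.org/" error="" authtime="0" dnstime="111" cattime="26367" avscantime="499" fullreqtime="74258" device="1" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko" exceptions="" category="175" reputation="trusted" categoryname="Software/Hardware" content-type="image/png"',
    # Authenticated request from another client (auth="1" is an assumed non-zero value).
    '2016:01:27-12:56:43 fw-d00 httpproxy[11781]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.1.41" dstip="5.153.231.4" user="jdoe" ad_domain="EXAMPLE" statuscode="200" cached="0" size="1024" url="www.example.org/" referer="" error="" authtime="12" auth="1" ua="Mozilla/5.0" category="175" reputation="trusted" categoryname="Software/Hardware" content-type="text/html"',
    # Second unauthenticated request from the first client.
    '2016:01:27-12:56:45 fw-d00 httpproxy[11781]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.1.40" dstip="5.153.231.4" user="" ad_domain="" statuscode="304" cached="1" size="0" url="www.example.org/favicon.ico" referer="" error="" authtime="0" auth="0" ua="Mozilla/5.0" category="175" reputation="trusted" categoryname="Software/Hardware" content-type="image/x-icon"',
    # Not an httpproxy line at all; the parser skips it.
    '2016:01:27-12:56:46 fw-d00 ulogd[4321]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" srcip="10.0.1.50" dstip="10.0.1.1"',
]


def parse_line(line):
    """Return a dict of the line's fields, or None if it is not an httpproxy line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts"), "host": m.group("host"), "pid": m.group("pid")}
    fields.update(KV_RE.findall(m.group("body")))  # list of (key, value) pairs
    return fields


def _is_authenticated(fields):
    # The quoted line shows auth="0" with an empty user for the unauthenticated case;
    # any other auth value together with a non-empty user is treated as authenticated
    # here (an assumption about the other values the field can take).
    return fields.get("auth") != "0" and bool(fields.get("user"))


def unauthenticated_requests(lines):
    """(srcip, url) for every 'http access' entry the proxy passed without a user identity.
    With working AD SSO these should be rare; when transparent mode has lost the
    identity, every request from the affected client appears here."""
    hits = []
    for line in lines:
        f = parse_line(line)
        if f is None or f.get("name") != "http access":
            continue
        if not _is_authenticated(f):
            hits.append((f["srcip"], f.get("url", "")))
    return hits


def auth_ratio_by_source(lines):
    """Per source IP: (authenticated, unauthenticated) request counts."""
    counts = defaultdict(lambda: [0, 0])
    for line in lines:
        f = parse_line(line)
        if f is None or f.get("name") != "http access":
            continue
        counts[f["srcip"]][0 if _is_authenticated(f) else 1] += 1
    return {ip: tuple(v) for ip, v in counts.items()}


if __name__ == "__main__":
    for ip, (ok, bad) in sorted(auth_ratio_by_source(SAMPLE_LINES).items()):
        print(f"{ip}: {ok} authenticated, {bad} unauthenticated")
    for ip, url in unauthenticated_requests(SAMPLE_LINES):
        print(f"no SSO identity: {ip} -> {url}")
```

Run against a real httpproxy.log, a client whose row reads (0, N) after the switch to transparent mode is the one whose browser never completed the SSO exchange, which narrows the problem to that client's zone or DNS configuration rather than the proxy as a whole.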



  • Hey BAlfson,

    This is not a solution. He wrote that if he changes from standard to transparent mode, no user and domain are traced/authenticated. We have this issue too. In standard proxy mode, the AD SSO works fine, but if we change it to transparent mode, the authentication window from Windows shows up. Any idea why?

  • Check the Microsoft KnowledgeBase and boards to see if there's a way to get the Windows server to correctly answer an NTLMv1 auth request.  I bet you need to enable that in the server.  That's just a guess.

    Cheers - Bob

  • Hey Balfson,

    Thanks for your guess. I solved the problem myself. The solution was to put the DNS name (FQDN and short) into the intranet zone to authenticate with username/password. But thanks, good to know the NTLMv1 hint.

  • On the command line:

    cc get http adsso_redirect_use_hostname

    If set to 1 it should use the UTM hostname when doing AD SSO and IE/FF will automatically assume it is intranet and safe.  Your client needs to be able to resolve the bare UTM name.

    If set to 0 it will use the UTM FQDN and IE/FF needs the extra configuration to allow it to authenticate without a prompt.