I am working on an ASG220 v8.308 for a client who recently added the web filter license to their unit, and I'm having a very hard time getting the SSO-AD filtering working so we can limit by AD groups. I've gone back and forth with their primary support people (those that sold them the Astaro) and they have given up and said I should contact Astaro/Sophos directly, so hopefully these forums will answer my questions (they only have "standard" support).
The first thing I did was make sure under Network Services -> DNS that the allowed networks was blank and the only forwarder was their internal DNS server. Then under Definitions and Users -> Authentication Servers -> Servers I added the domain controller. I then tested using a user on the domain and one not on the domain; the domain user authenticated correctly and was listed as in the "authenticated users" group. I then went to the "Single Sign-On" tab and added the Astaro to the domain (successfully).
Everything looked good up until this point, so we added some groups in Active Directory for different access levels, one being for some users that need eBay access. In AD we added a group called "Filter-eBay" and added users to it. Then on the Astaro I went to Definitions and Users -> Users and Groups -> Groups. I added a new group called "Fitler-eBay", group type Backend, backend Active Directory. I put in a group filter of "CN=Filter-eBay,CN=Users,DC=domain,DC=local". I went back to the Authentication Servers -> Servers tab and tested a user that is in the eBay filter group and one that wasn't, and it correctly showed the membership.
I then turned on the web filter and, using a user within the "ebay" group (which is set up to allow eBay, PayPal, etc.), I tried to get to eBay and I received the blocked message. I turned on the live log for web filtering and I see the issue... there is no "User" being seen:
srcip="10.0.1.63" dstip="66.201.160.87" user="" statuscode="304"
Everything looks correct as per the help file. What am I missing? It's not "seeing" the user, so therefore the filters are failing, which I understand, but why isn't it seeing the user and how do I fix this? Right now I threw a Web Filter Profile at the top of the list called "Temp Access" whose operational mode is "Standard" but authentication is set to "None", so they at least have web access, although not as limited as it should be. If I switch the authentication to Active Directory SSO, which is what I want, they get prompted over and over for a user name and password, when I thought it should be, as the name implies, single sign-on. Everyone has a proxy server set in their browsers and we are using the FQDN of the Astaro (which is also in DNS).
-Allan
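An added check, not part of Allan's post and not Astaro/Sophos code: the one log line quoted above is the only evidence the post gives, and a single `user=""` from one client does not tell you whether SSO is failing for every host (a proxy/DNS/domain-join problem) or only for some (a per-client browser or workstation problem). The script below parses web-filter log lines in the `key="value"` shape shown in the post and groups them by source IP, so you can see which hosts never arrive with a user. The log lines are constructed for the example (only the field names come from the post), the regex for the `key="value"` syntax is my assumption about how the rest of the line is formatted, and the "global"/"partial" classification is my own heuristic, not a UTM feature.

```python
"""
Summarise authenticated vs. unauthenticated requests per client IP from
Astaro/Sophos UTM style web-filter log lines.  Sample data is constructed
for this example; it is not output from the poster's unit.
"""
import re
from collections import defaultdict

# key="value" pairs; values may contain backslash-escaped quotes.
# Assumption: the full log line follows the same syntax as the fragment in the post.
_KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_line(line):
    """Return the key="value" pairs of one log line as a dict (unescaping \\")."""
    return {k: v.replace('\\"', '"') for k, v in _KV_RE.findall(line)}


def summarize_auth(lines):
    """Per source IP: total requests, requests that carried a user, and the users seen."""
    stats = defaultdict(lambda: {"total": 0, "authenticated": 0, "users": set()})
    for line in lines:
        rec = parse_line(line)
        src = rec.get("srcip")
        if not src:
            continue  # not a request record we can attribute
        entry = stats[src]
        entry["total"] += 1
        user = rec.get("user", "")
        if user:
            entry["authenticated"] += 1
            entry["users"].add(user)
    return dict(stats)


def unauthenticated_hosts(stats):
    """IPs whose requests never carried a user: candidates for a client-side SSO problem."""
    return sorted(ip for ip, e in stats.items() if e["authenticated"] == 0)


def sso_failure_scope(stats):
    """Heuristic: 'global' if no host ever authenticates (or no data), 'partial' if
    only some hosts fail, 'none' if every host authenticated at least once."""
    bad = unauthenticated_hosts(stats)
    if not stats or len(bad) == len(stats):
        return "global"
    return "partial" if bad else "none"


# Constructed sample lines in the format shown in the post (not real traffic).
SAMPLE_LOG = [
    'srcip="10.0.1.63" dstip="66.201.160.87" user="" statuscode="304"',
    'srcip="10.0.1.63" dstip="66.201.160.87" user="" statuscode="403"',
    'srcip="10.0.1.70" dstip="66.201.160.87" user="DOMAIN\\jsmith" statuscode="200"',
    'srcip="10.0.1.71" dstip="66.201.160.87" user="" statuscode="304"',
]

if __name__ == "__main__":
    stats = summarize_auth(SAMPLE_LOG)
    for ip, e in sorted(stats.items()):
        print(f'{ip}: {e["authenticated"]}/{e["total"]} authenticated, users={sorted(e["users"])}')
    print("hosts never authenticated:", unauthenticated_hosts(stats))
    print("scope:", sso_failure_scope(stats))
```

Feed it the exported web filter log rather than the live view: if the result is "global", look at the things the poster already checked (DNS, the domain join, the proxy FQDN); if it is "partial", the hosts listed are the ones to compare against a working client.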