This article outlines the configuration steps and requirements for using Active Directory (AD) Single Sign-On (SSO) with the Web Protection proxy in Transparent Mode.
Applies to the following Sophos product(s) and version(s)
What To Do
In version 9.2 of the UTM firmware, Active Directory (AD) Single Sign-On (SSO) is available as an authentication option for the Transparent Mode of the Web Protection proxy. The following prerequisites apply:
- Active Directory Authentication must be configured and functioning properly as an 'Authentication Service' on the UTM.
- All workstations/computers need to be able to resolve the UTM's internal address both by hostname (http://myutm) and FQDN (http://myutm.domain.local).
- All workstations/computers must be joined to the AD Domain.
Note: When AD SSO in Transparent Mode is enabled on the UTM, the Web Application Firewall (WAF) cannot be enabled at the same time, since the two services are mutually exclusive. WebAdmin reports the following error:
"Cannot enable Web Application Firewall when one or more Web Filter Profiles are using ActiveDirectory SSO in transparent mode."
The reason is that both the WAF and a Transparent Mode proxy need the UTM to "listen" on port 80, which is not supported in the current firmware. Running both together is planned for the next UTM firmware release (9.202).
Limitations of AD SSO
Only "standard" HTTP requests can be authenticated through the proxy when using AD SSO in Transparent Mode. Authentication works when a browser makes a plain (non-HTTPS) web request, but may not work for the following kinds of requests and clients:
- Any URL with a parameter (query string)
- AJAX requests
- Any application whose User-Agent string does not contain "Mozilla" (i.e. a non-browser client)
However, in UTM firmware 9.111 and later, the proxy reuses the last successful cached authentication for the same user when a non-standard request (such as HTTPS) or a non-browser application makes a web request. This prevents further authentication challenges from the proxy, as long as an initial standard HTTP request from that user has been authenticated successfully.
Where to configure: WebAdmin
Related section: Web Protection | Web Filtering | Global
To use this feature, enable Web Filtering on the UTM, set the 'Operation mode' to 'Transparent mode' and set the 'Default authentication' to 'Active Directory SSO', either in the 'Default Web Filter Profile' or in a custom Web Filter Profile:
- Enable the Web Filter by clicking the toggle switch so that it turns green.
- Define the network(s) to be allowed.
- Define if HTTPS (SSL) traffic should be scanned, just filtered or left untouched.
- Set the 'Operation mode' to 'Transparent mode'.
- Set the 'Default authentication' to 'Active Directory SSO'.
- Click on 'Apply' to save the changes.
Browser Configuration (Windows)
Note: SSO authentication in Transparent Mode may fail because an internal LAN resource (the UTM) is treated as a public URL in the "Internet" zone of IE's security settings, where Integrated Windows Authentication is not attempted automatically. This issue is described in Microsoft KB 303650 and can be resolved with the following steps:
IE and Chrome:
1: In IE, go to 'Internet Options - Security - Local Intranet'
2: Click on 'Sites' and then check the box for "Automatically detect intranet network"
3: Click on "Advanced" and add the internal FQDN of the UTM
4: Chrome uses the same system network and proxy settings as IE, so both browsers should now authenticate successfully through the HTTP proxy with SSO.
Firefox does not inherit the network and proxy settings from IE the way Chrome does, so follow the steps below in Firefox to make sure the browser authenticates with SSO through the proxy:
- Open Firefox and type "about:config" in the address/URL field
- Search for "network.automatic"
- Click on the setting "network.automatic-ntlm-auth.trusted-uris"
- Add the same FQDN of the UTM that was used for IE/Chrome
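The following PowerShell script applies the IE/Chrome and Firefox steps above for the current user. It is an added example and not part of the Sophos article. The UTM name 'myutm.domain.local', the Firefox profile location under %APPDATA%, and the preference 'network.negotiate-auth.trusted-uris' (the Kerberos/Negotiate counterpart of the NTLM preference named above, which the article does not mention) are assumptions to adjust for your environment.

```powershell
# Added example, not from the Sophos article. Applies the browser steps for the
# current user. $UtmFqdn is an assumption; use the name your clients resolve.
$UtmFqdn = 'myutm.domain.local'

# --- IE / Chrome: assign the UTM to the Local Intranet zone (zone 1) -----------
# IE stores site-to-zone assignments as ZoneMap\Domains\<domain>\<host>, with one
# value per scheme whose data is the zone number (1 = Local intranet).
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$labels  = $UtmFqdn.Split('.')
$domain  = $labels[1..($labels.Count - 1)] -join '.'
$hostKey = "$zoneMap\Domains\$domain\$($labels[0])"
New-Item -Path $hostKey -Force | Out-Null
New-ItemProperty -Path $hostKey -Name 'http' -Value 1 -PropertyType DWord -Force | Out-Null
# Step 2 of the article: "Automatically detect intranet network".
New-ItemProperty -Path $zoneMap -Name 'AutoDetect' -Value 1 -PropertyType DWord -Force | Out-Null

# --- Firefox: trusted URIs for integrated authentication ---------------------
# Firefox ignores the IE settings, so write the about:config preference named in
# the article into user.js of every profile (user.js is applied at startup).
# network.negotiate-auth.trusted-uris is the Kerberos (Negotiate) counterpart of
# the NTLM preference; it is added here and is not mentioned in the article.
$prefLines = @(
    "user_pref(`"network.automatic-ntlm-auth.trusted-uris`", `"$UtmFqdn`");"
    "user_pref(`"network.negotiate-auth.trusted-uris`", `"$UtmFqdn`");"
)
$profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
foreach ($profile in Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue) {
    $userJs   = Join-Path $profile.FullName 'user.js'
    $existing = if (Test-Path $userJs) { Get-Content -Path $userJs } else { @() }
    # Append only the lines that are not already present, so re-running is safe.
    $prefLines | Where-Object { $existing -notcontains $_ } | Add-Content -Path $userJs -Encoding ASCII
}
```

Close Firefox before running the script, since user.js is only read when a profile starts; IE and Chrome pick up the zone change on their next start.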
Browser Configuration (Mac)
Note: Mac (OS X) does not support NTLM authentication, only Kerberos. Therefore, if you have Mac (OS X) clients on your AD network and want them to be authenticated with Single Sign-On (SSO) in Transparent Mode through the proxy, your AD server must be configured for Kerberos authentication as described below.
If a device going through the proxy supports neither Kerberos nor NTLM, the browser displays a login prompt so the user can enter their AD credentials.
Configuring AD Support for Kerberos
- Log in to your Active Directory domain controller.
- Run the following commands, providing the Active Directory username configured on the UTM 'Authentication Services' in the 'Bind DN' field.
- Be sure to provide the UTM's fully qualified domain name for the first command, and the UTM's hostname for the second command.
setspn -a HTTP/<myutm.domain.local> <AD username set on the UTM in Bind DN>
setspn -a HTTP/<myutm> <AD username set on the UTM in Bind DN>
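The following PowerShell script performs the two setspn registrations above with a duplicate check in front of them. It is an added example and not part of the Sophos article. The account name 'utm-bind' and the UTM names are assumptions; an SPN that is already held by another object is the most common reason Kerberos silently fails for the proxy, so the script aborts instead of creating a second copy.

```powershell
# Added example, not from the Sophos article. Registers the two HTTP SPNs on the
# UTM's bind account, but only if neither SPN is already held by another object.
# Run on a domain controller (needs the ActiveDirectory module and setspn.exe).
# $BindAccount, $UtmFqdn and $UtmHost are assumptions; use your own names.
Import-Module ActiveDirectory

$BindAccount = 'utm-bind'            # sAMAccountName of the user in the UTM's 'Bind DN'
$UtmFqdn     = 'myutm.domain.local'  # must match the name clients use, including case
$UtmHost     = 'myutm'
$spns        = @("HTTP/$UtmFqdn", "HTTP/$UtmHost")

foreach ($spn in $spns) {
    # An SPN registered on two objects is ambiguous for the KDC: ticket requests
    # fail and clients silently fall back to NTLM or a login prompt, so abort
    # rather than create a duplicate.
    $holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName
    $others  = @($holders | Where-Object { $_.sAMAccountName -ne $BindAccount })
    if ($others.Count -gt 0) {
        throw "$spn is already registered on: $($others.DistinguishedName -join '; ')"
    }
}

foreach ($spn in $spns) {
    # 'setspn -S' re-checks for duplicates and then adds the SPN; it has the same
    # effect as the article's 'setspn -a' when no duplicate exists, and prints
    # "Updated object" on success.
    setspn -S $spn $BindAccount
}

# Show the account's SPNs; both HTTP/ entries should now be listed.
setspn -L $BindAccount
```

If the UTM's hostname or domain changes later, the old SPNs stay on the account until removed with 'setspn -D', so re-run the check after any rename.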
Checking for Kerberos or NTLM Support
- In the client's proxy settings, make sure the client reaches the proxy by its FQDN rather than by IP address: with a hostname the client tries Kerberos first (if supported), with an IP address it uses NTLM.
- The hostname configured in the client's proxy settings must match the UTM's keytab entries exactly, including case.
- For example, if the client connects to the proxy as 'UTM.DOMAIN.LOCAL' but the UTM's keytab contains 'utm.domain.local', Kerberos authentication fails.
- There is no way to manually specify which authentication method to use or to force Kerberos. You can only set up both methods and allow the client to use either; the client decides which one is used.
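The following PowerShell commands, run on a domain-joined Windows client, check the two client-side preconditions from above and from the prerequisites list (both UTM names resolve, and a Kerberos service ticket for the UTM's SPN can be obtained) before the proxy itself is suspected. This is an added example and not part of the Sophos article; the UTM names are assumptions.

```powershell
# Added example, not from the Sophos article. Run on a domain-joined Windows
# client to check the preconditions from the article before troubleshooting the
# proxy itself. $UtmFqdn and $UtmHost are assumptions.
$UtmFqdn = 'myutm.domain.local'
$UtmHost = 'myutm'

# 1. Both the hostname and the FQDN must resolve (prerequisite in the article),
#    and they should point at the same UTM address.
$byFqdn = @((Resolve-DnsName -Name $UtmFqdn -Type A -ErrorAction Stop).IPAddress)
$byHost = @((Resolve-DnsName -Name $UtmHost -Type A -ErrorAction Stop).IPAddress)
if (Compare-Object -ReferenceObject $byFqdn -DifferenceObject $byHost) {
    Write-Warning "'$UtmHost' resolves to $($byHost -join ',') but '$UtmFqdn' to $($byFqdn -join ',')"
}

# 2. Ask the KDC for a service ticket for the UTM's SPN, using the FQDN as a
#    client contacting the proxy by name would. Success shows the SPN is
#    registered on exactly one account; an error here usually means the SPN is
#    missing or duplicated, in which case the browser falls back to NTLM or a
#    login prompt.
klist get "HTTP/$UtmFqdn"

# 3. List the cached tickets. The 'Server:' line shows the exact principal name,
#    including case, that the browser will present; it must match the UTM keytab.
klist | Select-String -Pattern 'Server:'
```

Step 2 only proves that the KDC knows the SPN; whether the UTM accepts the ticket still depends on its keytab matching the name in the 'Server:' line, which is the case-sensitivity point made above.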
Related information / See also
- How to Configure HTTP/HTTPS Proxy Access with AD SSO on the Sophos UTM (KB 115659)
- How to Configure Active Directory (AD) Authentication on the Sophos UTM (KB 120763)
- How to Debug authentication issues on the Sophos UTM (KB 115389)