Saturday, March 23, 2013

How to setup Sophos/Astaro Web Filtering to use AD Single SignOn

So very recently, I had a customer that wanted to block Internet usage for the users, but obviously still wanted the execs to be able to go to more sites (like finance sites, etc.).  This customer is using a Sophtaro firewall (Astaro now owned by Sophos... thought that sounded better than Assphos) that I sold to them and manage.  There doesn't seem to be a lot of great documentation on how to do this, but I figured it out with a combination of the built-in help files and the sparse online docs.

What I'm trying to accomplish is that the client authenticates to the firewall using their Active Directory (AD) username and password, the Sophtaro checks it against AD and, depending on which AD group they're in, applies a specific Web Filtering profile to them for less restricted browsing.

This can be done with the standard web proxy and/or proxy profiles as needed.  In this environment, I use the default proxy in transparent mode (which catches web traffic from every machine on the network) and then a separate proxy profile just for the executives.

Note: I could have gotten the same results by giving the execs' machines static IPs and matching the profile on those addresses, but static IPs are bad on desktops unless absolutely needed, and an IP-based rule grants the relaxed profile to whoever happens to hold that address.  SSO is more elegant and flexible.

The rough steps are:
  1. Add the SSO source
  2. Add the Astaro to the AD domain
  3. Create the AD group with the correct users in it.
  4. Create the Astaro group that references the AD group.
  5. Configure the Web Security settings and/or set up the proxy profile using the Astaro/AD group.
  6. Configure the client(s) to point to the proxy server (by hostname, see below) on port 8080.
The detailed steps are decently well-defined in this Sophos support article.  I say decently only because the article seems to have been edited a few times and the language is occasionally "broken".

Make sure that all machines can resolve the hostname of the Sophtaro firewall.  This is the hostname defined under Management -> System Settings -> Hostname.  It is crucial for SSO that clients reach the proxy by exactly this hostname and not by IP address or some other FQDN: the SSO exchange is Kerberos/NTLM, and the Kerberos ticket the browser presents is issued for the service principal that was registered under this name when the firewall joined the domain, so a request addressed to anything else will not be authenticated silently.  Check out my other blog entry on how to do this simply:  How to setup public DNS record overrides on Astaro/Sophos firewall.
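The Windows-side pieces of the procedure above (create the AD group, check that the firewall hostname resolves, check the domain join, and point a client at the proxy on 8080), as an added PowerShell example that is not part of the original post or of the Sophos documentation.  The hostname utm01, the domain corp.example, the group name WebFilter-Execs and the user names are assumptions; the firewall-side steps (SSO source, Astaro group, proxy profile) are done in WebAdmin and are not scripted here.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# on a domain-joined admin workstation with the RSAT ActiveDirectory module.
# Assumptions (not stated in the post): firewall hostname "utm01", AD domain
# "corp.example", AD group "WebFilter-Execs", default proxy port 8080.
Import-Module ActiveDirectory

$FirewallHost = 'utm01'
$GroupName    = 'WebFilter-Execs'
$ExecUsers    = @('jdoe', 'asmith')   # constructed sample sAMAccountNames
$ProxyPort    = 8080

# Step 3: create the AD security group that the Astaro group will reference,
# then add the exec users. Membership in this group is what grants the
# relaxed profile, so treat it like any other privileged group.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Users allowed the less-restrictive web filter profile'
}
Add-ADGroupMember -Identity $GroupName -Members $ExecUsers

# Hostname check from the post: every client must resolve the firewall by the
# exact name set under Management -> System Settings -> Hostname.
$resolved = Resolve-DnsName -Name $FirewallHost -ErrorAction SilentlyContinue
if (-not $resolved) {
    throw "Cannot resolve '$FirewallHost'; SSO will not work. Add a DNS record or a firewall DNS override."
}

# Step 2 sanity check: the domain join should have created a computer account
# for the firewall. SSO is Kerberos/NTLM, so list the SPNs on that account; an
# HTTP/<hostname> SPN is what a browser requests a ticket for when it talks to
# the proxy by that hostname. (Assumption: account name equals the hostname.)
$fwAccount = Get-ADComputer -Identity $FirewallHost -Properties ServicePrincipalNames -ErrorAction SilentlyContinue
if ($fwAccount) {
    $fwAccount.ServicePrincipalNames | Where-Object { $_ -like 'HTTP/*' }
} else {
    Write-Warning "No computer account '$FirewallHost' found; re-run the domain join on the firewall."
}

# Step 6: point this client at the proxy by hostname (not IP) on 8080, and keep
# the firewall itself and local addresses out of the proxy path. In production
# push these values with a GPO instead of setting them per machine.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-ItemProperty -Path $inetKey -Name ProxyEnable   -Value 1
Set-ItemProperty -Path $inetKey -Name ProxyServer   -Value "${FirewallHost}:$ProxyPort"
Set-ItemProperty -Path $inetKey -Name ProxyOverride -Value "$FirewallHost;<local>"
```

The proxy is deliberately set to `utm01:8080` rather than the firewall's IP so that the browser's Kerberos request matches the name the firewall is known by in AD; if the SPN listing above comes back empty, expect the browser to fall back to prompting for credentials instead of signing on silently.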

Now in my case, I wanted the execs to have less restriction (so only a few users/machines) and everything else to have more restriction (and later even a full-block profile for kiosks and the like).  The way I accomplished this was to set up a proxy profile for the execs using the SSO functionality, but leave the default web filter in transparent mode for the whole network.  This means every other user/device stays more restricted, while the execs authenticate against the profile for increased access.

I hope this helps and good luck.

Brendon
