
How to configure Active Directory (AD) Single Sign On (SSO) in Transp... https://community.sophos.com/kb/en-us/120791

How to configure Active Directory (AD) Single Sign On (SSO) in Transparent Mode

120791 10 Jun 2016

Overview
This article outlines the configuration steps and requirements for using Active Directory (AD) and Single Sign On (SSO) in Transparent Mode.

The following sections are covered:

What to do
Prerequisites
Limitations of AD SSO
UTM configuration
Browser configuration (Windows)
Internet Explorer and Chrome
Firefox
Browser configuration (Mac)
Related information
Feedback and contact

Applies to the following Sophos products and versions

Sophos UTM

What to do

Prerequisites
Active Directory Authentication must be configured and function properly as an Authentication Service on the UTM.
See Sophos UTM v9.2 & AD Authentication.

All workstations/computers must be able to resolve the UTM's internal address, both by hostname (http://myutm) and FQDN (http://myutm.domain.local).

All workstations/computers must be connected to the AD Domain.

The WebProxy in Transparent Mode with no authentication must work before configuring the authentication.

NOTE for UTM v9.200/9.201: When AD SSO in Transparent Mode is enabled on the UTM, the Web Application Firewall (WAF) will report the following error since the services are mutually exclusive:

Cannot enable Web Application Firewall when one or more Web Filter Profiles are using ActiveDirectory
SSO in transparent mode.

This is due to the UTM having to listen on port 80 for both the WAF and a Transparent Mode proxy configuration, which is currently not supported. See Sophos UTM: Transparent AD SSO conflicts with WAF, User Portal or SSL VPN.

Limitations of AD SSO

You can authenticate only standard HTTP requests through the proxy when using AD/SSO in Transparent Mode.
This only works when your browser makes a standard (non HTTPS) web request, and may not work for the applications and services listed
below:

HTTPS
Any URL with a parameter
AJAX requests
Any application which does not contain Mozilla in the User Agent string (non browser)

However, in UTM F/W >= 9.111, the proxy will use the last successful cached authentication for the same user when non-standard web requests (HTTPS) are made, or when a non-browser application makes a web request.

This feature will prevent further authentication challenges from the proxy as long as there is an initial (successful) standard HTTP request
which has been authenticated.
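
The limitations above, modelled as an added troubleshooting example (not Sophos code and not part of the original article): it checks each request against the article's list and finds the first one that could serve as the initial standard HTTP request. The function names, the sample traffic and the use of the `X-Requested-With` header to recognise AJAX calls are assumptions.

```python
from urllib.parse import urlsplit

def sso_blockers(url, headers):
    """Return the article's listed limitations that apply to one request."""
    h = {k.lower(): v for k, v in headers.items()}
    parts = urlsplit(url)
    reasons = []
    if parts.scheme != "http":
        reasons.append("HTTPS")
    if parts.query:
        reasons.append("URL with a parameter")
    # Assumption: AJAX calls carry the conventional X-Requested-With header;
    # the article does not say how the UTM recognises them.
    if h.get("x-requested-with", "").lower() == "xmlhttprequest":
        reasons.append("AJAX request")
    if "Mozilla" not in h.get("user-agent", ""):
        reasons.append("User-Agent without Mozilla")
    return reasons

def first_authenticable(requests):
    """Index of the first request with no blockers, or None if there is none."""
    for i, (url, headers) in enumerate(requests):
        if not sso_blockers(url, headers):
            return i
    return None

# Constructed sample traffic from one workstation, in arrival order.
BROWSER = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}
SAMPLE = [
    ("https://mail.example.com/", BROWSER),
    ("http://updates.example.com/check?v=2", {"User-Agent": "UpdaterService/1.4"}),
    ("http://intranet.example.com/api/items",
     {**BROWSER, "X-Requested-With": "XMLHttpRequest"}),
    ("http://www.example.com/index.html", BROWSER),
    ("https://mail.example.com/inbox", BROWSER),
]

if __name__ == "__main__":
    idx = first_authenticable(SAMPLE)
    for i, (url, headers) in enumerate(SAMPLE):
        blockers = sso_blockers(url, headers)
        if not blockers:
            status = "can carry the SSO authentication"
        elif idx is not None and i > idx:
            status = "relies on the cached authentication (UTM >= 9.111)"
        else:
            status = "nothing cached yet"
        print(i, url, status, blockers)
```

A workstation whose captured traffic gives `None` here never sends a request that the article says can be authenticated, which is the first thing to rule out when users on it are not identified.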

UTM configuration

To use this feature, you must enable Web Filtering on the UTM.
Do the following:

1. In Web Admin, go to Web Protection > Web Filtering > Global.
2. To enable the Web Filter, toggle the Web Filtering status switch to green.
3. In the Allowed networks section, add your allowed networks.
4. Set the Operation mode: to Transparent Mode.
5. Set Default Authentication: to Active Directory SSO.
6. Click Apply to save the changes.

NOTE: SSO Authentication in Transparent Mode may fail due to an internal LAN resource (the UTM) being treated as a public URL. To resolve this issue, follow the steps in Browser configuration (Windows).

Browser configuration (Windows)

Internet Explorer (IE) and Chrome

1. In Internet Explorer, go to Internet Options > Security > Local intranet.
2. Click Sites.
3. Check the box for Automatically detect intranet network and then click Advanced.
4. Add the internal FQDN of the UTM in the Websites: section and then click Close.
5. Both IE and Chrome share the same network/proxy settings, therefore both should now be able to authenticate successfully through the HTTP Proxy with SSO.

Firefox

1. Open Firefox and in the URL address field type about:config.
2. Search for network.automatic.
3. Click the setting for network.automatic-ntlm-auth.trusted-uris.
   Enter the same FQDN for the UTM as listed in step 4 of the IE/Chrome browser configuration and then click OK.


Browser configuration (Mac)

NOTE: Mac (OS X) does not support NTLM authentication, only Kerberos.
Therefore, if you are using Mac (OS X) clients on your AD network and would like them to be authenticated with Single Sign On (SSO) in Transparent Mode through the proxy, your AD server must be configured for Kerberos authentication.

If a device trying to go through the proxy does not support Kerberos or NTLM, a browser window pops up for you to log in with your AD credentials.

Checking for Kerberos or NTLM Support

In the client proxy settings, make sure that the client is accessing the proxy via its FQDN hostname instead of via the IP address (hostname will try Kerberos first if supported, IP address will try NTLM).

The hostname configured in the client's proxy settings must exactly match the UTM's keytab entries, and is case-sensitive.
For example, if the client connects to the proxy using UTM.DOMAIN.LOCAL, but the UTM's keytab contains utm.domain.local, Kerberos will fail to authenticate.
There is no way to manually specify which authentication method to use, or force Kerberos.
You can only set up and allow the client to use both methods; the client decides which is used.
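
The hostname rules above as an added check (not Sophos code and not part of the original article): it compares the name configured on clients with the keytab's principals, case-sensitively, and flags IP literals. It assumes the keytab's principals are available as plain `klist -k` text and that the relevant entries use the `HTTP/` service class; the listing and function names are constructed for the example.

```python
import ipaddress

# Constructed listing in plain `klist -k` layout (KVNO, then principal).
SAMPLE_KLIST = """\
Keytab name: FILE:/tmp/constructed.keytab
KVNO Principal
---- ----------------------------------------
   3 HTTP/utm.domain.local@DOMAIN.LOCAL
   3 host/utm.domain.local@DOMAIN.LOCAL
"""

def keytab_hosts(klist_text, service="HTTP"):
    """Host names of <service>/<host>@REALM principals, case preserved."""
    hosts = set()
    for line in klist_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # header, column titles and separator lines
        name, _, _realm = fields[1].rpartition("@")
        svc, _, host = name.partition("/")
        if svc == service and host:
            hosts.add(host)
    return hosts

def check_proxy_name(proxy_host, hosts):
    """Classify the name a client uses to reach the proxy."""
    try:
        ipaddress.ip_address(proxy_host)
        return "IP address: client will try NTLM, not Kerberos"
    except ValueError:
        pass
    if proxy_host in hosts:
        return "match"
    folded = sorted(h for h in hosts if h.lower() == proxy_host.lower())
    if folded:
        return "case mismatch: keytab has " + folded[0]
    return "no keytab entry"

if __name__ == "__main__":
    hosts = keytab_hosts(SAMPLE_KLIST)
    for name in ("utm.domain.local", "UTM.DOMAIN.LOCAL", "192.0.2.10"):
        print(name, "->", check_proxy_name(name, hosts))
```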

Related information
Configuring HTTP/HTTPS proxy access with AD SSO with a Sophos UTM

Feedback and contact


If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.
This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
