120791 | 10 Jun 2016
Overview
This article outlines the configuration steps and requirements for using Active Directory (AD) and Single Sign On (SSO) in Transparent Mode.
What to do
Prerequisites
Limitations of AD SSO
UTM configuration
Browser configuration (Windows)
Internet Explorer and Chrome
Firefox
Browser configuration (Mac)
Related information
Feedback and contact
1 de 9 18/11/2017 18:46
How to configure Active Directory (AD) Single Sign On (SSO) in Transp... https://community.sophos.com/kb/en-us/120791
Sophos UTM
What to do
Prerequisites
Active Directory Authentication must be configured and functioning properly as an Authentication Service on the UTM.
See Sophos UTM v9.2 & AD Authentication.
All workstations/computers must be able to resolve the UTM's internal address, both by hostname (http://myutm) and FQDN (http://myutm.domain.local).
The Web Proxy in Transparent Mode with no authentication must work before configuring the authentication.
NOTE for UTM v9.200/9.201: When AD SSO in Transparent Mode is enabled on the UTM, the Web Application Firewall (WAF) will report the following error, since the two services are mutually exclusive:
Cannot enable Web Application Firewall when one or more Web Filter Profiles are using ActiveDirectory SSO in transparent mode.
This is because the UTM would have to listen on port 80 for both the WAF and a Transparent Mode proxy configuration, which is currently not supported. See Sophos UTM: Transparent AD SSO conflicts with WAF, User Portal or SSL VPN.
Limitations of AD SSO
You can authenticate only standard HTTP requests through the proxy when using AD/SSO in Transparent Mode.
SSO only works when your browser makes a standard (non-HTTPS) web request, and may not work for the applications and request types listed below:
HTTPS
Any URL with a parameter
AJAX requests
Any application that does not contain "Mozilla" in the User-Agent string (non-browser)
However, in UTM F/W >= 9.111, the proxy will use the last successful cached authentication for the same user when non-standard web requests (HTTPS) are made, or when a non-browser application makes a web request.
This feature prevents further authentication challenges from the proxy as long as there has been an initial (successful) standard HTTP request that was authenticated.
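The following is an added example, not code from Sophos or from this article: it models the eligibility rules above and the UTM >= 9.111 cache, so you can see why an HTTPS or non-browser request only gets a user attached after an earlier plain-HTTP request succeeded. Treating any X-Requested-With header as "AJAX" and keying the cache on client IP are assumptions made for the illustration.

```python
# Added example (not Sophos code): which transparent-mode requests can be
# challenged for AD SSO, and how the >= 9.111 cached-auth fallback behaves.
from urllib.parse import urlsplit

CACHE_ENABLED_FROM = (9, 111)  # firmware that reuses cached auth (per the article)


def is_standard_http_request(url, headers):
    """True only for a plain HTTP, parameter-free, browser (Mozilla UA) request.

    Anything else falls in the article's 'may not work' list. Treating any
    X-Requested-With header as an AJAX marker is an assumption for this example.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":        # HTTPS cannot be challenged
        return False
    if parts.query:                            # any URL with a parameter
        return False
    if "X-Requested-With" in headers:          # AJAX request (assumed marker)
        return False
    if "Mozilla" not in headers.get("User-Agent", ""):  # non-browser client
        return False
    return True


class TransparentSsoProxy:
    """Tracks the last successfully authenticated user per client address."""

    def __init__(self, firmware=(9, 111)):
        self.firmware = firmware
        self.last_user = {}  # client IP -> user from last successful SSO (assumed key)

    def handle(self, client_ip, url, headers, sso_result=None):
        """Return ('sso', user), ('cached', user) or ('unauthenticated', None).

        sso_result stands in for the NTLM/Kerberos exchange: the username it
        would yield for a standard request, or None if the exchange failed.
        """
        if is_standard_http_request(url, headers):
            if sso_result:
                self.last_user[client_ip] = sso_result
                return ("sso", sso_result)
            return ("unauthenticated", None)
        # Non-standard request: only the cache (>= 9.111) can supply a user.
        if self.firmware >= CACHE_ENABLED_FROM and client_ip in self.last_user:
            return ("cached", self.last_user[client_ip])
        return ("unauthenticated", None)
```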
UTM configuration
To use this feature, you must enable Web Filtering on the UTM.
Do the following:
NOTE: SSO authentication in Transparent Mode may fail because an internal LAN resource (the UTM) is treated as a public URL. To resolve this issue, follow the steps in Browser configuration (Windows).
Browser configuration (Windows)
Internet Explorer and Chrome
Check the box for Automatically detect intranet network and then click Advanced.
Add the internal FQDN of the UTM in the Websites: section and then click Close.
Both IE and Chrome share the same network/proxy settings, so both should now be able to authenticate successfully through the HTTP proxy with SSO.
Firefox
Browser configuration (Mac)
NOTE: Mac (OS X) does not support NTLM authentication, only Kerberos.
Therefore, if you are using Mac (OS X) clients on your AD network and would like them to be authenticated with Single Sign On (SSO) in Transparent Mode through the proxy, your AD server must be configured for Kerberos authentication.
If a device trying to go through the proxy supports neither Kerberos nor NTLM, a browser window pops up for you to log in with your AD credentials.
In the client proxy settings, make sure that the client is accessing the proxy via its FQDN hostname instead of via the IP address (a hostname will try Kerberos first if supported; an IP address will try NTLM).
The hostname configured in the client's proxy settings must exactly match the UTM's keytab entries, and the match is case-sensitive.
For example, if the client connects to the proxy using UTM.DOMAIN.LOCAL, but the UTM's keytab contains utm.domain.local, Kerberos will fail to authenticate.
There is no way to manually specify which authentication method to use, or to force Kerberos.
You can only set up and allow the client to use both methods; the client decides which one is used.
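As an added example (not Sophos code), the check below applies the rules from this section to a client's configured proxy address: an IP literal means the client will try NTLM, a hostname means Kerberos first, and the hostname must match a keytab principal exactly, case included. The keytab principal list is constructed for the example, and the `client_supports_ntlm` flag simply models the article's statement about OS X.

```python
# Added example (not Sophos code): validate a client's proxy address against
# the UTM keytab the way this section describes.
import ipaddress

# Constructed keytab principal list (HTTP/<host>@REALM form); the real UTM
# keytab contents are an assumption for this example.
KEYTAB_PRINCIPALS = [
    "HTTP/utm.domain.local@DOMAIN.LOCAL",
    "HTTP/utm@DOMAIN.LOCAL",
]


def keytab_hosts(principals):
    """Return the host part of every HTTP/<host>@REALM principal."""
    hosts = []
    for principal in principals:
        service, _, rest = principal.partition("/")
        host = rest.split("@", 1)[0]
        if service == "HTTP" and host:
            hosts.append(host)
    return hosts


def check_proxy_setting(proxy_host, principals, client_supports_ntlm=False):
    """Return (method, ok, reason) for the address the client uses for the proxy."""
    try:
        ipaddress.ip_address(proxy_host)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip:
        # An IP address makes the client try NTLM; OS X clients lack it (per the article).
        if client_supports_ntlm:
            return ("NTLM", True, "IP address: client will try NTLM")
        return ("NTLM", False, "IP address forces NTLM, which this client lacks; use the FQDN")
    hosts = keytab_hosts(principals)
    if proxy_host in hosts:  # exact, case-sensitive comparison
        return ("Kerberos", True, "hostname matches keytab entry HTTP/%s" % proxy_host)
    for host in hosts:
        if host.lower() == proxy_host.lower():
            # Same name, different case: Kerberos will fail, exactly as the article warns.
            return ("Kerberos", False,
                    "case mismatch: client uses %s but keytab has %s" % (proxy_host, host))
    return ("Kerberos", False, "no keytab entry for HTTP/%s" % proxy_host)
```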
Related information
Configuring HTTP/HTTPS proxy access with AD SSO with a Sophos UTM