Filter Profiles
If you want to apply different policy or authentication modes to multiple networks, you can create multiple filter profiles. For example, your wired network may contain only corporate computers that are joined to AD, so you would use Standard mode with an explicit proxy and AD SSO. Your wireless network may instead have a browser login portal where employees enter their AD credentials, as well as a guest login with limited access.
Profiles can be created on the Web Filter Profiles > Filter Profiles tab. When a web request is made, Sophos UTM looks at the source IP and applies the first profile that has a matching Allowed Network and Operation Mode. Traffic from transparent (intercepted) connections only matches profiles whose operation mode is set to Transparent. Traffic sent to the Web Filter by a client-side proxy configuration matches either Transparent or Standard mode profiles.
The Default Web Filter Profile is configured on the Web Protection > Web Filtering page. It is listed here to show that it is the last profile that will match. Once a profile is selected, Sophos UTM will perform authentication according to that profile and apply that profile's policy.
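The first-match rule just described, as an added example written for this page (not Sophos UTM code): a small Python model that walks an ordered profile list the way the text describes, with constructed sample profiles for the wired/wireless scenario above. The profile names, networks and the "explicit"/"transparent" request-kind labels are this example's own assumptions, as is treating "no profile matched" as "not handled by the Web Filter". The model goes beyond the page in one respect: it also reports profiles that an earlier, broader profile makes unreachable, which is the practical reason profile order matters, since a shadowed profile's authentication mode and policy never apply.

```python
"""Model of Sophos UTM web filter profile selection (added example, not Sophos code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

STANDARD = "standard"        # explicit proxy on TCP 8080
TRANSPARENT = "transparent"  # intercepted port 80/443 traffic

# Request kinds as the UTM sees them. These labels are the example's own.
EXPLICIT_REQUEST = "explicit"        # client has the Web Filter configured as its proxy
TRANSPARENT_REQUEST = "transparent"  # connection intercepted without client configuration


@dataclass
class FilterProfile:
    name: str
    operation_mode: str
    allowed_networks: List[str]   # CIDR strings, i.e. the Allowed Networks box
    auth_mode: str = "none"


def request_kinds_served(mode: str) -> set:
    """Transparent-mode profiles serve both intercepted and explicit-proxy traffic;
    standard-mode profiles serve only explicit-proxy traffic."""
    if mode == TRANSPARENT:
        return {EXPLICIT_REQUEST, TRANSPARENT_REQUEST}
    return {EXPLICIT_REQUEST}


def network_allows(profile: FilterProfile, src_ip: str) -> bool:
    """True if the source address falls inside one of the profile's allowed networks."""
    ip = ip_address(src_ip)
    return any(ip in ip_network(net) for net in profile.allowed_networks)


def select_profile(src_ip: str, request_kind: str,
                   profiles: List[FilterProfile]) -> Optional[FilterProfile]:
    """First-match walk over the ordered profile list. The list is expected to end with
    the Default Web Filter Profile. None means nothing (not even the default) allows
    this source for this request kind; the example treats that as 'not handled by the
    Web Filter' (an assumption, not something the page states)."""
    for profile in profiles:
        if (request_kind in request_kinds_served(profile.operation_mode)
                and network_allows(profile, src_ip)):
            return profile
    return None


def shadowed_profiles(profiles: List[FilterProfile]) -> List[str]:
    """Names of profiles that can never be selected because an earlier profile already
    covers every network they allow for every request kind they serve."""
    shadowed = []
    for i, later in enumerate(profiles):
        later_nets = [ip_network(n) for n in later.allowed_networks]
        for earlier in profiles[:i]:
            earlier_nets = [ip_network(n) for n in earlier.allowed_networks]
            covers_modes = (request_kinds_served(later.operation_mode)
                            <= request_kinds_served(earlier.operation_mode))
            covers_nets = all(
                any(ln.version == en.version and ln.subnet_of(en) for en in earlier_nets)
                for ln in later_nets)
            if covers_modes and covers_nets:
                shadowed.append(later.name)
                break
    return shadowed


# Constructed sample profiles mirroring the wired/wireless scenario in the text.
PROFILES = [
    FilterProfile("Wired corporate", STANDARD, ["10.1.0.0/16"], auth_mode="ad_sso"),
    FilterProfile("Wireless", TRANSPARENT, ["10.2.0.0/16"], auth_mode="browser"),
    FilterProfile("Default Web Filter Profile", TRANSPARENT, ["10.0.0.0/8"]),
]


if __name__ == "__main__":
    for ip, kind in [("10.1.5.5", EXPLICIT_REQUEST), ("10.1.5.5", TRANSPARENT_REQUEST),
                     ("10.2.7.7", EXPLICIT_REQUEST), ("192.168.1.1", EXPLICIT_REQUEST)]:
        chosen = select_profile(ip, kind, PROFILES)
        print(f"{ip:12} {kind:12} -> {chosen.name if chosen else 'no profile'}")
    print("shadowed (default last):", shadowed_profiles(PROFILES))
    print("shadowed (default moved first):", shadowed_profiles(PROFILES[2:] + PROFILES[:2]))
```

Note how a wired client whose proxy setting is missing (so its traffic arrives intercepted rather than explicit) falls through the Standard-mode profile to the transparent default, and therefore gets the default profile's authentication mode and policy rather than AD SSO. The shadowing check shows the opposite failure: moving the broad transparent profile ahead of the narrower ones makes both of them unreachable.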
To create a filter profile:
- Click the Plus icon on the upper right.
  The Add Profile wizard opens.
- Enter a Name and Comment.
- Select the allowed networks.
  Select the networks that should be allowed to use the Web Filter. By default, the Web Filter listens for client requests on TCP (Transmission Control Protocol) port 8080 and allows any client from the networks listed in the Allowed Networks box to connect.
- Select the allowed endpoint groups.
- Select the operation mode.
  Note that when you select an operation mode that requires user authentication, you must also select the users and groups that are allowed to use the Web Filter. The following modes of operation are available:
  - Standard mode: In standard mode, the Web Filter listens for client requests on port 8080 by default and allows any client from the networks listed in the Allowed Networks box to connect. When used in this mode, clients must have the Web Filter specified as HTTP proxy in their browser configuration.
    Select the default authentication mode:
    - None: Select to not use any authentication.
    - Active Directory SSO: This mode attempts to authenticate the user who is currently logged in to the computer as the user of the proxy (single sign-on). If the currently logged-in user is a valid AD user with permission to use the proxy, authentication occurs with no user interaction. You must have configured Active Directory Single Sign-On (SSO) on the Definitions & Users > Authentication Services > Servers tab. Clients can authenticate with NTLM or Kerberos.
    - Agent: Select to use the Sophos Authentication Agent (SAA). Users need to start the agent and authenticate in order to use the Web Filter. The agent can be downloaded from the User Portal. See: User Portal.
    - Apple OpenDirectory SSO: Select when you have configured LDAP on the Definitions & Users > Authentication Services > Servers tab and you are using Apple OpenDirectory. Additionally, you have to upload a Mac OS X Single Sign-On Kerberos keyfile on the Web Protection > Filtering Options > Misc tab for the proxy to work properly. When used in this mode, clients must have the Web Filter specified as HTTP proxy in their browser configuration. Note that the Safari browser does not support SSO.
    - Basic user authentication: In this mode, each client must authenticate itself against the proxy before using it. For more information on which authentication methods are supported, see Definitions & Users > Authentication Services. When used in this mode, clients must have the Web Filter specified as HTTP proxy in their browser configuration.
    - Browser: When selected, users are presented with a login dialog window in their browser to authenticate themselves with the Web Filter. This mode allows for username-based tracking, reporting, and surfing without client-side browser configuration. Moreover, you can enable a disclaimer that is additionally displayed in that dialog window and must be accepted by users before they can proceed. For more information on the disclaimer, see Management > Customization > Web Messages.
      Note – When using browser authentication, a pop-up is generated from passthrough.fw-notify.net. Users should ensure passthrough.fw-notify.net is exempt from their browser's pop-up blocker.
    - eDirectory SSO: Select when you have configured eDirectory on the Definitions & Users > Authentication Services > Servers tab.
      Note – For eDirectory Single Sign-On (SSO) mode, the Web Filter caches accessing IP addresses and credentials for up to fifteen minutes; for Apple OpenDirectory and Active Directory SSO it caches only the group information. This is done to reduce the load on the authentication servers. However, it also means that changes to users, groups, or the login status of accessing users may take up to fifteen minutes to be reflected by the Web Filter.
    If you chose an authentication mode that requires user authentication, select Block access on authentication failure to deny access to users that fail authentication.
  - Transparent mode: In transparent mode, all connections made by client browser applications on port 80 (and port 443 if SSL (Secure Sockets Layer) is used) are intercepted and redirected to the Web Filter without client-side configuration. The client is entirely unaware of the Web Filter server. The advantage of this mode is that for many installations no additional administration or client-side configuration is necessary. The disadvantage, however, is that only HTTP requests can be processed. Thus, when you select transparent mode, the client's proxy settings become ineffective.
    Note – In transparent mode, the Web Filter strips NTLM authentication headers from HTTP requests. Furthermore, the Web Filter cannot handle FTP (File Transfer Protocol) requests in this mode. If your clients need to access such services, you must open port 21 in the firewall. Note further that some web servers transmit some data, in particular streaming video and audio, over a port other than port 80. These requests will not be noticed when the Web Filter operates in transparent mode. To support such traffic, you must either use a different mode or add an explicit firewall rule allowing it.
    - None: Select to not use any authentication.
    - Active Directory SSO: This mode attempts to authenticate the user who is currently logged in to the computer as the user of the proxy (single sign-on). If the currently logged-in user is a valid AD user with permission to use the proxy, authentication occurs with no user interaction. You must have configured Active Directory Single Sign-On (SSO) on the Definitions & Users > Authentication Services > Servers tab. Clients can authenticate with NTLM (or Kerberos on Mac clients). For some environments, additional configuration is required on the endpoint. If you are having problems with SSO in transparent mode, please see the Sophos Knowledge Base.
      Note – When defining the Active Directory user group, we highly recommend adding the desired entries to the Active Directory groups box by manually entering the plain Active Directory group or user names instead of the LDAP strings. Example: Instead of the LDAP string CN=ads_group1,CN=Users,DC=example,DC=com, just enter the name ads_group1.
      Note – When using Kerberos, only add groups to the Active Directory groups box, as entries for users are not accepted by the Web Filter.
    - Agent: Select to use the Sophos Authentication Agent (SAA). Users need to start the agent and authenticate in order to use the Web Filter.
    - Browser: When selected, users are presented with a login dialog window in their browser to authenticate themselves with the Web Filter. This mode allows for username-based tracking, reporting, and surfing without client-side browser configuration. Moreover, you can enable a disclaimer that is additionally displayed in that dialog window and must be accepted by users before they can proceed. For more information on the disclaimer, see Management > Customization > Web Messages.
      Note – When using browser authentication, a pop-up is generated from passthrough.fw-notify.net. Users should ensure passthrough.fw-notify.net is exempt from their browser's pop-up blocker.
  - Full transparent (optional): Select to preserve the client source IP (Internet Protocol) address instead of replacing it with the gateway's IP. This is useful if your clients use public IP addresses that should not be disguised by the Web Filter. The option is only available when running in bridged mode.
    The available authentication modes for Full transparent are the same as for Transparent. See above.
  Cross Reference – For more information on configuring browser authentication in standard mode, see the Sophos Knowledge Base.
  When configured to use authentication, you have the option to Block access on authentication failure. If you use AD SSO and do not block access on failure, an SSO authentication failure allows unauthenticated access without prompting the user. If you use Browser authentication and do not block access on authentication failure, an additional Guest login link appears on the login page to allow unauthenticated access.
- Enable device-specific authentication.
  To configure authentication modes for specific devices, select the Enable device-specific authentication checkbox. Once enabled, you can click the green Plus icon to add device types and their associated authentication modes.
- Click Next, or select Policies from the top of the wizard.
- Review and create policies for your filter profile.
  To create a new policy, proceed as follows:
  - Click the Plus icon on the upper right.
    The Add Policy dialog is displayed.
  - Specify the following settings:
    Name: Enter a descriptive name for this policy.
    Users/Groups: Select the users or user groups that this policy will apply to. You can also create new users or groups. For how to add new users or groups, see Definitions & Users > Users & Groups > Users.
    Time event: The policy will be active for the time period you select. Choose Always to enable the policy at all times. You can also click the green Plus icon to create a new time event. Time period definitions are managed on the Definitions & Users > Time Period Definitions tab.
    Filter action: Select an existing filter action, which defines the types of web protection you want to apply in a policy. You can also click the green Plus icon to create a new filter action using the Filter Action Wizard. Filter actions can also be managed on the Web Filter Profiles > Filter Actions tab.
    Comment (optional): Add a description or other information.
    Advanced Settings:
    - Apply this policy to requests that have skipped authentication due to an exception: You can create exceptions on the Filtering Options > Exceptions tab, e.g. to skip authentication for automatic updates that cannot use authentication. Select this checkbox to apply this policy to web requests that have skipped authentication.
  - Click Save.
    The new policy appears at the top of the Policies list.
  - Enable the policy.
    The new policy is disabled by default (toggle switch is gray). Click the toggle switch to enable the policy. The policy is now enabled (toggle switch is green).
- Click Save.
  The new profile appears in the Filter Profiles list.
Important Note – When SSL scanning is enabled in combination with transparent mode, certain SSL connections are bound to fail, e.g. SSL VPN tunnels. To enable SSL VPN connections, add the respective target host to the Transparent Mode Skiplist (see Web Protection > Filtering Options > Misc). Furthermore, to access hosts with a self-signed certificate you need to create an exception for those hosts, selecting the option Certificate Trust Check. The proxy will then not check their certificates.
To either edit or delete a filter profile, click the name of the profile in the list.