Do you recognize a good idea when you see one? We want to hear from you!
Header Image

I suggest you ...

Authentication: Web Filter User-to-IP Mapping

We need the user's ip mapping. Once a user is authenticated against the http proxy, the user source ip should be mapped in the user's object, so that we can create policy per user

121 votes
Vote
Sign in
Check!
(thinking…)
Reset
or sign in with
  • facebook
  • google
    Password icon
    I agree to the terms of service
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    gabryel976gabryel976 shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

    11 comments

    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      I agree to the terms of service
      Signed in as (Sign out)
      Submitting...
      • BatzeBatze commented  ·   ·  Flag as inappropriate

        In addition to the Advanced Threat Protection we would like to know which user needs assistence with their virus/trojan problems.

      • Jaco FourieJaco Fourie commented  ·   ·  Flag as inappropriate

        It has been some time that this has been requested. We need this also ASAP. We need to be able to show who did what on the network not just the IP addresses. We use DHCP to hand out IP's, we have more than 4000 ip's so it is a huge mission to figure out who did what. If we can map the IP to the user based on the authentication at the UTM using any method not using the agent only as we have mobile phones as well as Linux desktops that can not use the agent. When will this feature be available ?

      • Martin HerbertMartin Herbert commented  ·   ·  Flag as inappropriate

        I need this feature too. We need to add snat to our users for access a special external network. Because we use dhcp, we need to edit our snat's after changing user workstations to hold the functionality. The webproxy of astaro reads the ip from the usersource/userdirectory (edir/ads). It would be very helpful to add this ip to the remotely authenticated user object.
        Thank you

      • Angelo ComazzettoAdminAngelo Comazzetto (Product Ninja, Sophos Features & Ideas Laboratory) commented  ·   ·  Flag as inappropriate

        Hi Gabryel. Note that isn't the same thing. In this case, the user request for this feature is to have the proxy authentication map over to a user object for other uses. We in 8.200 will map IP's to users if they make use of the Astaro Authentication Agent, but simply authing against the HTTP proxy won't trigger the same thing in the user object.

      • Marco FeuersteinMarco Feuerstein commented  ·   ·  Flag as inappropriate

        Okay we also need this feature.
        We want User-Based Paketfilter Rules instead of IP-based.
        So if Astaro would identify the user over the Proxy Function it would be awesome!

        Our workaround in the moment is a dial in via OpenVPN, also from inside of the network. So we can configure user-based policies for special needs.

      • MMMM commented  ·   ·  Flag as inappropriate

        it´s urgent needed like Cisco´s way to give users the ability for flexible useraccess to internal ressources.

      • gabryel976gabryel976 commented  ·   ·  Flag as inappropriate

        If you wanna configure a packet filter rule based on user and NOT ip address, there is NO chance to have it right now. Having a great authentication module, there are many customers with dozen of PCs that have NOT a fixed IP address configure on each PC, but only DHCP, that would like to allow whole internet traffic in based of who is surfing internet.

        Many competitors have this feature already, and in my opinion it's a key feature, since ASTARO is able to map in the middleware (so in the packet filter rules) the user's IP address is provided by the ASG, such ROAD WARRIOR IPSEC VPN with IKE config turned (IKE CONFING is a kind of DHCP over VPN) or SSL VPN. If you configure an STATIC IP address in a USER object, this ip address will be mapped in the middle once the IPSEC connetion will be triggered. At the same time, would be very useful and confortable to have the same thing when a user authenticates himself agaist the HTTP PROXY, since the HTTP PROXY knows user and IP address is trying to estabilish a connection with it.

      • Bob AlfsonBob Alfson commented  ·   ·  Flag as inappropriate

        What problem are you trying to address? How is this different from existing functionality?

      Feedback and Knowledge Base