Web Security: Transparent Proxy with Transparent Authentication (SSO)

There is now a transparent proxy, but to have authentication requires a manual login screen for users - which is far from transparent.

A transparent proxy with SSO is almost essential, I would say.

194 votes
    Burgess Hill School shared this idea
    Stephen W shared a merged idea: Web Security and ADS SSO - Need AD User control without the need of a Pac File or Proxy
    Olusina Daramola shared a merged idea: TRANSPARENT WITH SSO

    22 comments

      • Alex Luongo commented

        So, it's 2014 and no UTM 9.2. I am on 9.108-23 now. Still waiting for this great tiny feature.

      • Anonymous commented

        Proxy is dead. There are way too many products, applications, protocols, which are proxy unaware. We desperately need Sophos UTMs to support transparent authentication against active directory and over encrypted protocol.

      • Scott commented

        This would be a great feature! I like the transparent mode, to allow devices access to the internet that are not active directory, but they still get filtered. However, my AD devices I wish I could report on them by user!

      • DMG commented

        It is simple to solve this, just an agent installed on the Active Directory monitoring user authentication and passing it to the appliance in a readable format. But for Sophos / Astaro, this feature does not seem to be important, especially for customers with large parking stations and systems.

      • Anonymous commented

        Used to work with server AD auth on fortigate, can't believe that a great product like astaro doesn't have this feature.

      • DMG commented

        Sonicwall, Fortinet, Watchguard ... all have this feature, with agent installed directly in Active Directory ... Sophos will even backwards? This feature would be very welcome in version 9.1 ....

      • Bob Alfson commented

        Two years ago, Christian asked if there was a competing product with this capability. Bluecoat does it, and their approach is widely documented, so it appears to be something that Sophos should do with the UTM.

      • Erik Waibel commented

        The new generation of mobile devices do not work with standard mode. We have recently had an influx of Apple IOS devices (iPads, iPhones, iPods), and these devices with IOS 5 and up DO NOT cooperate at all with proxy settings. While Apple did provide an OS level proxy setting, MANY (and I mean probably the majority) of the apps DO NOT heed this proxy setting and will attempt to communicate over the standard web port 80. This makes standard mode useless for these devices. I have heard (but have no firsthand experience) that Android OS devices behave in a similar fashion.

        Placing the ASG in transparent mode allows them to access the internet, but results in the loss of user based logging capabilities unless authenticated. The problem is, of the two current transparent mode methods only one works with IOS and it is lacking. Since there is no Astaro client for IOS, we are left with the browser-based pop-up with a "countdown timer". The countdown timer is impractical for use in a K-12 school district.

        At the very least an Astaro client app for IOS would be a big improvement.

      • Hescominsoon commented

        There is an agent available for transparent authentication with astaro 8. As far as transparent SSO care to post some screenies as well as logs of said transparent SSO authentication taking place?

      • Daniel Gurgel commented

        Sonicwall also has an agent for communication between the AD Server and Appliance, maybe this feature facilitates the configuration of a general ... Captive Portal Authentication (Wireless) version 9 could also have this support

      • Daniel Gurgel commented

        At least for Active Directory, this is a feature that can not miss in version 9. Unacceptable ... PAC configuration is not a practical solution and has several limitations as to use.

        This feature is really useful and the team needs to rethink and use the new version 9 of the ASG.

      • Dan commented

        I agree, this will be the reason that we go away from it. All of the other options we are looking at have a full transparent SSO authentication feature.

      • KSavitz commented

        Yeah, I think this is a great idea!!! I had a barracuda and replaced it with an Astaro unit. The only thing I miss about the Barracuda is the AD agent.

        IMHO the AAA in 8.200 isn't as elegant as the Barracuda AD agent solution.

        AFAICT the Barracuda Agent scans the Security event log for login and logout events and forwards the username and IP address information to the Barracuda unit when someone logs in or out.

        Implementing this for Astaro should be a piece of cake. There are a couple free open source windows log monitor and forwarding agents out there like snare. 90 percent of the work is done, all that's left is filter just the login and logout events in the security log and forward them to the astaro. To make it as simple as possible the agent could maintain a txt file of all the currently logged in users and their IP addresses and scp that txt file to the astaro when it changes or when an admin forces an update on the agent from the AD server.
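
The agent design described in the comment above, sketched as an added example (not part of the thread, and not Sophos, Astaro or Barracuda code): it replays logon and logoff events and keeps the IP-to-user table the comment proposes. It assumes events already exported as dicts; the event IDs 4624/4634 and the field names `TargetUserName`, `IpAddress` and `TargetLogonId` are from the Windows Security log, while the function names, the 10-hour TTL and the sample events are constructed.

```python
from datetime import datetime, timedelta

LOGON, LOGOFF = 4624, 4634           # Windows Security log event IDs
IGNORED_IPS = {"", "-", "127.0.0.1", "::1"}

def build_ip_user_map(events, now, ttl=timedelta(hours=10)):
    """Replay logon/logoff events and return {ip: user} for live sessions."""
    sessions = {}                    # TargetLogonId -> (ip, user, logon time)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] == LOGON:
            user, ip = e["TargetUserName"], e["IpAddress"]
            # Machine accounts end in "$"; local logons carry no usable address.
            if user.endswith("$") or ip in IGNORED_IPS:
                continue
            sessions[e["TargetLogonId"]] = (ip, user, e["time"])
        elif e["id"] == LOGOFF:
            # 4634 has no IpAddress field, so match on the logon ID instead.
            sessions.pop(e["TargetLogonId"], None)
    mapping = {}
    for ip, user, when in sorted(sessions.values(), key=lambda s: s[2]):
        if now - when <= ttl:        # drop stale sessions with no logoff seen
            mapping[ip] = user       # most recent logon on an IP wins
    return mapping

def render_table(mapping):
    """Text file suggested in the comment: one 'ip user' pair per line."""
    return "".join(f"{ip} {user}\n" for ip, user in sorted(mapping.items()))

T0 = datetime(2024, 1, 8, 8, 0)      # constructed reference time

def ev(eid, minutes, logon_id, user="", ip="-"):
    return {"id": eid, "time": T0 + timedelta(minutes=minutes),
            "TargetLogonId": logon_id, "TargetUserName": user, "IpAddress": ip}

SAMPLE_EVENTS = [                    # constructed sample data
    ev(LOGON, 0, "0x1a", "alice", "10.0.0.21"),
    ev(LOGON, 1, "0x1b", "WS21$", "10.0.0.21"),       # machine account
    ev(LOGON, 5, "0x1c", "bob", "10.0.0.22"),
    ev(LOGON, 30, "0x1d", "frank", "10.0.0.23"),
    ev(LOGOFF, 60, "0x1c"),                           # bob logs off
    ev(LOGON, 120, "0x1e", "carol", "10.0.0.21"),     # same IP as alice
    ev(LOGON, -2880, "0x1f", "dave", "10.0.0.30"),    # two days old, no logoff
    ev(LOGON, 10, "0x20", "erin", "-"),               # no source address
]

if __name__ == "__main__":
    print(render_table(build_ip_user_map(SAMPLE_EVENTS, T0 + timedelta(hours=3))), end="")
```

The "most recent logon wins" rule is where this design is weakest: on a terminal server or behind NAT several users share one address, so traffic is attributed to whoever logged on last.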

      • Bob Alfson commented

        Interesting... I didn't see how they could do it, but the answer really was simple. Barracuda sells an "agent" that installs on the AD server. When a user signs on to the domain, the agent informs the Barracuda. Voilà - SSO!

        Now, there will be some organizations that won't allow adding such an agent, but, still, this should be a simple, elegant way to improve the functionality of Astaro.

        Great idea, Stephen!

        Cheers - Bob

      • Stephen W commented

        Barracuda's Web Filter has a single sign-on while in transparent mode. It requires an agent on the AD Servers to verify User Logon and IP.

        Web Security seems to be lacking. The current Active Directory SSO has flaws and doesn't always work correctly. I always end up having to switch back to Transparent Mode in order to make the client happy with the product.
