Web Security: Transparent Proxy with Transparent Authentication (SSO)
There is now a transparent proxy, but to have authentication requires a manual login screen for users - which is far from transparent.
A transparent proxy with SSO is almost essential, I would say.
TRANSPARENT WITH SSO (you would notice that there is an option of TRANSPARENT WITH AUTHENTICATION which requires users to logon), I will appreciate it if Astaro could add another option of TRANSPARENT WITH SSO. TRANSPARENT alone is good but does not capture user name but only IP addresses.
This is scheduled for our UTM 9.2 release later in 2013. Stay Tuned!
This would be a great feature! I like the transparent mode, to allow devices access to the internet that are not active directory, but they still get filtered. However, my AD devices I wish I could report on them by user!
It is simple to solve this, just an agent installed on the Active Directory monitoring user authentication and passing it to the appliance in a readable format. But for Sophos / Astaro, this feature does not seem to be important, especially for customers with large parking stations and systems.
Used to work with server AD auth on FortiGate, can't believe that a great product like Astaro doesn't have this feature.
Sonicwall, Fortinet, Watchguard ... all have this feature, with agent installed directly in Active Directory ... Sophos will even backwards? This feature would be very welcome in version 9.1 ....
Any news on this subject?
Bob Alfson commented
Two years ago, Christian asked if there was a competing product with this capability. Bluecoat does it, and their approach is widely documented, so it appears to be something that Sophos should do with the UTM.
Erik Waibel commented
The new generation of mobile devices do not work with standard mode. We have recently had an influx of Apple iOS devices (iPads, iPhones, iPods), and these devices with iOS 5 and up DO NOT cooperate at all with proxy settings. While Apple did provide an OS level proxy setting, MANY (and I mean probably the majority) of the apps DO NOT heed this proxy setting and will attempt to communicate over the standard web port 80. This makes standard mode useless for these devices. I have heard (but have no firsthand experience) that Android OS devices behave in a similar fashion.
Placing the ASG in transparent mode allows them to access the internet, but results in the loss of user based logging capabilities unless authenticated. The problem is, of the two current transparent mode methods only one works with iOS and it is lacking. Since there is no Astaro client for iOS, we are left with the browser-based pop-up with a "countdown timer". The countdown timer is impractical for use in a K-12 school district.
At the very least an Astaro client app for iOS would be a big improvement.
There is an agent available for transparent authentication with Astaro 8. As far as transparent SSO, care to post some screenies as well as logs of said transparent SSO authentication taking place?
Daniel Gurgel commented
Sonicwall also has an agent for communication between the AD Server and Appliance, maybe this feature facilitates the configuration of a general ... Captive Portal Authentication (Wireless) version 9 could also have this support
Daniel Gurgel commented
At least for Active Directory, this is a feature that can not miss in version 9. Unacceptable ... PAC configuration is not a practical solution and has several limitations as to use.
This feature is really useful and the team needs to rethink and use the new version 9 of the ASG.
krell hunter commented
As a Web Filter this should absolutely be added to the feature list.
I agree, this will be the reason that we go away from it. All of the other options we are looking at have a full transparent SSO authentication feature.
Yeah, I think this is a great idea!!! I had a Barracuda and replaced it with an Astaro unit. The only thing I miss about the Barracuda is the AD agent.
IMHO the AAA in 8.200 isn't as elegant as the Barracuda AD agent solution.
AFAICT the Barracuda Agent scans the Security event log for login and logout events and forwards the username and IP address information to the Barracuda unit when some one logs in or out.
Implementing this for Astaro should be a piece of cake. There are a couple free open source Windows log monitor and forwarding agents out there like Snare. 90 percent of the work is done, all that's left is filter just the login and logout events in the security log and forward them to the Astaro. To make it as simple as possible the agent could maintain a txt file of all the currently logged in users and their IP addresses and scp that txt file to the Astaro when it changes or when an admin forces an update on the agent from the AD server.
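The agent logic described in the comment above, sketched as an added example that is not part of the original post and is not Astaro's, Barracuda's or Snare's code. It assumes events have already been parsed into dicts using the field names of Windows Security events 4624 (logon) and 4634 (logoff); the `SessionTable` class, the accepted logon types and the sample events are constructed for illustration. It shows two details the prose skips: the logoff event carries no IP address, and an IP shared by several users cannot be attributed to one of them.

```python
from dataclasses import dataclass, field

LOGON, LOGOFF = 4624, 4634         # Windows Security event IDs
USER_LOGON_TYPES = {2, 3, 10, 11}  # assumption: interactive, network, RDP, cached

@dataclass
class SessionTable:
    by_logon_id: dict = field(default_factory=dict)  # LogonId -> ip
    by_ip: dict = field(default_factory=dict)        # ip -> {LogonId: user}

    def apply(self, ev):
        """Update the table from one event; return True if the map changed."""
        lid = ev["TargetLogonId"]
        if ev["EventID"] == LOGON:
            user, ip = ev["TargetUserName"], ev["IpAddress"]
            # Skip service logons, machine accounts ("HOST$") and local sources.
            if (ev["LogonType"] not in USER_LOGON_TYPES or user.endswith("$")
                    or ip in ("-", "", "127.0.0.1", "::1")):
                return False
            self.by_logon_id[lid] = ip
            self.by_ip.setdefault(ip, {})[lid] = f'{ev["TargetDomainName"]}\\{user}'
            return True
        if ev["EventID"] == LOGOFF and lid in self.by_logon_id:
            # 4634 has no IpAddress field, so correlate on the logon ID instead.
            ip = self.by_logon_id.pop(lid)
            del self.by_ip[ip][lid]
            if not self.by_ip[ip]:
                del self.by_ip[ip]
            return True
        return False

    def user_for(self, ip):
        """Return the single user behind an IP; None if unknown or ambiguous."""
        users = set(self.by_ip.get(ip, {}).values())
        return users.pop() if len(users) == 1 else None

def _ev(eid, lid, user, ip="-", ltype=3):
    return {"EventID": eid, "TargetLogonId": lid, "TargetUserName": user,
            "TargetDomainName": "CORP", "IpAddress": ip, "LogonType": ltype}

SAMPLE_EVENTS = [  # constructed for this example
    _ev(4624, "0x1a", "alice", "10.0.0.21"),
    _ev(4624, "0x1b", "WS21$", "10.0.0.21"),      # machine account: ignored
    _ev(4624, "0x2a", "bob", "10.0.0.50", 10),    # RDP to a shared host
    _ev(4624, "0x2b", "carol", "10.0.0.50", 10),  # second user on the same IP
    _ev(4634, "0x2a", "bob"),                     # logoff carries no IP
]

def replay(events):
    table = SessionTable()
    return table, [table.apply(e) for e in events]
```

Only when `apply` returns True does the agent need to push an updated map to the appliance, and a filter consuming the map should treat a `None` from `user_for` as unauthenticated rather than guess.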
Marco Wolf commented
With 8.200 comes the AAA (Astaro Authentication Agent) which will achieve this goal.
Stephen W commented
Barracuda's Web Filter has a single sign-on while in transparent mode. It requires an agent on the AD Servers to verify User Logon and IP.
Web Security seems to be lacking. The current Active Directory SSO has flaws and doesn't always work correctly. I always end up having to switch back to Transparent Mode in order to make the client happy with the product.
This is technically not so easy to achieve. Are there competitor products who offer this functionality or is this just "wishful thinking"?
Besides, where should the user name information come from? What environment are you specifically talking about (AD, eDirectory, nothing at all)?
Olusina Daramola commented
The reasons for the above are for users' benefit and for the benefit of Astaro so as to make it a strong but complete box that provides unparalleled features when compared with other similar tools.