RESET Forums (homeservershow.com)

Building an Active Directory infrastructure integrated with Sophos UTM and Web Filtering


mattb75

Hi all

I've been playing with the free Sophos UTM, Windows Server products (W2K12R2 and the Server '10' preview), and wireless RADIUS services within WHS2011 in various different configurations for a while now and think it's time to try and join it all together!

I'd like to have the devices in the house connect to the wireless network using their AD credentials (my access points support WPA2 Enterprise), then have those credentials authenticate on the UTM so that all web traffic is attributed to a connected user, rather than just a device.

I may also enable HTTPS decrypt and scan to improve the data logs captured within UTM, but only if it is simple to deploy (i.e. I don't have to manually deploy a certificate onto visitors' devices as they connect; perhaps I also need to consider a separate wireless network for them, though?).

Reading through the various posts it sounds like some of you may have done something similar already, and if so, do you have any tips and guides on the best way to approach this?

Thanks in advance

Matt

Drashna Jaelre

Are you using Windows Server Essentials at all? Or the Essentials Experience role?

Or the Active Directory Certificate Services (I'm not sure if that's installed or not by default on a non-Essentials Domain Controller... sorry).

If you are... then the PDC/Essentials is a certificate authority, and its CA certificate is already trusted by the domain clients. All you have to do is import the CA certificate into Sophos. All the domain clients will automatically trust the CA, and you're set. Nothing else you need to do (other than for mobile devices... or just import it into non-domain-joined clients).

I've covered this in my personal blog, but since I'm using Essentials... it may be a bit different for you.

https://drashna.net/blog/2015/03/an-exercise-in-frustration-setting-up-web-filter-certificates-in-sophos-utm/

I also cover importing the CA cert into the clients, as well.
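An added example (not from this thread, Drashna's blog, or Sophos/Microsoft documentation) of the two steps above on a domain-joined Windows machine: export the root CA certificate that AD CS already places in every domain client's Trusted Root store as PEM for import into the UTM, then, once HTTPS decrypt and scan is on, confirm that a public site now presents a certificate issued by that CA rather than by its public CA. `$CaName`, the output path and the host checked are placeholders.

```powershell
# Added example, not the thread's own code. Assumptions: run on a domain-joined
# Windows machine; $CaName is a placeholder for your CA's subject CN.
$CaName  = "CONTOSO-Essentials-CA"                   # placeholder
$PemPath = Join-Path $env:TEMP "root-ca.pem"         # placeholder output path

function Export-RootCaPem {
    param([string]$Cn, [string]$Path)
    # Only self-signed entries (Subject equals Issuer) are roots; if the CA has been
    # renewed there may be several, so take the one with the latest expiry.
    $ca = Get-ChildItem Cert:\LocalMachine\Root |
          Where-Object { $_.Subject -like "CN=$Cn*" -and $_.Subject -eq $_.Issuer } |
          Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $ca) { throw "No root CA with CN '$Cn' in Cert:\LocalMachine\Root" }

    # Public certificate only (no private key leaves the CA), DER wrapped as PEM,
    # which is the form the UTM's certificate import expects.
    $der = $ca.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = [Convert]::ToBase64String($der, 'InsertLineBreaks')
    Set-Content -Path $Path -Encoding Ascii `
        -Value "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"
    return $ca.Thumbprint
}

function Get-LeafIssuer {
    param([string]$HostName)
    # Open a TLS session and report who issued the certificate the client actually
    # received. With decrypt and scan active this is the UTM's CA, not the site's.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    # Validation callback always returns $true: we only want to inspect the cert here.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        return $ssl.RemoteCertificate.Issuer
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }
}

$thumb = Export-RootCaPem -Cn $CaName -Path $PemPath
Write-Host "Exported root CA $thumb to $PemPath; import it into the UTM's HTTPS CA list."
# Placeholder host: after enabling decrypt and scan, the issuer should name your CA.
Write-Host ("Issuer seen for www.example.com: " + (Get-LeafIssuer -HostName 'www.example.com'))
```

If the issuer reported is still the site's public CA, the request is bypassing the proxy (an exception, a non-proxied port, or a device not on the filtered network) rather than a certificate problem.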

mattb75

Hi Drashna

Thanks for replying so quickly!!

I've installed the Essentials Role and exported the CA cert into the Sophos certificates and that all works fine; thanks for the detailed guide!

One issue I have is that when I then try to access the UTM through the proxy it won't connect, but all other websites work (with the HTTPS decrypt and scan feature working like a dream). I suspect I need to change another configuration, as presumably it's blocking access to websites not on a standard web browsing port?

Are you using the UTM as your DHCP / DNS server, or are you using your Essentials server for this task, and if so, what are the benefits / cons of each approach? I'd previously used my WHS2011 server as the DHCP / DNS server and whilst it worked OK for allocating IP ranges, I could never get it to automatically update the DNS records to enable connections via the machine names rather than IPs. Sophos seems to do this much better, and it would seem having Sophos know the machine details for DHCP also means all the machines are set up for any bespoke exceptions I need to create for Web Filtering or the Firewalls (e.g. all the Apple products getting access to iCloud, kids' machines getting access to Origin / EA servers)!

Also, have you got your home system set up so that everyone uses a Domain account for all their devices (including mobile) to get onto the network, and if so what challenges have you faced? The wife and kids having to type in a set of credentials on their iDevices each time they connect to the network isn't going to get much support!!!

Drashna Jaelre

You're very welcome. :)

And enjoy the Essentials role. It is very nice to have.

As for the proxy stuff, I'm not sure. It depends on the configuration exactly.
If it is an external proxy server, then yeah, Sophos blocks all the outgoing communication except on EXPLICITLY DEFINED ports. I do mention that in my blog, but basically, if you add a rule to allow all internal traffic (e.g. source: Internal (network), port: any, destination: any), it should allow Sophos to function more like a normal router.

And Sophos is running as my DHCP server, but the rest is "complicated".

Specifically, it hands out the PDC as the primary DNS. However, my PDC is forwarding DNS requests to Sophos (to ensure that the IP resolution works properly for the web filtering pages).

As for adding DNS records, add network definitions. Make sure you include the DNS name and IP address. You can also set the MAC address, and this will add a reservation for that IP address as well.

And yes, everyone is on the domain. However, since everyone has their own device, it is the default one selected. So it's not a big deal.

As for mobile devices, nope. It does require importing the CA certificate to work properly on the wifi, which means that you need to have some sort of secure lock method (PIN code, passcode, etc.).

xbliss

You're very welcome. :)

And enjoy the Essentials role. It is very nice to have.

As for the proxy stuff, I'm not sure. It depends on the configuration exactly.

If it is an external proxy server, then yeah, Sophos blocks all the outgoing communication except on EXPLICITLY DEFINED ports. I do mention that in my blog, but basically, if you add a rule to allow all internal traffic (e.g. source: Internal (network), port: any, destination: any), it should allow Sophos to function more like a normal router.

And Sophos is running as my DHCP server, but the rest is "complicated".

Specifically, it hands out the PDC as the primary DNS. However, my PDC is forwarding DNS requests to Sophos (to ensure that the IP resolution works properly for the web filtering pages).

As for adding DNS records, add network definitions. Make sure you include the DNS name and IP address. You can also set the MAC address, and this will add a reservation for that IP address as well.

And yes, everyone is on the domain. However, since everyone has their own device, it is the default one selected. So it's not a big deal.

As for mobile devices, nope. It does require importing the CA certificate to work properly on the wifi, which means that you need to have some sort of secure lock method (PIN code, passcode, etc.).

Thanks for the above insights. I am in the process of doing something similar and will ping this thread with specifics that are maybe different or similar.
