Junior Member
Join Date: Feb 2006
Location: Westminster, CO
Posts: 13
#1, 09-16-2010, 07:24 PM
Best Home Configuration

I have an ASG home license with 4 laptops, 4 iDevices, and a few other devices. In the past, I've set up a basic transparent proxy and some basic web filter rules. Then I added my laptop and my wife's to the "adult" group using a statically assigned IP based on our MAC addresses. This worked pretty well for quite some time, and then the firewall PC melted.

I got an old PC from work and loaded ASG and restored the ASG configuration from a backup, but nothing worked. No traffic whatsoever. When I use a fresh install, everything works great. It looks like I'll have to reconfigure everything.

My question is... What is the best home configuration? Is there a simple way to authenticate users to the firewall so I don't have to use MAC addresses? I don't have an AD server (all mac & linux), or an LDAP server. It has to be easy, as my wife is not tech savvy. It also has to be fairly transparent because we use our laptops both at work and home.

Thanks for any advice.
Moderator
Join Date: Jul 2001
Location: southern California
Posts: 12,052
#2, 09-16-2010, 08:56 PM

Hi, did the new machine have at least the same # of NICs as the old configuration?

Are you sure you got the NICs in the right order after the import?

Yes, I believe you can authenticate users by adding them in Astaro's 'Users' section, and configuring the proxy to authenticate, but it's been a long time since I've done it so perhaps someone could explain better.
It's probably in the manual too.

Barry
__________________
http://BlogSec.net
http://JobOyster.com
http://DealBert.net
IT Consultant specializing in high-performance Web Infrastructure and Security.
Astaro End-user since v1.x
  • ASL 9.2x, HP DL360G5 - FW, IPS, VPNs
  • ASL 9.2x, 2 Dell 1950's as WAF/proxy w HA
  • UTM 9.1x, Atom n270, 2GB RAM, 2 Intel GigE
    Netgear GS108T gigE switch & Astaro AP30 Access Point with 4 VLANs.
    60/60mbit FiOS internet.
  • Pending - UTM 9.2x, i5-4670, 4GB RAM, 2 Intel GigE
    Needs new NIC drivers before deploying
jetkins
Senior Member
Join Date: Aug 2007
Location: Austin, TX
Posts: 444
#3, 09-30-2010, 04:17 PM

Quote:
Originally Posted by tvuolo View Post
Is there a simple way to authenticate users to the firewall so I don't have to use MAC addresses? I don't have an AD server (all mac & linux), or an LDAP server. It has to be easy, as my wife is not tech savvy. It also has to be fairly transparent because we use our laptops both at work and home.
As Barry says, you can add local user accounts on the Astaro without needing an external authentication server.

You can then allow specific users the ability to override the web proxy filter by adding them to the "Users/Groups allowed to bypass blocking" list at the bottom of Web Security --> HTTP/S --> URL Filtering
__________________
UTM9 home license on a Core2 Duo E6700 / 4GB RAM / On-board Broadcom, Intel PRO/1000 GT, and Intel PRO/1000 MT Gbit NICs
jetkins
Senior Member
Join Date: Aug 2007
Location: Austin, TX
Posts: 444
#4, 10-01-2010, 06:45 PM

I just tried this, and while it works, it's very tedious because the user is prompted to authenticate and provide a reason for every blocked page; there is no persistence of authentication.

I also tried adding an exception rule to skip URL checking for specified users/groups, but got the same result. I tried logging in to the user portal, then retried a blocked site - same result.

Is this working as designed? It seems broken - if you have specified that a particular user should skip the URL checks, then it shouldn't be prompting for a password every time because it shouldn't be checking the URL.
BAlfson
Grandis Professorem Astaro
Join Date: Mar 2007
Location: Oklahoma City
Posts: 20,320
#5, 10-01-2010, 09:54 PM

Jetkins, watch the HTTP Live Log to see if the user is being identified - I bet it shows user="" and just the IP.

Tvuolo, you can use the Proxy in "Transparent with authentication" mode. On the 'Advanced' tab, you can change the 'Authentication timeout' from the standard 900 seconds to a longer time if desired.

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
SCA/UTM - Sophos Gold Solution Partner
www.MediaSoftUSA.com
Addicted to my iPhone!
jetkins
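Bob's diagnostic above (check the HTTP Live Log for user="" versus a user name) can be applied to saved log lines as well. The script below is an added example, not code from this thread or from Astaro/Sophos: it parses constructed sample lines written in the key="value" style of the UTM HTTP proxy log and reports, per client IP, how many requests were passed through with an empty user field and which user names the proxy did attach. The only field the thread itself mentions is user=""; the other field names (srcip, sub, action, url) and the line prefix are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines (made up for this example, not captured from a real
# appliance) in the key="value" style the UTM HTTP proxy log uses. Field names
# other than user="" are assumptions.
SAMPLE_LOG = """\
2010:10:01-21:50:12 astaro httpproxy[2104]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.20" user="" url="http://example.com/"
2010:10:01-21:50:15 astaro httpproxy[2104]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="blocked" method="GET" srcip="192.168.1.20" user="" url="http://blocked.example/"
2010:10:01-21:51:03 astaro httpproxy[2104]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.21" user="jetkins" url="http://example.org/"
2010:10:01-21:51:09 astaro httpproxy[2104]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.21" user="jetkins" url="http://example.net/"
"""

# One key="value" pair; the value may be empty, which is exactly the case
# Bob says to look for (user="").
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one log line into a dict of its key="value" fields."""
    return dict(KV_RE.findall(line))


def auth_summary(log_text):
    """Group proxy requests by client IP and record whether the proxy
    attached a user name to them.

    Returns {srcip: {"anonymous": n, "users": {name: count}}}.
    """
    summary = defaultdict(lambda: {"anonymous": 0, "users": defaultdict(int)})
    for raw in log_text.splitlines():
        fields = parse_line(raw)
        if fields.get("sub") != "http" or "srcip" not in fields:
            continue  # not a proxy access line
        entry = summary[fields["srcip"]]
        user = fields.get("user", "")
        if user == "":
            entry["anonymous"] += 1
        else:
            entry["users"][user] += 1
    # Plain dicts are easier to print and compare than nested defaultdicts
    return {ip: {"anonymous": e["anonymous"], "users": dict(e["users"])}
            for ip, e in summary.items()}


def unidentified_clients(log_text):
    """Client IPs whose every request carried user="" - the symptom in this
    thread: a per-user bypass rule cannot match when no user is identified."""
    return sorted(ip for ip, e in auth_summary(log_text).items()
                  if e["anonymous"] > 0 and not e["users"])


if __name__ == "__main__":
    for ip, e in auth_summary(SAMPLE_LOG).items():
        print(ip, "anonymous requests:", e["anonymous"], "users:", e["users"])
    print("clients never identified:", unidentified_clients(SAMPLE_LOG))
```

A client that shows up only in the "never identified" list is one the proxy treats purely by IP, which is why a rule keyed on a user or group never applies to it; in plain Transparent mode that is the expected result, and switching to "Transparent with authentication" is what makes the user field fill in.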
Senior Member
Join Date: Aug 2007
Location: Austin, TX
Posts: 444
#6, 10-04-2010, 06:11 PM

Quote:
Originally Posted by BAlfson View Post
Jetkins, Watch the HTTP Live Log to see if the user is being identified - I bet it shows user="" and just the IP.
You're absolutely right, Bob. Weird thing is it shows user="" even when I access the User Portal where I have a persistent cookie that allows me access without being prompted to authenticate.

Am I doing something wrong here? How else does one authenticate to the proxy prior to requesting a page? If the user portal can recognize my persistent cookie, why can't the proxy? I'm running in Transparent mode, if that makes a difference.
jetkins
Senior Member
Join Date: Aug 2007
Location: Austin, TX
Posts: 444
#7, 10-04-2010, 06:23 PM

Quote:
Originally Posted by jetkins View Post
I'm running in Transparent mode, if that makes a difference.
So I guess I just answered my own question - in order to allow authentication, I would have to run in Transparent with Authentication mode. Duh.