7 Replies Latest reply on Feb 3, 2010 5:56 AM by ed1

    using Domain Users instead of Local User on SG720?

      Is there a way to authenticate as Domain Users on the SG720? If there is, I found no way.

       

      I ask because we already have a Windows Server Domain in place, and it would be good to monitor web filtering and know which domain users are browsing where when using the Firewall Reporter.

       

      If not I will need to look for another solution for that. Thanks!

        • 1. Re: using Domain Users instead of Local User on SG720?

          Authentication for Internet Access? Or VPN access?

          • 2. Re: using Domain Users instead of Local User on SG720?
            PhilM

            As Ross mentioned, the intended use may have an influence.

             

            However, you could consider installing the Internet Authentication Service (IAS) to either the domain controller or a member of the domain and this will then provide you with a RADIUS interface to your domain user accounts. As long as the element you are trying to use within your SG720 supports the idea of using RADIUS then you should then be able to hand-off the authentication request to IAS and, ultimately, the domain controller.

             

            *edit*

             

            There is also a Domain tab present in the Users menu based on what I am looking at on my 4.0.2 SG565 appliance, which would actually support the fact that native domain authentication is possible - even without a RADIUS link. Looking at the manual (p337) it says:-

             

            The Domain page allows you to specify a Windows NT domain and primary and secondary servers so that authentication can take place against the domain controller.

             

            Then it would appear to be a case of navigating to the PAM section of the Users screen and choosing which elements (Access Control, Web Administration, etc...) you wish to use domain authentication for.

             

            Message was edited by: PhilM on 26/01/10 16:44:56 GMT

             

             

            Message was edited by: PhilM on 26/01/10 16:56:21 GMT
            • 3. Re: using Domain Users instead of Local User on SG720?

              The Domain feature you see is capable of querying in an NT4-compatible way to see if credentials are correct.

               

              Hence a simple yah or nah is the reply in response to the credentials the UTM device passes through to the NT4-compatible server (another challenge in today's age).

               

              As such we can't really query if the user has remote access or not, as no group membership is available.

               

              Hence RADIUS is the preferred option as IAS will only authenticate approved remote VPN users.

               

              There are changes on the road map to come regarding the UTM device and AD, and one will be the ability to obtain group membership, and as such determine if a user does have the rights to also VPN in to the corporate network without RADIUS.

              • 4. Re: using Domain Users instead of Local User on SG720?

                Re-reading the post, it says web users... sorry.

                 

                Let me confirm the actual current features in this regard and get back to you.

                 

                 

                Message was edited by: Ross Camm on 1/27/10 8:42:43 PM GMT+10:00
                • 5. Re: using Domain Users instead of Local User on SG720?

                  Phil...get off version 4.0.2 and onto current is my advice 

                  • 6. Re: using Domain Users instead of Local User on SG720?

                    If you create a group

                     

                    system -> users -> groups -> new

                     

                    and give that group

                     

                    Internet Access (via. Access Controls)

                     

                    then go to

                     

                    system -> users -> PAM -> Access Control

                     

                    Authentication Method = NT Domain

                    Default Group = group created above

                     

                    then

                     

                    system -> users -> Domain

                     

                    complete the details. If you don't have a secondary server, simply duplicate the primary entries in the secondary fields.

                     

                    Finally

                     

                    Firewall -> Access Control -> Require User Authentication = checked

                     

                    Have a look at the help on these pages as well, as it shows you which order access controls are parsed in.

                    1 of 1 people found this helpful
                    • 7. Re: using Domain Users instead of Local User on SG720?

                      thanks for the help