Web Content Filter & AD users and groups

NethServer Version: NethServer release 7.7.1908 (final)
Module: Web Content Filter

Hi,

I’m taking my first steps with NethServer. I’ve installed AD, Firewall, proxy and Web Content Filter. I’m using Transparent with SSL proxy.

Everything works well if I use profiles related to Firewall objects, but when I want to set filters related to Active Directory groups or users the filter does not apply.

How is it possible? I think everything is correctly configured since otherwise, it would not work well with firewall objects.

I’ve checked the “Block HTTP and HTTPS ports” option.

Thank you!

Hi, first, welcome to the community.

To your question: could you post some files, please? The squid and ufdbguard config:

/etc/squid/squid.conf
/etc/ufdbguard/ufdbGuard.conf

and the log files from the time you try to open a site which should be blocked, but isn’t blocked.

/var/log/squid/access.log
/var/log/ufdbguard/ufdbguard.log

Michael

You need to use the authenticated proxy instead of the transparent one to get the user/group information. Then users/groups are selectable in the Profile creation wizard.

https://docs.nethserver.org/en/v7/web_proxy.html#authenticated-mode

Hi @mrmarkuz,

First of all, thank you for your answer. I changed the proxy to the authenticated one, and when I try to navigate to any page, the browser asks me for a username and password. I try the user’s AD credentials and the browser asks again for the username and password.

access.log:

1583920447.324 2 192.168.0.126 TCP_DENIED/407 4223 CONNECT accounts.google.com:443 - HIER_NONE/- text/html

The user is authenticated properly to AD and has been successfully linked to the domain.

Any idea?
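
Added example, not part of the original thread: a small Python check over Squid's native `access.log` format that separates the normal single 407 challenge from the symptom described in the post above, where a client keeps receiving 407 and no request ever carries a user name. The function names, the threshold of three challenges and every sample line except the first (which is the line quoted in the post) are assumptions constructed for illustration.

```python
from collections import defaultdict

# Sample in Squid's native access.log format. The first line is the one quoted
# in the post above; the remaining lines, users and addresses are constructed.
SAMPLE_LOG = """\
1583920447.324      2 192.168.0.126 TCP_DENIED/407 4223 CONNECT accounts.google.com:443 - HIER_NONE/- text/html
1583920449.101      1 192.168.0.126 TCP_DENIED/407 4223 CONNECT accounts.google.com:443 - HIER_NONE/- text/html
1583920450.870      1 192.168.0.126 TCP_DENIED/407 4180 GET http://example.com/ - HIER_NONE/- text/html
1583920451.002      1 192.168.0.130 TCP_DENIED/407 4180 GET http://example.com/ - HIER_NONE/- text/html
1583920451.350    212 192.168.0.130 TCP_MISS/200 1256 GET http://example.com/ user1@AD.EXAMPLE.ORG HIER_DIRECT/93.184.216.34 text/html
"""

def parse_line(line):
    """Split one native-format line into the fields used here, or None if malformed."""
    parts = line.split()
    if len(parts) < 10 or "/" not in parts[3]:
        return None
    result, _, status = parts[3].partition("/")
    return {"client": parts[2], "result": result, "status": status,
            "url": parts[6], "user": parts[7]}

def auth_summary(lines):
    """Per client: 407 challenges sent vs. requests that carried a user name."""
    summary = defaultdict(lambda: {"challenges": 0, "authenticated": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or truncated lines
        if rec["status"] == "407":
            summary[rec["client"]]["challenges"] += 1
        elif rec["user"] != "-":
            summary[rec["client"]]["authenticated"] += 1
    return dict(summary)

def stuck_clients(lines, min_challenges=3):
    """Clients that keep getting 407 and never complete authentication."""
    return sorted(c for c, s in auth_summary(lines).items()
                  if s["challenges"] >= min_challenges and s["authenticated"] == 0)

if __name__ == "__main__":
    for client in stuck_clients(SAMPLE_LOG.splitlines()):
        print(f"{client}: repeated 407 with no authenticated request")
```

A client that shows one 407 followed by requests with a user name has authenticated normally; only clients that never get past the challenge are listed.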

Hi @m.traeumner and thank you for your answer,

I was using Transparent Proxy, now I’m checking the authenticated proxy, as I replied in the other post.

Do you think it is not possible to work with AD users with a transparent proxy?

Thank you!

@mrmarkuz is right here, I didn’t think about it. A short description of why it doesn’t work is here:

@mrmarkuz Any idea here?

@hortiz, please check /var/log/squid/cache.log for errors.
Which OS/browser do you use? Did you try another browser?

All Windows clients must access the proxy server using the FQDN.

Another thread about auth proxy with AD:

I think /var/log/squid/access.log could also give some hints.

Hello,

On your client, set the proxy with the hostname, not the IP address.

Sorry, my English is bad.

Welcome to the community @Leonardo_Lovera.

No problem, we can understand you, and most of us aren’t native English speakers.