Active Directory SSO Authentication in Transparent Proxy Mode

In our previous article, Sophos UTM and Active Directory step-by-step integration guide, we discussed configuring AD Single Sign-On authentication when running Sophos UTM in Standard Proxy Mode.

It may interest you to know that Sophos UTM also allows you to make use of Active Directory SSO Authentication in Transparent Proxy Mode.

When deploying AD SSO in Transparent Mode, there are a couple of limitations you need to know about, otherwise you could spend a lot of time trying to troubleshoot authentication issues.

There are two important concepts:

• Only a basic HTTP request can be used to authenticate using AD SSO in transparent mode
• Subsequent traffic will be authenticated from the authentication cache for up to 300 seconds.

Authenticating in Transparent Mode

According to the Sophos documentation:

Only "standard" HTTP requests can be authenticated through the proxy when using AD/SSO in Transparent Mode. This works properly when your browser is making a standard (non HTTPS) web request, but may not work for other applications or services listed below:

• HTTPS
• Any URL with a parameter
• AJAX requests
• Any application that does not contain "Mozilla" in the User Agent string (non browser)

This presents a challenge, since a huge portion of the public Internet is now encrypted with HTTPS, including the primary home page for most users - Google.

If your home page is set to Google, authentication will not occur. Since you are not authenticated the request will be blocked, even if your user account has been granted access in the policies.

At least the browser makes you aware of this. Any application that attempts to consume Internet resources (such as iTunes or Skype) before successful authentication will silently fail.

The not-so-elegant work around for this is to have your users manually browse to a site like https://bing.com

NOTE: Even with this method the user might experience a single rejected request that is resolved when the user attempts the connection for a second time. This appears to be browser related and I have had mixed results across my range of test devices.

Subsequent requests & cached authentication

Again referring to the Sophos Documentation here:

However, in UTM F/W >= 9.111, the proxy will use the last successful cached authentication for the same user, when non-standard web requests (HTTPS) are made, or when a non-browser application makes a web request. This feature will prevent further authentication challenges from the proxy so long as there is an initial (successful) standard HTTP request which has been authenticated.

The explanation is fairly clear. When possible, a HTTP request will re-authenticate any requests that can't use the cached authentication.

In environments where the user is constantly browsing a mixture of HTTP and HTTPS content this approach works quite well. However, with the increased portion of the web that is now solely accessible over HTTPS, this approach could fall short if the cache goes stale. Authentication is valid for 300 seconds.

Tracing AD SSO Authentication in Transparent Mode

Below is a packet capture on a client device that is attempting to use and authenticate transparently.

When the client starts the browser and attempts to connect to a HTTPS site, we see the following.

We can see many packets going back and forth from the client device to the site itself. As far the client is concerned there is no UTM to explicitly proxy through. In standard proxy mode you would see a status code 407 proxy authentication required request being returned but we don't see that here. Sophos UTM just returns the normal block page to the user.

With a HTTP connection, the initial request goes to the site, Sophos UTM intercepts the requests, and we see some packets between the UTM and the client. Once the UTM has authenticated the user, the traffic is allowed through without the explicit standard proxy requirement. Instead of the expected 407, authentication is achieved using a status code 401.

Affects on logging and reporting

Once a user is authenticated, Sophos UTM logs the username in the web filtering log and Fastvue Sophos Reporter matches the traffic to the user's Active Directory object, enabling easy reporting on users, departments, security groups, offices and companies. You can therefore mix and match standard and transparent proxy users in your environment without needing to do anything special for uniform reporting.

The only potential issue is that the deny count for transparent proxy users will be artificially higher (for allowed sites) on account of the initial authentication request requirement.

Conclusion

Sophos UTM's Active Directory SSO Authentication in Transparent Proxy Mode offers a good alternative to using browser authentication or installing the agent. As long as you are aware of these few nuances, it's a very workable solution.

In a domain environment where you can use group policies to set user home pages, you can easily force the initial HTTP connection, making the rest a breeze.

Sophos have also released UTM 9.4 that includes the Sophos Transparent Authentication Suite (STAS) which can improve the transparent authentication experience further. It involves an agent installed on the Active Directory server that communicates authentication status details with the UTM. We will cover STAS further in a future article.