AD and policy manager problems
jthren
04-12-2007, 08:33 PM
I have a default rack with all of the controls installed and configured. I basically want most of my users to use this default rack. The default racks web content control is setup to block certain sites. I setup a second virtual rack and only installed the web content control. I customized this control to bypass all blocking. I then setup a policy for the new rack and assigned an AD user to it. However, when I logon to my AD network as this user it uses the default rack controls.
I have configured and successfully tested the Remote AD server under the User Directory control. I have also successfully installed the AD Lookup Server.
I also don't see any sign of the user showing up in my reports. What am I doing wrong?
Thanks,
Jim
richie
04-13-2007, 07:56 AM
Seems to me that the new rack is not being applied. Is this rack enabled under policy manager and set to live under custom policy?
dmorris
04-13-2007, 11:41 AM
Can you tell us a bit about your Active Directory setup?
Is it SBS or 2000 or 2003? Is it a single domain or multiple forests?
Are you running a single User OU or multiple OUs?
If you are not running SBS, make sure you disable the Windows Firewall; otherwise the AD lookup server cannot query the machine to see who is logged in (which means it won't match your custom policy rule).
jthren
04-14-2007, 06:09 AM
Thanks for the reply. Yes, the policy is enabled and set to live. The web control is also turned on in this rack.
jthren
04-14-2007, 06:20 AM
I am running W2K3 Server Enterprise Edition with one domain and a single user OU. The firewall is not enabled on the server, however, I use Symantec Client Firewall on my workstations. I have tried disabling this for up to 1/2 hour and it still did not recognize my custom rack and use the new web content control settings.
Maybe you could explain a little more how the AD Lookup tool works. I have used other products that use similar technology and do not need access to the workstation. They have a service that runs on the server that does IP to username resolution from the system log files. If the Untangle product does need access to the workstations, what port / service are you using? I also read somewhere that it could take up to 15 minutes after a user logs in to recognize the username and apply the rack assigned to that user. Is that true?
Any other ideas on what could be going on?
Thanks for your help,
Jim
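The log-based approach jthren describes for other products (a service on the server that resolves IP to username from the logon records the domain controller already keeps) can be shown in a short script. The following is an added example written for this page; it is not Untangle's code, and the thread never states how Untangle's AD Lookup Server performs its lookup. It assumes a simplified one-line record format constructed here, the Windows Server 2003 Security-log event IDs (528/540 logon, 538 logoff, 529 failure; Vista and Server 2008 onwards use 4624/4634/4625), and that the domain controller records a source network address for network logons.

```python
"""IP -> user mapping from Security-log logon events (added example).

Not Untangle's code. It implements the alternative jthren mentions: a job on
the domain controller reads the logon events it already records and keeps the
most recent logon per client IP, so nothing on the workstation has to answer
a query. The records below are constructed for this example in a simplified
one-line form (timestamp, event ID, account, domain, logon type, source IP);
a real tool would pull the same fields out of the Security log.
"""
import re
from datetime import datetime, timedelta

# Windows Server 2003 Security log event IDs (Vista/2008+ use 4624/4634/4625).
LOGON_OK = {528, 540}   # successful logon / successful network logon
LOGOFF = {538}          # user logoff
LOGON_FAILED = {529}    # bad user name or password: never map these

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<eid>\d+)\s+"
    r"(?P<user>\S+)\s+(?P<domain>\S+)\s+(?P<ltype>\d+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample records (not real log output).
SAMPLE_EVENTS = """\
2007-04-13T20:00:00 540 cwhite CORP 3 10.0.0.25
2007-04-14T06:01:12 540 jsmith CORP 3 10.0.0.21
2007-04-14T06:02:40 540 CORP-WS21$ CORP 3 10.0.0.21
2007-04-14T06:05:03 540 abrown CORP 3 10.0.0.22
2007-04-14T06:20:15 540 jsmith CORP 3 10.0.0.23
2007-04-14T06:30:00 538 jsmith CORP 3 10.0.0.21
2007-04-14T06:41:00 529 guest CORP 3 10.0.0.24
2007-04-14T06:50:00 540 abrown CORP 3 10.0.0.21
this line is garbage and is skipped
"""


def parse_events(text):
    """Parse one-line records into dicts, oldest first; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "user": m["user"],
            "domain": m["domain"],
            "logon_type": int(m["ltype"]),
            "ip": m["ip"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def build_ip_map(events, now, ttl=timedelta(hours=8)):
    """Return {ip: (domain, user, last_logon)} for mappings still fresh at `now`.

    - machine accounts (trailing '$') are ignored: they are not people
    - a later logon from a different user at the same IP replaces the old one
      (users who bounce between machines, shared call-centre seats)
    - a logoff removes the mapping only if it is for the user currently mapped
    - anything older than `ttl` is dropped, so a seat nobody logged off from
      is not attributed to its last user forever
    """
    mapping = {}
    for e in events:
        if e["user"].endswith("$") or e["eid"] in LOGON_FAILED:
            continue
        ip = e["ip"]
        if e["eid"] in LOGON_OK:
            mapping[ip] = (e["domain"], e["user"], e["ts"])
        elif e["eid"] in LOGOFF and ip in mapping and mapping[ip][1] == e["user"]:
            del mapping[ip]
    return {ip: v for ip, v in mapping.items() if now - v[2] <= ttl}


def lookup(mapping, ip):
    """'DOMAIN\\user' for a mapped IP, or None so a report can fall back to the IP."""
    entry = mapping.get(ip)
    return f"{entry[0]}\\{entry[1]}" if entry else None


def demo(ttl_minutes=480):
    """Build the map for the constructed sample at a fixed 'now' (2007-04-14 07:00)."""
    now = datetime(2007, 4, 14, 7, 0, 0)
    return build_ip_map(parse_events(SAMPLE_EVENTS), now, timedelta(minutes=ttl_minutes))


if __name__ == "__main__":
    ipmap = demo()
    for ip in ("10.0.0.21", "10.0.0.22", "10.0.0.23", "10.0.0.24", "10.0.0.25"):
        print(ip, lookup(ipmap, ip) or "(unknown)")
```

The TTL is the knob that matters for the 24/7 call-centre case raised later in the thread: a long TTL means a seat whose previous user never logged off keeps being attributed to that user, a short one means a user who sits quietly for an hour drops out of the map and their traffic falls back to an IP in the reports. Logoff events and a periodic re-read of the log make the map tighter than either setting alone.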
vanpatrick
04-16-2007, 12:06 PM
Hi Jim--
We are aware of a bug for the configuration you described that is probably what is frustrating your efforts. We are working to address it in the next release. Would you like to help us as a beta tester?
jthren
04-16-2007, 12:41 PM
Yes, I would be very interested in becoming a beta tester. Please let me know what I need to do.
Can you also explain to me in a little more detail what the glitch is? Is it something to do with AD? Is there someway I can work around it?
Thanks,
Jim
vanpatrick
04-16-2007, 02:03 PM
Hi Jim--
I'll drop you an email when the beta is ready, which should be very soon. Sorry to say there are no workarounds-- the heart of the problem is really that our solution was implemented with SBS/AD in mind, and so there are various issues with Win2k3/AD. Hopefully we'll get them addressed in the beta....
Hang in there!
jthren
04-16-2007, 02:58 PM
Ok, I'll be anxiously waiting.
Thanks,
Jim
jthren
07-24-2007, 08:48 PM
Hi Jim--
I'll drop you an email when the beta is ready, which should be very soon. Sorry to say there are no workarounds-- the heart of the problem is really that our solution was implemented with SBS/AD in mind, and so there are various issues with Win2k3/AD. Hopefully we'll get them addressed in the beta....
Hang in there!
Does the new version now fully support W2K3 AD integration with multiple racks and policies defined by user? In addition, does the new version properly display the W2K3 AD user in the reports?
Thanks,
Jim
vanpatrick
07-25-2007, 05:52 PM
Hi jthren--
We are still doing internal testing with win2k3/AD and have hit a few snags :(
It looks like something is fundamentally different with win2k3/AD that we unfortunately still have not sorted out... it is in the QA team's queue, though.
Sorry I don't have a better update right now.
jthren
07-25-2007, 09:35 PM
While I don't want to belabor this any more than necessary, I think it's necessary to note that I asked about this months ago and was told it would be fixed in the next version. I would think with the % of businesses that are running Windows Server and AD that this would be a very high priority on your list of fixes. It is not feasible for large companies that use DHCP to do IP to user mappings or to create custom users to define custom rack settings (which are the only ways I'm aware of getting this to work). In addition, anyone using AD uses security or distribution groups to manage access control. Without this capability it really limits your product to small scale operations. I had been holding off on purchasing a web filter from another vendor but I may have to reconsider due to this unresolved issue. If you have a timeline on when this may be fixed, please let me know.
Thanks,
Jim
scoffee
07-26-2007, 07:41 AM
I'd like to second the request for this to be considered high priority. I have a client who runs two call centers with about 50 seats each. The operations are 24/7, so tracking IPs is not very meaningful. SBS is not a viable option. They are currently on a w2k3 domain.
I think they would be willing to pay for the AD integration in the reports, but it would have to work in their existing environment. I can't help but think that this is a pretty common situation and that a lot of potentially paying customers are sitting on the fence waiting for you to get this working.
vanpatrick
07-26-2007, 01:08 PM
Thanks for the feedback, both of you... As I mentioned, it was our original intention to get things working with Win2k3 in addition to SBS, but MS's implementation of AD is sufficiently different between these two products that we are having difficulty.
A couple of things to note, however, since you've told me a little more about your selection criteria:
- Untangle originally targeted Small Business Server + AD because our solution in general is designed with small to medium sized businesses in mind. We are not the best fit in the "large company" scenario, where you tend to find larger win2k3/AD implementations, many different user groups and even multiple forests.
- About groups-- our current design doesn't support using group selection for policy enforcement or access control; instead, you must select individual users to apply custom policies or define access privileges. Again, this was designed with smaller numbers of users in mind.
I'm sorry that I'm not able to commit right now to a timeline for making our AD solution a better fit for larger enterprises or more involved AD configurations. Our goal is still to sort out Win2k3/AD as an initial step in this direction.
I hope this helps....
scoffee
07-27-2007, 01:40 PM
So getting Win2k3/AD working is being actively debugged and could be fixed at any time, but support for more advanced/complicated active directory configurations is out of scope for at least the near future. Is that correct?
All I really need is to be able to turn IP addresses into user names so that managers can use the reports. So should I check back in tomorrow, next week or next month? Any guesses as to the timeframe for the initial win2k3/AD step?
jthren
08-08-2007, 06:13 PM
I understand who you are targeting, but I think you are missing the potential for a large client base by supporting W2K3 AD. The services your box provides are very rich in features and impressive, but it really needs to support a larger user base. Outside of what we've already stated, even in small business applications it is common for users to bounce from one computer to another, and the IP to user mapping just doesn't bode well in that scenario.
I have two smaller offices where I'd love to use your product, but it's a must that I have control based directly on AD users and groups.
Please keep me informed on some sort of release date.
Thanks,
Jim
pcardelli
09-02-2007, 11:04 PM
I currently have a solution that provides active directory Authentication through our proxy content filter.
I have yet to try out Untangle, what Operating system does it run under?
Samba might be the solution, and then allow the users to create filter sets that match up with existing or new AD groups. This would allow a set of users to be filtered in different ways. Our current solution is through K12USA.com SecureSchool, Networks & More Inc.
I like some of your reports better, but until you can authenticate with Active directory better, I don't see us using Web Filter. Even if I have a hard time printing out the reports, it is nice to look up by username, and also see the IP address they viewed the website with. Sometimes a user spoofs with another username, but having the IP with the username helps to narrow things down a bit. Especially when dealing with students.
With thin clients with terminal services moving in, it looks like IP addresses won't matter much, so all filtering will need AD W2K3 authentication.
egowen
09-03-2007, 07:23 AM
I agree that Server 2003/R2 AD integration should be a high priority. This is the only real issue that would make it reasonable for us to move from the free to the Professional version. Compatibility with Server 2008 will be needed within no more than three months after the OS finally ships ... whenever that will be. :)
I'm planning a concurrent session presentation on Untangle at the Georgia Educational Technology Conference (GaETC) in November and I'm sure this will be a critical issue even for small school systems that will be most interested in this product.
GhostyDog
09-03-2007, 07:50 AM
I also agree, as one of those 'sitting on the fence' this level of integration with MS systems is pretty much make or break.
I'm also looking at ISA, but even though there are a few modules available that do some of the things Untangle does, nothing is as all-encompassing as your software in a single-box configuration.
Some manufacturers (read celestix) divide ssl vpn and put it in a different box, I believe this is more of a money making thing than anything else and I'm waiting to see how untangle develops.
scottb
09-20-2007, 09:44 AM
Bump and additional vote for AD support beyond SBS.
I have been banging my head against the wall trying to get this to work only now to find out "never mind".
We bought and use the professional package. At 70 users, I don't consider us a "large" company. We are definitely in the small to medium range. Luckily I have AD integration working with the Portal, otherwise I would question our purchase of the professional package.
Antimidas
11-01-2007, 06:22 PM
I just installed this product and talked the customer into buying the professional support package so that they could integrate with AD. They only have 45 users, but multiple servers for their needs. Using SBS was not an alternative because of the project requirements. Now after getting everything installed and working through the minor issues, I hear that there is no way to integrate with AD in anything other than SBS. As an MSP, I think I should have been aware of that when we offered AD integration based on Untangle's statement that it was included in the professional package. The feature list did not clarify that it only worked with SBS AD.
It is only a matter of time before the customer finds out that they are not getting what they continue to pay for. Is there anything I can do to help your developers fix this issue? This is a spin-off from a Fortune 100 company and would be one hell of an endorsement to have if the product worked the way that they anticipated. Now I feel like I have egg on my face.
gotkimchi
11-01-2007, 06:37 PM
If you are talking about the AD integration for the Remote Access Portal, that works with all AD. If you are talking about the AD integration for policy management and reporting, that is a hit and miss at this time.
Antimidas
11-03-2007, 09:44 PM
The customer thought that with the AD integration they would be able to monitor employee use. Not the case since that part is not working.
There are also apparent issues with the remote access. I have been unsuccessful at getting the device to connect to the AD to pull user accounts for authentication. They are not using this yet because they are still on the 3M VPN and using 3M equipment. Once they purchase their own desktops, this feature will be a requirement. But it looks like I will have to somehow create individual accounts within the Untangle for Remote Access use, or just use the OpenVPN which would have been free.
I am working with the IT Director for 3M to find solutions to these issues. We had hoped that the device would be able to handle the requirements without the addition of a PIX VPN concentrator or similar device, but without the AD integration, I see no alternative but to purchase the Cisco as well as ISA server so that user access can be tracked. That defeats the intent of the Untangle device. Granted, it is still protecting the network against harmful spam and malware, but the customer's faith in the product will be severely diminished when they find that these two functions will not work with their subscription.
Antimidas
11-05-2007, 08:58 PM
Ok. I think I was misinformed on the Remote Access Portal. It seems after reading the wiki that the RAP only provides the ability for remote users to access their desktops and facilitates support through RDP sessions. To allow users to remove laptops from the office and access file shares, it would be preferential to use the OpenVPN functionality. Am I understanding this correctly?
Well, actually both features will allow you to have home users access network shares.
Here is the info on RAP and accessing shared files:
http://wiki.untangle.com/index.php/Remote_Access_Portal#Example:_Creating_a_Bookmark_To_a_Network_Share
And for VPN you would just export the hosts/networks you want people to be able to access, setup firewall rules to block access to certain points if necessary, and then users can browse to resources they need.
So you really have your option. For some people VPN would be easiest, others would rather use the RAP and network share bookmarks.
Antimidas
11-06-2007, 09:24 PM
I am thinking something along the lines of what I am more familiar with. For our company network, we use a Cisco VPN Concentrator. This allows the user to open an application to authenticate against the network. It then resides in the system tray and uses something similar to a TUN adapter to allow the connection to the main network. The users can then access their drives through My Computer instead of through the browser.
The user experience is then similar to if the user was in the office. Granted, it is much slower. But in this particular case in which the Untangle is installed, we configured the network as full gigabit complete with CAT6 STP to each workstation and CAT6 STP patch cables. Their only limiting factor will be the T1 internet connection coming in to the network. Ah, the fortunes of being involved in the construction of the building and the network from the ground up!
My understanding of the RAP is that the users would basically have bookmarks in the browser which would connect them back to their drives and/or desktops. I don't want to jump to the conclusion that the users would be confused by the extra step, but with 45 users, the odds are that a few would have issues with performing tasks differently depending on whether they were in the office or not. The easiest solution is the most consistent user experience. It avoids confusion and reduces training issues. Besides, nearly all users have laptops with docking stations. It is those laptops which they would use to access network resources from either location.
I may make my money on support, but I have enough customers that I can afford to keep support limited by keeping consistency for users. At last count, I support about 300 users.
Antimidas
11-06-2007, 09:30 PM
I should add that we are not using Terminal Server licensing. Because of issues with employees installing unapproved apps (Yahoo messenger or their IM du jour, WeatherBug, et al), I prefer to limit a user's damage to their own equipment. I would rather stay away from granting them RDP or VNC connectivity to anything which would end up being a shared device. In fact, I disabled RDP for all user accounts when they were created to prevent this from ever being an issue.
Several users are already using applications with known spyware because they like the widget functionality of them regardless of the risks. It is not my company where I can enforce software restrictions to prevent this sort of software, but I can limit the spread by making each user the only victim of their own actions.