Video Screencast Help

LDAP Authentication on SWG

Created: 13 Mar 2012 | 1 comment

Dear All,

we have a couple of SWGs (5.0.2) configured in proxy blocking mode with LDAP authentication. We've adopted the DC Interface authentication method, and we've defined a set of content/URL filtering policies based on AD groups/OUs. Domain controllers run on a win2003 o.s.
Everything is working fine except for the case hereafter described.

If we login on a machine with USER-1 (belonging to GROUP-A), the SWG proxy identifies the user, and then applies the expected policy for that user. After that we login on the same machine with USER-2 (belonging to GROUP-B), and the gateway does not recognize the user ... SWG keeps on applying the policy associated to USER-1 with the potential negative effect for USER-2 of being denied access on a set of web sistes (s)he should be allowed to visit.
If we check the SWGs' reports section (Reports -> Search -> Search by hostname), we still see on the report the first user (USER-1) associated with the machine.

I've attached an example of the SWG report: you can see that on the host named ** the last authenticated user identified by the gateway is AR-SrvAccount (an administrative user), and to that user the BLOCKAll policy has been applied which prevents Internet access. The behaviour is wrong since administrative users should be allowed access to almost every site; Internet access should be restricted only to a limited set of accounts ...

We were wondering the reason of this behaviour; it's really annoying into our environment, especially if you consider that we have a number of users (about 450-500) which accee our systems via Microsoft Terminal Services (RDP).

Can you please hel us solving ?


Comments 1 CommentJump to latest comment

fferaboli's picture


are these 2 users in your environment accessing via Terminal Services?

You probably want to check this article:

Does the Symantec Web Gateway support Microsoft Terminal Server sessions?

This other article gives you more information regarding how DCInterface identified users login in and could be helpful for troubleshooting: