Syed Jahanzaib Personal Blog to Share Knowledge !

January 2, 2022

SANGFOR IAM – Short Notes

Filed under: SANGFOR — Tags: , , , , — Syed Jahanzaib / Pinochio~:) @ 7:25 PM

in year 2019,  We acquired SANGOFR IAM m5200 hardware device (along with 3 years support/renewal bundle) as an replacement for Microsoft EOL product ISA/TMG 2010. Since its acquisition we have overall good experience with its usage. Before its acquisition, We tested few other products like Sophos, FortiGate & other, but SANGFOR IAM was the closest replica for TMG (specially in its integration with the AD). As per our core requirements of Compliance/audit, IAM Logging details level is very impressive. It’s local support was very good and responsive & they helped us in initial demo & configuration.

As time will allow, I will try to add some guides/tips and notes for day to day task related to Sangfor IAM.


Fake Online Sessions & Forced Logged out Everyday !

Sangfor have multiple methods to integrate its authentication with the Active Directory DC. We are using LOGIN Script Method (using GPO) along with IWA integration. It works well, but it was creating one BIG issue. When the user logins to the computer, the login script via GPO triggers & the sangfor login exe sends the user login event to the sangfor & sangfor then notified about the user status. But if the user dont do proper shutdown of his workstation, then the user session shows as ONLINE for hours & in the mean while if his dhcp lease expires & some other user gets the same IP , his internet access works without any kind of authentication.

To over come the issue, we set following,

the LOG OUT ALL USERS EVERY DAY option did the trick! However it created another problem that users who donot do proper shutdown, and next when open laptops and resume windows (from hibernation actually) , they get the IAM LOGIN screen on there browser. By setting an S.O.P, we enforced users that its essential that you must properly shutdown when you leave the office, or LOGOFF/LOGIN one time.

Weird !


Troubleshooting/Analyzing TCPDUMP/TMG style traffic in SANGFOR

One of our user particular protocol (example TELNET) is not working. To check if SANGFOR is blocking it via rule, perform below actions

Goto SYSTEMS > DIAGNOSTICS > TROUBLESHOOTING

Click on SETTINGS

IN SPECIFIED IP, add your client IP here

IN PROTOCOL, select the protocol you want to troubleshoot, example telnet / TCP 23

& click Ok, Ok

Now at client end, try to connect to any telnet server & at sangfor screen press REFRESH ,


Allow Office 365 / Outlook related connectivity to Particular AD Group.

In our office, all users are joined with Active Directory Domain. (there are multiple domain with cross forest trust in our company). We have allowed limited internet facility to particular active directory group only. This year we have moved away from on-prem Lotus domino email server to cloud base Microsoft O365 solution, therefore we had to allow internet to every body who is now using Outlook. To limit the internet usage & after doing some extensive R&D & ‘internet activities’ lookup via sangfor , we created following ‘O365’ Object in URL DATABASE, and allowed it  to AD group ‘Internet_for_O365_Group’ & associate outlook users to this group. This way users who doesn’t have internet facility can still use O365 related services in a controlled manner.


*.office365.com
*.office.com
*.office.net
*.outlook.com
*.microsoft.com
*.onmicrosoft.com
*.microsoftstream.com
*.azure.net
*.azureedge.net
*.windows.net
*.live.com
*.atdmt.com
*.ytimg.com
*.windowsazure.com
*.msftidentity.com
*.msidentity.com
*.microsoftonline.com
*.msecnd.net
*.msftauth.net
*.msauth.net
*.azure.com
*.digicert.com
*.agp.com.pk
*.obsagp.com.pk
*.msftconnecttest.com
*.acompli.net
*.sharepoint.com
*.live.net
*.onedrive.com
*.msftstatic.com
*.windows.com
*.s-microsoft.com
*.passport.net
*.msocsp.com
*.msftncsi.com
*.msedge.net


More will be added as per time allow.

Regard’s
Syed Jahanzaib

%d bloggers like this: