Syed Jahanzaib – Personal Blog to Share Knowledge !

January 2, 2022

SANGFOR IAM – Short Notes


In 2019, we acquired a SANGFOR IAM M5200 hardware appliance (along with a 3-year support/renewal bundle) as a replacement for the Microsoft end-of-life product ISA/TMG 2010. Since its acquisition, our overall experience with it has been good. Before acquiring it, we tested a few other products such as Sophos, FortiGate and others, but SANGFOR IAM was the closest replica of TMG (especially in its integration with AD). For our core compliance/audit requirements, the level of detail in IAM logging is very impressive. Its local support was very good and responsive, and they helped us with the initial demo and configuration.

As time allows, I will try to add guides, tips and notes for day-to-day tasks related to Sangfor IAM.


Fake Online Sessions & Forced Logout Every Day!

Sangfor has multiple methods to integrate its authentication with the Active Directory DC. We are using the LOGIN Script method (via GPO) along with IWA integration. It works well, but it created one BIG issue. When a user logs in to the computer, the login script deployed via GPO triggers the Sangfor login exe, which sends the user's login event to the Sangfor appliance, and Sangfor then records the user as online. But if the user does not shut down his workstation properly, the user session stays ONLINE for hours; in the meantime, if his DHCP lease expires and some other user gets the same IP, that user's internet access works without any kind of authentication.

To overcome the issue, we set the following:

The LOG OUT ALL USERS EVERY DAY option did the trick! However, it created another problem: users who do not shut down properly, and the next day open their laptops and resume Windows (from hibernation, actually), get the IAM LOGIN screen in their browser. By setting an S.O.P., we require users to either shut down properly when they leave the office, or LOGOFF/LOGIN once.

TIPS:

  • For some VIP executive users, we reserved their IPs in a pool whose authentication method is set to MAC address login (using Sangfor local user binding)
  • Lease DURATION for DHCP clients is set to 8 days
  • Enable automatic scavenging of stale records in DNS is UNCHECKED

Troubleshooting/Analyzing TCPDUMP/TMG style traffic in SANGFOR

One of our users reports that a particular protocol (for example TELNET) is not working. To check whether SANGFOR is blocking it via a rule, perform the actions below:

Go to SYSTEMS > DIAGNOSTICS > TROUBLESHOOTING

Click on SETTINGS

In SPECIFIED IP, add your client IP

In PROTOCOL, select the protocol you want to troubleshoot, for example telnet / TCP 23

and click OK, OK

Now at the client end, try to connect to any telnet server, and on the Sangfor screen press REFRESH.


Limit the bandwidth usage of a few applications on a per-user basis

In our corporate office, we have limited internet bandwidth, and by policy we are allowed to block/limit non-productive internet usage. We have blocked some categories and limited the bandwidth of others; for example, I have limited all Updates / Twitter / FB Live etc. to 128 Kbits per user, with a maximum combined bandwidth of 5 Mb (our total internet pipe is 75 Mb, so I have allowed at most 5 Mb overall for these categories, and out of that 5 Mb, at most 128 Kb can be given to each user for these categories).


Allow Office 365 / Outlook related connectivity to a particular AD group

In our office, all users are joined to the Active Directory domain (there are multiple domains with cross-forest trust in our company). We have allowed limited internet access to a particular Active Directory group only. This year we moved away from our on-prem Lotus Domino email server to the cloud-based Microsoft O365 solution, therefore we had to allow internet access to everybody who now uses Outlook. To limit internet usage, and after some extensive R&D and 'internet activities' lookups in Sangfor, we created the following 'O365' object in the URL DATABASE, allowed it for the AD group 'Internet_for_O365_Group', and associated Outlook users with this group. This way users who do not have general internet access can still use O365 related services in a controlled manner.


*.office365.com
*.office.com
*.office.net
*.outlook.com
*.microsoft.com
*.onmicrosoft.com
*.microsoftstream.com
*.azure.net
*.azureedge.net
*.windows.net
*.live.com
*.atdmt.com
*.ytimg.com
*.windowsazure.com
*.msftidentity.com
*.msidentity.com
*.microsoftonline.com
*.msecnd.net
*.msftauth.net
*.msauth.net
*.azure.com
*.digicert.com
*.agp.com.pk
*.obsagp.com.pk
*.msftconnecttest.com
*.acompli.net
*.sharepoint.com
*.live.net
*.onedrive.com
*.msftstatic.com
*.windows.com
*.s-microsoft.com
*.passport.net
*.msocsp.com
*.msftncsi.com
*.msedge.net


More will be added as time allows.

Regards,
Syed Jahanzaib