Syed Jahanzaib Personal Blog to Share Knowledge !

January 2, 2022

SANGFOR IAM – Short Notes

Filed under: SANGFOR — Syed Jahanzaib / Pinochio~:) @ 7:25 PM

In 2019 we acquired a SANGFOR IAM M5200 hardware appliance (with a 3-year support/renewal bundle) as a replacement for Microsoft ISA/TMG 2010. Since then we have had a good experience with it. We tested a few other products such as Sophos and FortiGate, but IAM was the closest replica of TMG (especially in its integration with AD), so we went with it. For our core compliance/audit requirements, the level of detail in IAM logging is very impressive. Local support was very good and responsive, and they helped us with the initial demo and configuration.

As time allows, I will add guides, tips and notes for day-to-day tasks related to Sangfor IAM.


Fake Online Sessions & Forced Logout Every Day!

Sangfor offers multiple methods for integrating its authentication with the Active Directory DC. We use the login-script method (deployed via GPO) together with IWA integration. It works well, but it created one BIG issue. When a user logs in to a workstation, the GPO login script runs and the Sangfor login executable sends the logon event to the IAM, which then marks that user as online on that IP. But if the user does not properly shut down the workstation, the session stays ONLINE for hours; meanwhile, if the DHCP lease expires and another machine is given the same IP, that machine gets the first user's internet access without any authentication of its own, and the IAM audit log attributes its traffic to the wrong user.

To overcome the issue, we set the following:

The LOG OUT ALL USERS EVERY DAY option did the trick! However, it created another problem: users who do not shut down properly and the next day open their laptops and resume Windows (from hibernation, actually) get the IAM LOGIN screen in their browser. We set an S.O.P. requiring users to shut down properly when they leave the office, or to log off and log in once.

Weird !
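The failure mode above is an IP-bound session outliving the DHCP lease that created it. As an added example (not Sangfor's code, and not its real export format), the script below correlates an IAM online-user export with a DHCP lease export and flags sessions whose IP has since been re-leased to another host, plus sessions older than a maximum age (the check the daily forced logout enforces on the appliance side). Both CSV layouts and all rows are constructed assumptions for illustration.

```python
"""Audit Sangfor IAM online sessions against DHCP leases.

Added example, not Sangfor's own code or export format. It assumes two
CSV exports whose column layouts are assumptions for illustration:
  sessions: user,ip,login_time          (IAM online-user list)
  leases:   ip,mac,hostname,lease_start (current DHCP leases)
All rows below are constructed sample data.
"""
import csv
from datetime import datetime, timedelta
from io import StringIO

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed IAM online-user export (assumed layout).
IAM_SESSIONS = """user,ip,login_time
alice,10.10.5.21,2022-01-02 08:05:00
bob,10.10.5.40,2021-12-30 17:40:00
carol,10.10.5.77,2022-01-02 09:12:00
dave,10.10.5.90,2021-12-31 10:00:00
"""

# Constructed DHCP lease export (assumed layout). bob's old IP now belongs
# to a different machine; dave's lease is still his, but the session is stale.
DHCP_LEASES = """ip,mac,hostname,lease_start
10.10.5.21,aa:bb:cc:00:00:01,ALICE-PC,2022-01-02 08:04:30
10.10.5.40,aa:bb:cc:00:00:09,GUEST-LAPTOP,2022-01-02 09:30:00
10.10.5.77,aa:bb:cc:00:00:03,CAROL-PC,2022-01-02 09:11:00
10.10.5.90,aa:bb:cc:00:00:04,DAVE-PC,2021-12-31 09:59:00
"""


def parse_csv(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(StringIO(text)))


def stale_sessions(sessions, leases, now, max_age=timedelta(hours=24)):
    """Return (user, ip, reason) for IAM sessions that should not be trusted.

    Two conditions are flagged:
      * the IP was re-leased after the IAM login, so a different machine now
        inherits the user's authenticated session (the problem in the post);
      * the session is older than max_age, which is what the daily forced
        logout enforces on the appliance.
    """
    lease_by_ip = {row["ip"]: row for row in leases}
    findings = []
    for s in sessions:
        login = datetime.strptime(s["login_time"], TIME_FMT)
        lease = lease_by_ip.get(s["ip"])
        if lease is None:
            findings.append((s["user"], s["ip"], "no active lease for ip"))
            continue
        lease_start = datetime.strptime(lease["lease_start"], TIME_FMT)
        if lease_start > login:
            findings.append((s["user"], s["ip"],
                             f"ip re-leased to {lease['hostname']} after login"))
        elif now - login > max_age:
            findings.append((s["user"], s["ip"], "session older than max_age"))
    return findings


def audit(now_str):
    """Run the audit on the embedded sample exports as of the given time."""
    now = datetime.strptime(now_str, TIME_FMT)
    return stale_sessions(parse_csv(IAM_SESSIONS), parse_csv(DHCP_LEASES), now)


if __name__ == "__main__":
    for user, ip, reason in audit("2022-01-02 12:00:00"):
        print(f"{user:<8}{ip:<14}{reason}")
```

Run against real exports, the "re-leased after login" findings are the sessions the daily logout was introduced to kill; if that list is non-empty between the nightly logouts, a shorter maximum session age (or a logoff script paired with the logon script) is the next step.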



Allow Office 365 / Outlook-related connectivity to a particular AD group

In our office all users are joined to an Active Directory domain (there are multiple domains with cross-forest trust in our company). We allow limited internet access only to a particular Active Directory group. This year we moved from an on-prem Lotus Domino email server to the cloud-based Microsoft O365 solution, so we had to allow internet access for everyone who now uses Outlook. To limit internet usage, after some extensive R&D and 'internet activities' lookups in Sangfor, we created the following 'O365' object in the URL DATABASE, allowed it for the AD group 'Internet_for_O365_Group', and added the Outlook users to that group. This way users who do not have general internet access can still use O365-related services in a controlled manner.


*.office365.com
*.office.com
*.office.net
*.outlook.com
*.microsoft.com
*.onmicrosoft.com
*.microsoftstream.com
*.azure.net
*.azureedge.net
*.windows.net
*.live.com
*.atdmt.com
*.ytimg.com
*.windowsazure.com
*.msftidentity.com
*.msidentity.com
*.microsoftonline.com
*.msecnd.net
*.msftauth.net
*.msauth.net
*.azure.com
*.digicert.com
*.agp.com.pk
*.obsagp.com.pk
*.msftconnecttest.com
*.acompli.net
*.sharepoint.com
*.live.net
*.onedrive.com
*.msftstatic.com
*.windows.com
*.s-microsoft.com
*.passport.net
*.msocsp.com
*.msftncsi.com
*.msedge.net
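To see what a wildcard object like the one above actually admits, here is an added example (not Sangfor's own matching logic) that checks hostnames from a proxy log against it. It assumes the usual proxy semantics: `*.example.com` matches any subdomain of example.com at a label boundary and, configurable via APEX_MATCHES, the apex example.com itself; if the IAM handles the apex differently, change that flag. The hostnames in SAMPLE_HOSTS are constructed.

```python
"""Check hostnames against the O365 wildcard URL object from the post.

Added example, not Sangfor's matching code. Matching semantics below are
an assumption: "*.example.com" matches subdomains at a label boundary and
(if APEX_MATCHES) the apex itself. Sample hostnames are constructed.
"""

# Whether "*.example.com" should also match "example.com" (assumption).
APEX_MATCHES = True

# The 'O365' URL object from the post.
O365_RULES = [
    "*.office365.com", "*.office.com", "*.office.net", "*.outlook.com",
    "*.microsoft.com", "*.onmicrosoft.com", "*.microsoftstream.com",
    "*.azure.net", "*.azureedge.net", "*.windows.net", "*.live.com",
    "*.atdmt.com", "*.ytimg.com", "*.windowsazure.com", "*.msftidentity.com",
    "*.msidentity.com", "*.microsoftonline.com", "*.msecnd.net",
    "*.msftauth.net", "*.msauth.net", "*.azure.com", "*.digicert.com",
    "*.agp.com.pk", "*.obsagp.com.pk", "*.msftconnecttest.com",
    "*.acompli.net", "*.sharepoint.com", "*.live.net", "*.onedrive.com",
    "*.msftstatic.com", "*.windows.com", "*.s-microsoft.com",
    "*.passport.net", "*.msocsp.com", "*.msftncsi.com", "*.msedge.net",
]

# Constructed hostnames as they might appear in a proxy log.
SAMPLE_HOSTS = [
    "outlook.office365.com",
    "login.microsoftonline.com",
    "office.com",
    "evil-office.com",
    "example.blob.core.windows.net",
    "www.example.org",
]


def host_matches(host, pattern, apex_matches=APEX_MATCHES):
    """True if host is covered by a single URL-object pattern."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        # Keep the dot in the suffix so "evil-office.com" does not match
        # "*.office.com"; a naive endswith("office.com") would accept it.
        return host.endswith("." + base) or (apex_matches and host == base)
    return host == pattern


def matching_rule(host, rules=O365_RULES):
    """Return the first rule that matches host, or None if it would be blocked."""
    for rule in rules:
        if host_matches(host, rule):
            return rule
    return None


def audit_hosts(hosts=SAMPLE_HOSTS, rules=O365_RULES):
    """Map each hostname to the rule that admits it (None = blocked)."""
    return {h: matching_rule(h, rules) for h in hosts}


if __name__ == "__main__":
    for host, rule in audit_hosts().items():
        print(f"{host:<32}{'ALLOW ' + rule if rule else 'BLOCK'}")
```

Two things the output makes visible. The label-boundary check matters: a lookalike such as evil-office.com must not ride on `*.office.com`. And entries like `*.windows.net`, `*.azure.com` and `*.azureedge.net` cover shared Microsoft cloud infrastructure that any tenant (or anyone with an Azure subscription) can host content on, so the object is broader than "O365 only"; that is a trade-off to be aware of when the group is meant to have no general internet access. When Outlook breaks after a Microsoft change, reconcile the object against Microsoft's published Office 365 endpoint list (the endpoints web service at endpoints.office.com) rather than guessing from the activity log.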


More will be added as time allows.

Regards,
Syed Jahanzaib
