Either I'm setting this up wrong... or Symantec Web Gateway is not capable of doing the following... although I would find the latter to be really odd, because I've used other gateway products from other manufacturers in the past decade... all the way back to Sun Microsystems' iPlanet Web Gateway server... and all the gateway solutions I've installed in the past have been capable of interfacing with our Active Directory for user authentication, yet I can't seem to make this work in Symantec's Web Gateway server.
The scenario is simple. I have an Active Directory group called "Internet Users". If a user belongs to this AD group, they authenticate and get access to the internet. If a user doesn't belong to this particular AD group, they get no internet access (but still get local intranet access).
(Our HR department insists that any web gateway solution I put in place have the ability to disallow certain users from accessing the internet).
I've set up a new Symantec Web Gateway appliance and am working through the configuration, but I don't see any ability to authenticate users in the scenario above. I have the appliance linked to our AD using LDAP and NTLM authentication, but when I try to create a new policy based on authentication and using anything LDAP-related... an error comes up when creating the authentication policy saying "Authentication only policies cannot be evaluated using LDAP information".
I would think that this would be a simple function of the gateway, considering the gateway is already interfacing with AD via LDAP. So in theory a user authentication request to the SWG server should be simple: a user tries to authenticate their internet access session... the request goes to / gets intercepted by the SWG server... the SWG server checks to see if the user exists in the AD group or has this AD group as part of their account, and if so, lets them authenticate and out to the internet.
So what am I missing? Does the Symantec Gateway not have the functionality to authenticate users based on AD groups/OUs/departments, etc.?
Of note, I did try to change the LDAP search base in the Authentication portion of the SWG server to point directly at the "Internet Users" group in our AD (CN=Internet Users,OU=Internet Access,OU=MAIM,DC=ourdomain,DC=com), hoping the SWG server would be smart enough to only look at this specific group of users in Active Directory for its searches, and if the user didn't exist within this search base, it wouldn't allow the user on the internet, but this didn't work. It appears to authenticate anyone who has an account in our AD, regardless of what group/department/OU the user is in. As a test, I turned on the Enforce Authentication option so I would get prompted to enter user credentials when starting a web session. It didn't matter if the user was in the "Internet Users" group in our AD or not; the SWG server authenticated any user I put in as long as I supplied the correct user credentials. So it didn't seem to make any difference whether I pointed the LDAP search base at this specific group in our AD or not.
(BTW... I'm running the SWG in inline mode, currently configured for authentication using LDAP/NTLM.)
Out of curiosity, would disabling the NTLM authentication on the SWG server and using DCInterface on my AD server help my situation?
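The post above tries to express "only members of the Internet Users group" by pointing the LDAP search base at the group's DN. The following is an added example, not part of the original post and not Symantec's code: it models a tiny AD-like directory in plain Python (no LDAP library needed) to show why a search base cannot encode group membership (user objects live under their OUs, never beneath a group object's DN), and how a `memberOf` filter on the user object does encode it, including nested groups via AD's `LDAP_MATCHING_RULE_IN_CHAIN` rule (`1.2.840.113556.1.4.1941`). The group DN is the one from the post; every user, the `Sales` group and the account names are constructed for illustration.

```python
"""Added example (not from the original post): search-base scoping versus a
memberOf filter when authorizing users by Active Directory group membership.
All entries below are constructed; only GROUP_DN comes from the post."""

# Group DN quoted in the post.
GROUP_DN = "CN=Internet Users,OU=Internet Access,OU=MAIM,DC=ourdomain,DC=com"
# Hypothetical group that is itself a member of Internet Users (nested membership).
NESTED_GROUP_DN = "CN=Sales,OU=Groups,DC=ourdomain,DC=com"
# OID of AD's recursive group-membership matching rule (LDAP_MATCHING_RULE_IN_CHAIN).
IN_CHAIN_RULE = "1.2.840.113556.1.4.1941"

# Constructed in-memory directory: DN -> attributes (a subset of what AD holds).
DIRECTORY = {
    "CN=Alice,OU=Staff,DC=ourdomain,DC=com": {"objectClass": "user", "sAMAccountName": "alice", "memberOf": [GROUP_DN]},
    "CN=Bob,OU=Staff,DC=ourdomain,DC=com":   {"objectClass": "user", "sAMAccountName": "bob",   "memberOf": []},
    "CN=Carol,OU=Staff,DC=ourdomain,DC=com": {"objectClass": "user", "sAMAccountName": "carol", "memberOf": [NESTED_GROUP_DN]},
    NESTED_GROUP_DN: {"objectClass": "group", "sAMAccountName": "sales", "memberOf": [GROUP_DN]},
    GROUP_DN:        {"objectClass": "group", "sAMAccountName": "internet users", "memberOf": []},
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    Backslash must be handled first so later escapes are not double-escaped."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def build_group_filter(username: str, group_dn: str, nested: bool = False) -> str:
    """Filter that matches a user object only if it is a member of group_dn.
    With nested=True the in-chain rule makes the server follow group nesting."""
    attr = f"memberOf:{IN_CHAIN_RULE}:" if nested else "memberOf"
    return (f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)})"
            f"({attr}={escape_filter_value(group_dn)}))")


def dn_in_subtree(dn: str, base: str) -> bool:
    """True if dn is base itself or lies beneath it (case-insensitive, RDN boundary)."""
    dn_l, base_l = dn.lower(), base.lower()
    return dn_l == base_l or dn_l.endswith("," + base_l)


def users_under_base(directory: dict, base: str) -> list:
    """What a search base restricts: which user objects a subtree search can see."""
    return sorted(a["sAMAccountName"] for dn, a in directory.items()
                  if a["objectClass"] == "user" and dn_in_subtree(dn, base))


def is_member(directory: dict, entry_dn: str, group_dn: str, nested: bool, seen=None) -> bool:
    """Evaluate memberOf for one entry; follow group-of-group links when nested."""
    seen = seen or set()
    if entry_dn in seen:              # guard against membership cycles
        return False
    seen.add(entry_dn)
    groups = directory[entry_dn]["memberOf"]
    if any(g.lower() == group_dn.lower() for g in groups):
        return True
    return nested and any(g in directory and is_member(directory, g, group_dn, True, seen)
                          for g in groups)


def authorize_by_group(directory: dict, username: str, group_dn: str, nested: bool = False) -> bool:
    """Allow internet access only if the named user is a member of group_dn."""
    for dn, attrs in directory.items():
        if attrs["objectClass"] == "user" and attrs["sAMAccountName"].lower() == username.lower():
            return is_member(directory, dn, group_dn, nested)
    return False                      # unknown account: deny


if __name__ == "__main__":
    print("users visible with search base = group DN:", users_under_base(DIRECTORY, GROUP_DN))
    print("users visible with search base = domain:  ", users_under_base(DIRECTORY, "DC=ourdomain,DC=com"))
    print("filter:", build_group_filter("alice", GROUP_DN, nested=True))
    for user in ("alice", "bob", "carol"):
        print(user, "direct:", authorize_by_group(DIRECTORY, user, GROUP_DN),
              "nested:", authorize_by_group(DIRECTORY, user, GROUP_DN, nested=True))
```

Running it shows that a search base equal to the group DN sees no user objects at all (so a product that falls back to plain credential validation will accept every valid account, which matches the behaviour described in the post), whereas the `memberOf` filter admits `alice`, denies `bob`, and admits `carol` only when nested membership is followed. The escaping function matters in practice because a username or DN containing `(`, `)`, `*` or `\` would otherwise alter the filter's meaning.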