topic Re: rule with access role does not match in Spark Firewall (SMB)

rule with access role does not match

Wolfgang — Wed, 07 Jun 2023 18:57:20 GMT

central managed SMB gateway (1570, Smart-1 cloud), LDAP-Account unit with enabled ad-proxy feature.

We can browse the local ActiveDirectory and create access roles with AD groups. For remote access we create a rule with the access role as source. Users can authenticate with their AD accounts successful, but connections to internal resources are dropped. Changing the source to „any“ everything is working fine.

On the gateways Identity Awareness settings only remote access is enabled. I think this should be enough, we need access roles only for remote access. But it looks like the users are not identified.

Any ideas?

Re: rule with access role does not match

PhoneBoy — Mon, 12 Jun 2023 15:05:20 GMT

Remember that "groups" come from LDAP and the gateway itself needs to be able to talk to the relevant LDAP server to retrieve them.
Have you checked this?

Re: rule with access role does not match

Wolfgang — Tue, 13 Jun 2023 07:34:14 GMT

Yes, this works. We are using the same gateway as AD-proxy and we have no problem discovering the AD via this AD-proxy and adding users from AD to the accessrole.

Re: rule with access role does not match

PhoneBoy — Tue, 13 Jun 2023 17:51:43 GMT

I suspect AD Proxy and pdp are occurring through different code paths.
Did you actually check on the SMB gateway itself that it can reach LDAP and is making the appropriate LDAP queries?