1 2 Previous Next 14 Replies Latest reply: Aug 23, 2012 9:47 AM by asabban RSS

    Restricting authorized override users

    ebourne

      Hi all,

       

      I've got a customer who's recently moved from Smartfilter to a Web Gateway appliance; mostly set up and running OK, but we're having a bit of trouble reproducing the override features of Smartfilter.

       

      I've got authorized override set up and working - block page comes up, enter credentials and a time, and it lets you through for that time, then blocks again - fine. The issue is that it seems that *any* valid credentials will let you through.

       

      We'd like to reproduce the override user feature of Smartfilter somehow, where only certain users can override the block page. I've played about with adding 'Authentication.UserGroups' filters to the rule criteria in various places, but I can't seem to get the desired behaviour.

       

      Does anyone know if this is possible - and if so, any hints?

       

      Cheers

       

      Ed

        • 1. Re: Restricting authorized override users
          akill

          I need the same did you solve this??

          • 2. Re: Restricting authorized override users
            Jon Scholten

            I know how to get this working.

             

            The quota plugin will make its way through the rules just like any other transaction. If it is able to make it through, then you will get through.

             

            So all you need to do is create a rule in your Override ruleset to block that particular group. Or you can set any users NOT in a special group to be "unauthenticated".

             

            See screenshot:

            overrideauthorizedonly.png

             

            Let me know if that helps,

            Jon

            • 3. Re: Restricting authorized override users
              akill

              An  the category content filter for theses override users how can I bypass my current rules or set policy for override access

              • 4. Re: Restricting authorized override users
                Jon Scholten

                Hi Akill,

                 

                I dont understand your statement, could you please rephrase?

                 

                Best,

                Jon

                • 5. Re: Restricting authorized override users
                  jsuboh

                  Hi,

                   

                  For some of us that came from SmartFilter, the override access was a very convient feature. Any blocked page could be override by a select few or just the admin. I implemented the block page that eelsasser provided to me on my other post however it partly works; Web Gateway catergorizes some pages under serveral categories. The issue is that if both categories are not under the override allowed category, it does not work which requires me to go back in the management page and white list my ip to review a site. I strongly believe that McAfee Web Gateway needs a function/rule that works exactly like SmartFilter's override access on all categories and emails the admin when override access is activated (this allows me to make sure its not being abused). I get a lot of legitimate educational websites that are blocked that i need to review to unblock and it is very cumbersome.

                   

                  Thanks,

                   

                  Jahad Suboh

                  • 6. Re: Restricting authorized override users
                    Jon Scholten

                    Hi Jahad,

                     

                    Thank you for the feedback, it makes a lot of sense. I have supported SmartFilter for about 4 years and I understand the desire to have the same functionality.

                     

                    Having said that, with Web Gateway the functionality you desire is most likley possible, its usually just a matter of turning the right screws.

                     

                    From what you described (site in multiple categories, first category being in override category list, second being blocked), it sounds like a rule may just need to be configured to stop cycle (for request cycle) if the user is currently on an override session. Otherwise, the user will still fall to the remaining rules (for the category you are blocking). Conversely you could make it so your normal category filtering rules dont apply when users are on an override session.

                     

                    Let me know if this helps,

                    Jon

                    • 7. Re: Restricting authorized override users
                      seebvey

                      Hi Jon,

                       

                      i have tried to configure my web gateway as you have shown it with your screenshot.

                       

                      But after that no user can do the override. Without that rule every valid user can do the override.

                       

                      Why is it not possible to extend the "redirect after authen....." rule with a criteria like "AND UserGroup equals "Override"".

                       

                      I can't get it to work.

                       

                      Do you have a tip for me?

                      Sebastian

                      • 8. Re: Restricting authorized override users
                        schecka

                        Hi Sebastian,

                         

                        looking at the rules in the screenshot, it seems that there is an authentication.usergroups check without doing authentication first.

                        just add a rule to the top of your rule set that says "authentication.authenticate <auth method> equals true action continue" and you should be good to go.

                         

                        cheers

                        sven

                        • 9. Re: Restricting authorized override users
                          schecka

                          Hi Again,

                           

                          I just realized that the rules above might not do what you are looking for. The above will issue a block page if  the user is not in the right group and does not give optipns to enter credentials again.

                          If you would like the user to be send back to the auth override block page, you can use the rules below.

                           

                           

                          auth-over-with-groups.jpg

                           

                          cheers

                          sven

                          1 2 Previous Next