I’m working on a new deployment for MWG 220.127.116.11.0 and I am hitting an issue with Coaching. I started with a canned policy from e2 (PreConfig.18.104.22.168.0-16052.Beta-3.2014-01-05.backup) and that has jump-started the process considerably (thanks). I’m using Kerberos to authenticate the users via the Explicit Proxy Authentication policy and that works great.
So the issue is adding coaching to the mix; I added the policy from the Rule Set Library (Coaching/Quota -> Coaching). One problem I have is: where should the policy be placed relative to the other policies? I noted that if the Coaching policy sits before the Authentication Rules, the coaching redirect fires and I can opt to accept the coaching session. OTOH, if I move Coaching below the Authentication Rules, it does not fire. I don’t get why that would be the case; maybe someone could explain the flow to help clarify that. [Edit] I think this was due to the coaching session time parameters. At the time I tested it, the timer was set for a day, thus no redirect page would fire.
The other problem is: what is the relationship between the “URL Category Blocklist for Coaching” and the “URL filter” rule set? If I put the Coaching policy in a place where the redirect works, and I accept the session, the URL filter rule will block the session because the default behavior is to deny that URL category. It seems to me that the Coaching rule set needs to be above the URL filter, and the filter policy must allow the session. So, in this case, the responsibility for meeting the policy falls back on the user.
I’m coming from a Smartfilter background and maybe I need to change the way I think about it, but my goal is to control access to the Coaching feature. So that if a user accepts coaching, they can override the URL filter that would otherwise block them. I will be adding an AD security group restriction once I get the basic feature to work. In addition for those who cannot use Coaching, the default URL policy should block them.
Below are some of the settings:
I’m hoping some of the seasoned Web Gateway admins can shed some insights.
Message was edited by: firemtn on 3/21/14 5:24:58 PM CDT
Message was edited by: firemtn on 3/21/14 5:26:30 PM CDT
No matter where you put the rules, you will always have to open the category in the general rules.
That is, remove Personal Network Storage from the Default blocked categories. The coaching page should catch it.
That said, the logical place for it is after authentication. After that, it shouldn't matter.
That preconfig was not fully realized, hence the Beta. The final version for 7.3.2 is posted here:
When I use that one, I simply add the coaching rules from the USER-EXPORTED > Custom: Coaching after the URL filtering.
And change the category list to Personal Network. The only thing "Custom" about the coaching is the design of the pages, not the rules themselves.
Then I just turn on NTLM auth and it works for me.
The PreConfig, in general, is used for example and demo. It's not really designed for full-on production unless it's thoroughly tested.
There is definitely a large change from SmartFilter.
On #1 I think you found the issue.
"what is the relationship between the “URL Category Blocklist for Coaching” and the “URL filter” rule set?"
There actually is no relationship between the two rulesets. Web Gateway evaluates the rules in a top-down fashion. This is nicely presented in a rule trace (under Troubleshooting > Rule Tracing Central).
There is only a relationship if you create one. An example might be something like:
-Name: Stop processing "URL Filter" rules if on coaching session
-Criteria: Quota.Coaching.SessionExceeded<URL Category Configuration> equals false
-Action: Stop Ruleset
This rule would then go in your URL Filter ruleset above all the other rules. Please do test this; the criteria mentioned above might work, or you might need:
-Criteria: Quota.Coaching.SessionExceeded<URL Category Configuration> equals false AND URL.Categories<Default> at least one in list [URL Category Blocklist for Coaching]
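
A toy model of the top-down evaluation and the "Stop Ruleset" rule discussed above, comparing the two suggested criteria (an added example, not part of the thread and not Web Gateway's own engine). It assumes a coaching session is tracked per user rather than per category, that the Coaching rule set sits above URL Filter, and it uses a constructed block list; all function names are hypothetical.

```python
# Toy model of top-down rule evaluation; NOT Web Gateway's engine.
# Assumption: a coaching session is tracked per user, not per category.
COACHING_LIST = {"Personal Network Storage"}   # "URL Category Blocklist for Coaching"
DEFAULT_BLOCKED = {"Personal Network Storage", "Malicious Sites"}  # constructed sample

def session_exceeded(req):
    # Stand-in for Quota.Coaching.SessionExceeded: True when no session is active.
    return not req["session_active"]

def in_coaching_list(req):
    return bool(req["categories"] & COACHING_LIST)

# Each rule is (name, criteria, action); actions: "coach", "block", "stop_ruleset".
def coaching_ruleset():
    return [("Redirect to coaching page",
             lambda r: in_coaching_list(r) and session_exceeded(r), "coach")]

def url_filter_ruleset(narrow):
    if narrow:   # second criterion: session active AND category in the coaching list
        stop = lambda r: not session_exceeded(r) and in_coaching_list(r)
    else:        # first criterion: session active, any category
        stop = lambda r: not session_exceeded(r)
    return [("Stop processing URL Filter rules if on coaching session",
             stop, "stop_ruleset"),
            ("Block default categories",
             lambda r: bool(r["categories"] & DEFAULT_BLOCKED), "block")]

def evaluate(rulesets, req):
    for rules in rulesets:               # rule sets are visited top-down
        for name, criteria, action in rules:
            if not criteria(req):
                continue
            if action == "stop_ruleset":
                break                    # skip the rest of this rule set only
            return action, name          # coach/block ends processing
    return "allow", None

def decide(categories, session_active, narrow):
    req = {"categories": set(categories), "session_active": session_active}
    return evaluate([coaching_ruleset(), url_filter_ruleset(narrow)], req)[0]

if __name__ == "__main__":
    for cats in (["Personal Network Storage"], ["Malicious Sites"]):
        for active in (False, True):
            for narrow in (False, True):
                print(cats, active, narrow, "->", decide(cats, active, narrow))
```

Under the per-user session assumption, the broader criterion skips the whole URL Filter rule set for every category while a session is active; the criterion that also checks the coaching list limits the bypass to coached categories.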