maljarrash

How To authenticate / Mapping Active Directory users and groups

Dear All,

We have upgraded our appliance to MWG v7 and it is totally different from the old Webwasher structure.

We need to grant specific AD group users access to certain policies, as we were doing in Webwasher through

User Management > Policy Management > Web Mapping, then Edit rule and Options.

How can we do so in MWG7?

Your assistance is highly appreciated

8 Replies
eelsasser

Re: How To authenticate / Mapping Active Directory users and groups

First, you must authenticate, then use the Authentication.Attributes property to determine what group they are a member of.

You can find a three-part video demonstration of MWG7 here:

McAfee Web Gateway 7.0 Demonstration

Part 1: http://www.youtube.com/watch?v=8lMxpDYA5Wg

Part 2: http://www.youtube.com/watch?v=D56wGhy6qkk

Part 3: http://www.youtube.com/watch?v=LnU0Xh5_nIQ

Within the video (near end of Part 2 and beginning of Part 3) there is an example of authentication and using groups and attributes.

I hope this helps.

maljarrash

Re: How To authenticate / Mapping Active Directory users and groups

Dear Erik,

Thank you for these useful demonstrations; indeed, we understand the new concept. I have deleted and recreated the rule set to be as your setting. As an expediting step, can we import a ready-made rule set? From where can we get one similar to yours?

eelsasser

Re: How To authenticate / Mapping Active Directory users and groups

The rule set I made was crafted from scratch for the demonstration. It was recorded before MWG was released and before the Rules Library was finished so I had to make the rules myself. It may or may not apply to your specific environment.

I've attached a simplified version of these rules to import into your policy. They are initially disabled, so they will have no effect until you review and modify them. You will want to put the 3 main rule groups up at the top level instead of having them as sub-groups. I did that just to transport them as one file.

Here is a simple representation of what they contain. You may just want to print this and enter yours manually instead.

The highlighted parts are easy to forget to enter, but very important to make it work. They are conditions on the Rule Set container itself.

You will need to make your own category lists of Allowed and Denied categories to suit your needs.

Rule Set: Authentication
√Enabled
Applies to Requests: √True, Responses: ∅False, Embedded Objects: ∅False
Rule Set criteria:
  1: Authentication.IsAuthenticated equals false
  2: AND Authentication.AuthenticationFailed equals false
Rules (columns: Enabled | Name/Criteria | Action | Events | Comments):
  √Enabled  Authenticate User database integrated
    1: Authentication.Authenticate<UserDatabase> equals false
    2: AND Authentication.Failed equals false
    Action: Authenticate<Default>

Rule Set: Unauthenticated User Policy
√Enabled
Applies to Requests: √True, Responses: ∅False, Embedded Objects: ∅False
Rule Set criteria:
  1: Authentication.Failed equals true
Rules (columns: Enabled | Name/Criteria | Action | Events | Comments):
  √Enabled  Allowed Categories for "Unauthenticated Users"
    1: URL.Host is in list Unauthenticated User Allowed Hosts
    2: OR URL.Categories at least one in list Allowed Categories for "Unauthenticated Users"
    Action: Stop Cycle
  √Enabled  Block all other unauthenticated users
    1: Authentication.UserName equals ""
    Action: Block<URL Blocked>
    Events: Execute: IncrementCounter("BlockedByURLFilter",1)<Default>

Rule Set: Authenticated Users Policy
√Enabled
Applies to Requests: √True, Responses: ∅False, Embedded Objects: ∅False
Rule Set criteria:
  1: Authentication.IsAuthenticated equals true
Rules (columns: Enabled | Name/Criteria | Action | Events | Comments):
  √Enabled  Allowed Categories for "Domain Admins"
    1: Authentication.Attributes contains "Domain Admins"
    2: AND URL.Categories at least one in list Allowed Categories for "Domain Admins"
    Action: Stop Rule Set
  √Enabled  Allowed Categories for "Webmail Users"
    1: Authentication.Attributes contains "Webmail Users"
    2: AND URL.Categories contains
    Action: Stop Rule Set
  √Enabled  Allowed Categories for "SocialNetworking Users"
    1: Authentication.Attributes contains "SocialNetworking Users"
    2: AND URL.Categories contains
    Action: Stop Rule Set
  √Enabled  Allowed Categories for "Domain Users"
    1: Authentication.Attributes contains "Domain Users"
    2: AND URL.Categories at least one in list Allowed Categories for "Domain Users"
    Action: Stop Rule Set
  √Enabled  Default Category Blacklist
    1: URL.Categories at least one in list Default Category Blacklist
    Action: Block<URL Blocked>
    Events: Execute: IncrementCounter("BlockedByURLFilter",1)<Default>

maljarrash

Re: How To authenticate / Mapping Active Directory users and groups

Dear Erik ,

Indeed, you guided me to the right way; by following your steps (screenshots attached: Gw1.png, Gw2.png, Gw3.png, Gw4.png, Gw5.png), it is now working fine.

Thank you for your kind support.

Regards,

Jarrash

jremtull

Re: How To authenticate / Mapping Active Directory users and groups

Hi Erik

I went through your demo on YouTube and it was an excellent starting point. I followed everything with respect to our environment but somehow cannot get the AD groups authenticated properly. I managed to work the unauthenticated users, in which everything gets blocked. However, for authenticated users, it is allowing the blocked categories as well. Some screenshots are attached. Your help is highly appreciated.

many thanks

Jamil

eelsasser

Re: How To authenticate / Mapping Active Directory users and groups

When you test authentication in the test section of the settings, are groups returned at all?

You have the option to prefix domain names to the group names selected. I think that will cause group names to be referenced as "teckcominco\domain users".

This will not match in the rules if you are only looking at Authentication.Attributes contains "Domain Users".

You either need to uncheck "Prefix group names with domain names"

or change the rule to read Authentication.Attributes contains "teckcominco\domain users"

See if that helps.

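To make the two points above concrete, here is an added example (not from this thread and not McAfee code): a small Python model of Erik's three rule sets, showing how the Stop Cycle / Stop Rule Set ordering decides the outcome and why a domain-prefixed group string such as "teckcominco\domain users" no longer satisfies Authentication.Attributes contains "Domain Users". The category lists, the host list and the lower-case "domain\group" prefix form are assumptions for the sake of the demo.

```python
# Added example (not from the thread and not McAfee code): a minimal Python model of
# Erik's three rule sets, showing how Stop Cycle / Stop Rule Set ordering decides the
# result and why a domain-prefixed group string fails the "contains" match.

# Constructed sample lists; the real ones are built in the MWG list editor.
UNAUTH_ALLOWED_HOSTS = {"update.example.com"}
ALLOWED_CATEGORIES = {
    "Unauthenticated Users": {"Software/Hardware"},
    "Domain Admins": {"Business", "Webmail", "Social Networking"},
    "Webmail Users": {"Webmail"},
    "Domain Users": {"Business"},
}
DEFAULT_BLACKLIST = {"Pornography", "Social Networking", "Webmail"}
# Order of the "Allowed Categories" rules; the first match stops the rule set.
GROUP_RULES = ("Domain Admins", "Webmail Users", "Domain Users")


def prefix_groups(attributes, domain):
    """Model of 'Prefix group names with domain names' as Erik describes it
    (assumed form 'domain\\group' in lower case, e.g. 'teckcominco\\domain users')."""
    return ", ".join(f"{domain}\\{g.lower()}" for g in attributes.split(", "))


def evaluate(is_authenticated, auth_failed, attributes, categories, host=""):
    """Return 'allow' or 'block'. attributes models Authentication.Attributes as one
    string, so 'contains' is a case-sensitive substring test."""
    # Rule set "Unauthenticated User Policy": Authentication.Failed equals true
    if auth_failed:
        unauth_ok = host in UNAUTH_ALLOWED_HOSTS
        if unauth_ok or categories & ALLOWED_CATEGORIES["Unauthenticated Users"]:
            return "allow"        # Stop Cycle: no later rule set sees this request
        return "block"            # Block<URL Blocked>
    # Rule set "Authenticated Users Policy": Authentication.IsAuthenticated equals true
    if is_authenticated:
        for group in GROUP_RULES:
            # Authentication.Attributes contains "<group>"
            # AND URL.Categories at least one in list Allowed Categories for "<group>"
            if group in attributes and categories & ALLOWED_CATEGORIES[group]:
                return "allow"    # Stop Rule Set: Default Category Blacklist is skipped
        if categories & DEFAULT_BLACKLIST:
            return "block"        # Default Category Blacklist
    return "allow"                # nothing matched: request continues down the policy


if __name__ == "__main__":
    groups = "Domain Users, Webmail Users"
    print(evaluate(True, False, groups, {"Webmail"}))                               # allow
    print(evaluate(True, False, prefix_groups(groups, "teckcominco"), {"Webmail"}))  # block
```

With the prefix option on, none of the group rules match, so the request falls through to the Default Category Blacklist; a category that is not on the blacklist is still allowed, which is why a misconfigured group match is easy to miss until a blacklisted category is tested.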
jremtull

Re: How To authenticate / Mapping Active Directory users and groups

Hi Erik,

Thanks so much for your prompt reply. I tried disabling the "Prefix group names with domain names" option, but authenticated users are still getting through to categories that are not allowed, i.e. pornography. The authentication is successful and groups are returned OK, as per the attached screenshots.

Am I doing the string value properly under Lists > Strings > AD user group > Domain Users?

Is it the URL.Categories<Default> section that is bypassing the allowed categories lookup? I am not too familiar with the strings, properties and values and exactly what function they do. Maybe there is a good reference guide out there which explains this.

(attached screenshots: lists string.JPG, authenticate.JPG, URL Filter.JPG, allowed.JPG, NTLM.JPG)

eelsasser

Re: How To authenticate / Mapping Active Directory users and groups

There are probably a dozen different ways of doing what you want.

Remove the line for "OR Wildcard.ToString(Whitelist.Corp_Policy_1.Web.Merged) equals ..." etc. That's messing you up.

That imported list is a URL list that you would use in the Global Whitelist rules with syntax similar to:

URL is in list Whitelist.Corp_Policy_1.Web.Merged         Stop RuleSet or Stop Cycle

If the intent is that you want the whole Rule Set and tree branches called "Teck Corp Policy" to apply to only Domain Users, then put the "Authentication.Attributes contains Domain Users" On the rule set itself instead of the Always that is there. Anything inside of that rule set will only be for Domain Users afterwards.

Also, you should check out the policyViewer, which lets you back up the configuration or export the rule sets and display them where you can copy/paste the tables instead of screenshots.
