I am looking for some possibilities to allow a user to override a blocked url on its own response. I have gone through the chapter "Quota management" in the documentation. Reading the part of "Authorized override" I came somehow into the topic however, not exactly. Furthermore I read the following in the documentation: "Authentication of this user is performed according to the configured authentication method. However, when configuring this method, you cannot let it include an integrated authentication mode.". That implies to me that it is not possible to have a user to override using an authentication against some a directory like ldap or active directory, am I right?
Basicly the usercase I'm thinking about is to have a set of categories which are blocked over all for security reasons, that is, a category like "Anonymizers". Furthermore I would like to have a set of categegories with critical content like "drugs". These categories should also be filtered in general, however, I would like to provide a possibility to the user to access such categorized sites nevertheless using its authentication and providing a special note (like "please think twice, your request will be logged" and so on). Unfortunately I was unable so far to find such a configuration and according the documentation I'm not sure if MWG covers such a usercase.
Thanks for any hints, Stefan
PS: MWG 22.214.171.124 in place
I am not exactly sure why the default "Auth Override" is not suitable. It allows you to specify categories and will show a block page when the category is hit. You will be asked to enter a username/password which will be checked against any directory (User-Database by default, can be LDAP, NTLM, etc.). If the authentication succeeds access is granted.
This sounds like the use case you described for me :-)
Well, if I go through the documentation I get the impression that this feature does not meet my needs as descriced. However, in your words it sounds like that I give it a try and do some testing on our testsystem.
Many thanks so far, Stefan
Hehe... you should try it out. To make your life much easier I would recommend to first try the default rule "as is" (with UserDB in the backend). Sometimes people tend to import a rule set, modify it and then find out nothing works as expected. Just start with the default version and we can adjust the rule to a different directory etc. later.
If it does not match what you are looking for, please let us know.
...just got back from the basic testing. You were right, this is pretty much what I was looking for it. As I detail I would like to define a hard limit for the validity of the override rather than let this in the responsibility of the user. A value of 30min. would be an appropriate value for that. I wonder if I could handle that need somehow? Will doublecheck also the documentation again.
For my organization only the management level and above have the ability to override the policies. I am using a combination of the quote.coaching session exceeded along with a check on their AD group membership (Allowed Override) along with blocked categories, blocked url list. If the session is exceed and they are in the group and the category or URL is blocked then they are prompted with an accept page (Click to accept the fact you are bypassing the corporate policy) and they are allowed out (stop rule set), the next rule is the block.
A little tricky to setup at first but it works great and from what I see in the logs it is used often.Message was edited by: hudsy on 8/7/13 9:39:52 AM CDT
hudsy, that sounds pretty much about what I am looking for. Would it be possible for you to post part of your configuration, may be even the exported rules and rulesets?
How did you design the accept page? Does the user still have to provide a time period for which the override is valid? Does the user have to post some reasons for why it has to access the site even it is blocked or not? And finally: How do you log the overrides?
I have attached a screen shot of the rules. In the block action I made a page that is displayed with a button to accept the override.
To design the accept page I started by using the coaching page and customized it to my needs.
In the coaching configuration section I have it set to 15 minutes or so.
No reason is needed to be given for the override.
I setup a custom log but it stays strictly in the web gateway at this point in time. I should probably go back and change it so that the override is set so when the logs are transferred to CSR that I can run a report on the amount the overrides are used.
Sorry for the delay in getting back, been busy and don't get on here all the time. I hope this helps, if it isn't too late.