brianfrazer
Level 7

How to restrict an AD Group to a URL List

Greetings All,

I am having an issue that I hope someone can answer for me. I have two categories of users in my company that I need to configure Internet access for. The first AD Group is simple enough: they are simply filtered by allowed categories, and I have that working. The second AD Group is far more restricted in its Internet access. This AD Group needs to be restricted to a URL Whitelist. This is proving to be far more work than I had anticipated. I have so far only been able to filter the restricted group by category, or everything is denied for not being in the allowed category list. However, the URLs do fall under the allowed categories for the entire company.

Here are the summaries of the recent rule sets that I have tried.  I have tried several variations of these Rule Sets.

Name:
Allow Web Access to Stores WhiteList

Comment:

Rule Criteria:
Authentication.Attributes contains "Store Secondaries" AND
URL.Host matches in list Stores URL WhiteList

Action:
Stop Rule Set

Name:
Block Not in Stores White List

Comment:

Rule Criteria:
Authentication.Attributes contains "Store Secondaries" AND
URL.Host does not match in list Stores URL WhiteList

Action:
Block

Can someone please tell me the correct way to accomplish this, or at least point me in the right direction.

Any help is always appreciated.

Brian

5 Replies
eelsasser
Level 15


It seems to me that the second line is the only one you need. If they are in the AD group AND it's not in the white list, block.

Anyone that is not in the AD group would go to the next rule and be allowed or blocked according to your category list for everyone else.


Am I missing something?

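To make the point in the reply above concrete, here is an added example (not code from this thread or from the Web Gateway product) that models the two rule sets as a small evaluator. The action semantics are assumptions about how the engine behaves: "Block" ends processing, "Stop Rule Set" leaves the current rule set and continues with the next one, and a rule whose criteria do not match is simply skipped. The whitelist entries, category names and requests are constructed sample data, and the list matching (exact host, or a "*.domain" wildcard) is an assumption about list semantics, not a statement about how the product's URL.Host list matching works.

```python
"""Toy model of rule-set evaluation for an AD-group URL whitelist (added example, not MWG code).

Modelled actions (assumed semantics):
  "Block"         -> stop everything, request is blocked
  "Stop Rule Set" -> leave this rule set, continue with the next rule set
  no match        -> go to the next rule
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Iterable, List, Optional, Set, Tuple

# Constructed sample data (assumed list semantics: exact host, or "*.domain" wildcard).
STORES_URL_WHITELIST = ["mapquest.com", "*.mapquest.com", "intranet.example.test"]
# Constructed sample data: categories the company-wide rule set allows.
ALLOWED_CATEGORIES = {"Maps", "Business", "Internal Sites"}


@dataclass
class Request:
    user: str
    groups: Set[str]   # stands in for Authentication.Attributes (AD group memberships)
    host: str          # stands in for URL.Host
    category: str      # stands in for the URL category (single category, for simplicity)


# A rule is (name, criteria, action).
Rule = Tuple[str, Callable[[Request], bool], str]


def host_in_list(host: str, entries: Iterable[str]) -> bool:
    """Assumed matching: exact match, or wildcard such as '*.mapquest.com'.
    A bare entry 'mapquest.com' does NOT match 'www.mapquest.com' under these rules."""
    return any(fnmatchcase(host.lower(), e.lower()) for e in entries)


def stores_rule_set(whitelist: Iterable[str]) -> List[Rule]:
    """The two rules from the original post, in the original order."""
    def restricted(req: Request) -> bool:
        return "Store Secondaries" in req.groups
    return [
        ("Allow Web Access to Stores WhiteList",
         lambda r: restricted(r) and host_in_list(r.host, whitelist), "Stop Rule Set"),
        ("Block Not in Stores White List",
         lambda r: restricted(r) and not host_in_list(r.host, whitelist), "Block"),
    ]


# Company-wide category filtering, modelled as its own rule set placed after the stores one.
CATEGORY_RULE_SET: List[Rule] = [
    ("Block by Category", lambda r: r.category not in ALLOWED_CATEGORIES, "Block"),
]


def evaluate(req: Request, rule_sets: List[List[Rule]]) -> Tuple[str, Optional[str]]:
    """Walk rule sets top to bottom; return (decision, name of the rule that blocked)."""
    for rule_set in rule_sets:
        for name, criteria, action in rule_set:
            if not criteria(req):
                continue
            if action == "Block":
                return "Blocked", name
            if action == "Stop Rule Set":
                break  # skip the rest of this rule set, carry on with the next one
    return "Allowed", None


def decide(req: Request, whitelist: Iterable[str] = STORES_URL_WHITELIST):
    """Both rules from the post, followed by the category rule set."""
    return evaluate(req, [stores_rule_set(list(whitelist)), CATEGORY_RULE_SET])


def decide_single_rule(req: Request, whitelist: Iterable[str] = STORES_URL_WHITELIST):
    """Only the 'Block Not in Stores White List' rule, as the reply suggests."""
    return evaluate(req, [stores_rule_set(list(whitelist))[1:], CATEGORY_RULE_SET])


def decide_same_rule_set(req: Request, whitelist: Iterable[str] = STORES_URL_WHITELIST):
    """Pitfall: if the category rule lives in the SAME rule set, 'Stop Rule Set' skips it."""
    return evaluate(req, [stores_rule_set(list(whitelist)) + CATEGORY_RULE_SET])


if __name__ == "__main__":
    store_user = Request("alice", {"Store Secondaries"}, "www.mapquest.com", "Maps")
    other_user = Request("bob", {"Domain Users"}, "www.dell.com", "Business")
    print(decide(store_user), decide_single_rule(store_user))
    print(decide(Request("alice", {"Store Secondaries"}, "www.dell.com", "Business")))
    print(decide(other_user))
    # Exact-match-only list: 'www.mapquest.com' is no longer covered by 'mapquest.com'.
    print(decide(store_user, whitelist=["mapquest.com"]))
```

Two things the model makes visible: with the category rule set placed after the stores rule set, the first rule with "Stop Rule Set" adds nothing, because a whitelisted host never matches the block rule anyway, so both variants reach the category filter with the same result; and if the category rule were placed inside the same rule set, "Stop Rule Set" would let a whitelisted host bypass the category check entirely. The last print shows the list-matching caveat to verify when a custom list "does not work": under exact-match semantics, a list entry of `mapquest.com` does not cover `www.mapquest.com`, and the restricted group is blocked by the whitelist rule rather than allowed.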
brianfrazer
Level 7


It seems we both are missing something here. I originally tried this, however it just does not work.

At the user level, doing as you suggested, this is what I get from a site in the URL list.

<!--FileName: URLBlocked.html Language:

There is nothing else on the page to shed any light on the issue whatsoever.

Thanks for the suggestion,

Brian

eelsasser
Level 15


I'm not sure I understand.

The block page is not rendering properly, and is blank when a block occurs?

Or maybe I misunderstood your statement.

One thing I like to do on an actual block page is put the rule name into it so I know exactly which rule blocked.

If you edit the schema page, you can add a little property that shows in the corner of the page:

Rules.CurrentRule.Name: $Rules.CurrentRuleName$

The results should look something like this:

(screenshot: Capture.PNG)

You could also put the rule name into a log file as well.

brianfrazer
Level 7


With this rule enabled:

Name:
Block Not in Stores White List

Comment:

Rule Criteria:
Authentication.Attributes contains "Store Secondaries" AND
URL.Host does not match in list Stores URL WhiteList

Action:
Block

The page is not rendering correctly for some reason. Let's say that mapquest.com is in the approved whitelist, which it is, btw. What I get in their browser is exactly what I posted in my previous message. If I go to Dell.com, for instance, what the browser renders is "a URL has been blocked because it is not in the approved category list".

The same thing happens if I change the 2nd criteria to:

URL does not match in list Stores URL WhiteList

You posted:

One thing I like to do on an actual block page is put the rule name into it so I know exactly which rule blocked.

I did this in the initial setup of the Web Gateway.

The MWG is running on 7.0.2.2 (9841)

Thanks again,

Brian

brianfrazer
Level 7


Greetings,

I never could get the custom whitelist to work properly. However, during my testing, I did find that the Global Whitelist URLs did work. I edited the Global Whitelist name to end with -old. I then created a new Global Whitelist with my custom list, and it worked just fine.

I am still not sure why the custom list would not work and right now, don't much care.  I have a working solution and will leave it this way for the time being.

Thanks again for the help and suggestions,

Brian
