Let the user decide

Hello Community

I'm trying to implement my first ruleset. The idea behind my rule is the following:

-> we are going to restrict access to SSL-protected sites which use self-signed certificates or untrusted issuers.

When someone tries to access such a website he shall not be blocked - but a dialog should be presented.

On the dialog the user will be informed that the site is probably not trustworthy.

Nevertheless - if the user really needs to visit the site he should be able to "Confirm" - and Access is granted.

If the Access could be granted for a specific duration (1 day / 1 week) the solution would be perfect...

---

The first part is relatively easy to implement:

-> If the site uses a self-signed certificate I'll initiate a redirect where the user is informed.

letUserDecide.gif

But I have no clue how to implement step 2 (Confirm) and step 3 (duration) in the ruleset.

Any help would really be appreciated.

best regards

Chris

Message edited by christoph.ernst on 08.07.11 08:18:14 CDT
0 Kudos
1 Solution

Accepted Solutions
eelsasser
Level 15

Re: Let the user decide

The concept is similar to Coaching. You hit a site, show a warning, and allow the user to click through.

Try to import and integrate the Coaching rules from the library into the (SelfSigned==true OR FoundKnownCA==false) criteria.

0 Kudos
Re: Let the user decide

Hello E. Elsasser

Thanks for your prompt answer. This seems to work - I have to bring the config to perfection - but basically I was successful - thanks.

This brings me to a next question. As we run several MWGs and load balance using round robin, the above config is quite a pain as the "Coaching Dialog" appears several times (one time for each MWG). Is there a way to sync state between the Gateways? Or do we have to rethink our load balancing method...

have a good day

Chris

0 Kudos
asabban
Level 17

Re: Let the user decide

Hi Chris,

If your users are talking to multiple MWGs, it is recommended to have session stickiness configured. Some options that should work fine:

- Client IP stickiness

- Destination URL stickiness

The integrated HA uses Client IP stickiness (with all Pros and Cons actually) to keep a user's session on the same MWG. If "round robin" is used, a user's session may be distributed across all available boxes, which may cause problems, especially with all kinds of quota/coaching stuff, as well as progress pages.

The coaching information is synched between the gateways (as far as I can tell), but not in "real time". It is only used to make the other nodes aware of the coaching/quota information, but is not intended to be distributed so quickly that accepting coaching on Box A will automatically allow access on Box B.

From my perspective I think a tweak to the load balancing should be made to have session stickiness. But maybe someone has a different idea :-)

Best,

Andre

0 Kudos
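
A small model of the behaviour discussed in this thread, added here as an illustration and not taken from MWG or from any poster: each gateway keeps its own coaching acceptances, and the same traffic is replayed through round robin and through client IP stickiness. The `Gateway` class, the one-day session length, the absence of any sync between nodes and the sample requests are assumptions constructed for the example.

```python
import itertools
import zlib

DAY = 24 * 3600  # coaching session length in seconds (assumed: 1 day)

class Gateway:
    """One proxy node holding its own coaching acceptances (no real-time sync)."""
    def __init__(self, name, session_len=DAY):
        self.name = name
        self.session_len = session_len
        self.accepted = {}  # (client_ip, host) -> expiry timestamp

    def handle(self, client_ip, host, now):
        """Return 'allow' if a valid acceptance exists, else 'coach' (warning page).
        The model assumes the user always clicks Confirm on the warning."""
        key = (client_ip, host)
        if self.accepted.get(key, 0) > now:
            return "allow"
        self.accepted[key] = now + self.session_len
        return "coach"

def round_robin(gateways):
    cycle = itertools.cycle(gateways)
    return lambda client_ip: next(cycle)

def client_ip_sticky(gateways):
    # Stable hash so the same client always lands on the same node.
    return lambda client_ip: gateways[zlib.crc32(client_ip.encode()) % len(gateways)]

def count_prompts(make_balancer, requests, nodes=3):
    """Replay (timestamp, client_ip, host) requests; return how many warnings were shown."""
    gateways = [Gateway(f"mwg{i}") for i in range(nodes)]
    pick = make_balancer(gateways)
    return sum(pick(ip).handle(ip, host, ts) == "coach" for ts, ip, host in requests)

# Constructed sample traffic: two clients browsing one self-signed site.
REQUESTS = [
    (0, "10.0.0.5", "intranet.example"), (10, "10.0.0.5", "intranet.example"),
    (20, "10.0.0.5", "intranet.example"), (30, "10.0.0.9", "intranet.example"),
    (40, "10.0.0.5", "intranet.example"), (50, "10.0.0.9", "intranet.example"),
    (DAY + 60, "10.0.0.5", "intranet.example"),  # after the session expired
]

if __name__ == "__main__":
    print("round robin prompts:", count_prompts(round_robin, REQUESTS))
    print("client IP sticky prompts:", count_prompts(client_ip_sticky, REQUESTS))
```

With stickiness each client is warned once per session; under round robin the warning repeats on every node the client reaches until all of them hold an acceptance.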