aurimas
Level 7

MWG Is it possible to filter web access by domain user?

Hi,

I am using MWG 7.4.2.2.0 and I am trying to set up LDAP authentication for the first time.

I wonder if it is possible to filter web content (make a rule) for specific users in my domain.

For example: I want to allow access to social networks for a specific list of domain users and block it for the rest. One user logs in to a workstation and gets access; another logs in to the same workstation and is blocked. I do not care about group memberships, only about specific users.

Is it possible? If it is, I would appreciate some configuration guidance.

Thanks. 

1 Solution

Accepted Solutions
asabban
Level 17

Re: MWG Is it possible to filter web access by domain user?

Hello,

I was assuming authentication is already set up. For MWG, "LDAP Authentication" means asking the user for a user name and password. What you are looking for is integrated authentication, which works with NTLM (Active Directory) or Kerberos. In such a case the browser will automatically authenticate; there is nothing the user needs to do. Apart from eDirectory, MWG will not check a directory for logged-in users by their IP address. I am not aware that this is a common procedure; maybe you need to shed some more light on your environment in order to allow some good advice.

If authentication is already set up and working fine on the firewall there might be a way to add the username to the HTTP request that gets to MWG, but this depends on if the firewall is capable of doing so.

Best,

Andre

5 Replies
asabban
Level 17

Re: MWG Is it possible to filter web access by domain user?

Hello,

This should not be a hard task. After authentication has taken place you will find the user name in the property "Authentication.Username" and the categories in the property "URL.Categories".

You can create a rule set that has two rules and applies an action depending on who is accessing a Social Media site.

1. Rule: If URL.Categories contains "Social Media" AND Authentication.Username matches in list <list of allowed usernames> Then "Stop Rule Set"

2. Rule: If URL.Categories contains "Social Media" Then "Block"

If a user accesses a social media site and the user is in the list of allowed users the "Stop Rule Set" action will make sure the second action is not executed. For all other users the first rule does not match so the second rule is called which executes a "Block" action, so access is denied.

Certainly you need to make sure you do not block or allow social media categories anywhere else in the policy, but generally that requirement should be simple to fulfill.

Best,

Andre
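
The evaluation order described in the reply above, as an added Python model (not MWG rule syntax and not part of the original post). The sample user list, the case-insensitive glob matching, the second conflicting rule set and all function names are assumptions made for illustration; it shows why an allowed user can still be blocked when another rule set in the policy also acts on the category.

```python
from fnmatch import fnmatchcase

# Hypothetical model of the two-rule set; property names are the ones
# quoted in the post, everything else is constructed for this example.
ALLOWED_USERS = ["jsmith", "adm-*"]   # constructed sample list

def in_list(username, patterns):
    """Case-insensitive glob match (assumption about list semantics)."""
    name = (username or "").lower()
    return any(fnmatchcase(name, p.lower()) for p in patterns)

def social_media_rule_set(req):
    """Return 'Block', 'Stop Rule Set', or None when no rule matched."""
    is_social = "Social Media" in req["URL.Categories"]
    # Rule 1: listed user on a social media site -> leave this rule set.
    if is_social and in_list(req["Authentication.Username"], ALLOWED_USERS):
        return "Stop Rule Set"
    # Rule 2: anyone else on a social media site -> block.
    if is_social:
        return "Block"
    return None

def later_category_block(req):
    """A conflicting rule set elsewhere in the policy (constructed)."""
    if "Social Media" in req["URL.Categories"]:
        return "Block"
    return None

def evaluate(policy, req):
    """Run rule sets in order; 'Stop Rule Set' only ends its own rule set,
    so later rule sets still see the request. Only 'Block' ends processing."""
    for rule_set in policy:
        if rule_set(req) == "Block":
            return "Block"
    return "Allow"

def request(user, *categories):
    """Build a constructed request with the two properties the rules read."""
    return {"Authentication.Username": user, "URL.Categories": set(categories)}
```

A request with an empty user name (no authentication took place) never matches the list, so it falls through to the second rule and is blocked.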

aurimas
Level 7

Re: MWG Is it possible to filter web access by domain user?

Hi asabban,

Thanks for the reply.

I get the part about creating the rule set, but what kind of authentication do I need, and how should I configure it to get the property "Authentication.Username"?

And I would like to know whether it is possible to run authentication where MWG authenticates the user by itself (asks LDAP or a domain controller about logged-in users and, for example (but not necessarily), maps them to IP addresses). I mean that when a user logs in to his workstation, he should be automatically authenticated to MWG.

I ask this because I have this feature configured on my firewall and it is really handy for me to administer users, and they don’t have the inconvenience of entering passwords.

aurimas
Level 7

Re: MWG Is it possible to filter web access by domain user?

Hi,

Thanks for the reply again.

I have set up authentication now; it was the main problem for me. After your reply I configured Windows domain membership, and in Settings->Engines->Authentication I created an NTLM Authentication method. After testing, the result is OK.

Then I created a Wildcard Expression list of domain usernames and used the rules you suggested in your first reply. So far it works and looks good.

Thanks for the help.

asabban
Level 17

Re: MWG Is it possible to filter web access by domain user?

Perfect! Thank you for the update!

Best,

Andre