I've got a customer who's recently moved from Smartfilter to a Web Gateway appliance; mostly set up and running OK, but we're having a bit of trouble reproducing the override features of Smartfilter.
I've got authorized override set up and working - block page comes up, enter credentials and a time, and it lets you through for that time, then blocks again - fine. The issue is that it seems that *any* valid credentials will let you through.
We'd like to reproduce the override user feature of Smartfilter somehow, where only certain users can override the block page. I've played about with adding 'Authentication.UserGroups' filters to the rule criteria in various places, but I can't seem to get the desired behaviour.
Does anyone know if this is possible - and if so, any hints?
I know how to get this working.
The quota plugin will make its way through the rules just like any other transaction. If it is able to make it through, then you will get through.
So all you need to do is create a rule in your Override ruleset to block that particular group. Or you can set any users NOT in a special group to be "unauthenticated".
Let me know if that helps,
For some of us that came from SmartFilter, the override access was a very convient feature. Any blocked page could be override by a select few or just the admin. I implemented the block page that eelsasser provided to me on my other post however it partly works; Web Gateway catergorizes some pages under serveral categories. The issue is that if both categories are not under the override allowed category, it does not work which requires me to go back in the management page and white list my ip to review a site. I strongly believe that McAfee Web Gateway needs a function/rule that works exactly like SmartFilter's override access on all categories and emails the admin when override access is activated (this allows me to make sure its not being abused). I get a lot of legitimate educational websites that are blocked that i need to review to unblock and it is very cumbersome.
Thank you for the feedback, it makes a lot of sense. I have supported SmartFilter for about 4 years and I understand the desire to have the same functionality.
Having said that, with Web Gateway the functionality you desire is most likley possible, its usually just a matter of turning the right screws.
From what you described (site in multiple categories, first category being in override category list, second being blocked), it sounds like a rule may just need to be configured to stop cycle (for request cycle) if the user is currently on an override session. Otherwise, the user will still fall to the remaining rules (for the category you are blocking). Conversely you could make it so your normal category filtering rules dont apply when users are on an override session.
Let me know if this helps,
i have tried to configure my web gateway as you have shown it with your screenshot.
But after that no user can do the override. Without that rule every valid user can do the override.
Why is it not possible to extend the "redirect after authen....." rule with a criteria like "AND UserGroup equals "Override"".
I can't get it to work.
Do you have a tip for me?
looking at the rules in the screenshot, it seems that there is an authentication.usergroups check without doing authentication first.
just add a rule to the top of your rule set that says "authentication.authenticate <auth method> equals true action continue" and you should be good to go.
I just realized that the rules above might not do what you are looking for. The above will issue a block page if the user is not in the right group and does not give optipns to enter credentials again.
If you would like the user to be send back to the auth override block page, you can use the rules below.