ittech
Level 13

Two things I can't seem to figure out

I hope I explain this properly, my trial runs out on 08/07 and my manager has some questions. These questions pertain to Web Gateway 7.

1) Can I create a filter for specific AD Users without having to add them into a new AD Group?

          EX: There are a few select people who need access to youtube.com. Can I create a filter or rule to only give those users access to YouTube without having to create another group in AD, and how? This may not seem like a problem, but specific users need access to sites that others in their AD group should not be able to access, and we don't want to end up creating 15 new groups so that the users can access them appropriately.

2) Can I create a filter for an IP range that doesn't authenticate to the domain and how?

          EX: We have a wireless access point for visitors with laptops and we would like to filter their access to the internet without forcing them to join the domain and authenticate.


Accepted Solutions
eelsasser
Level 15

Re: Two things I can't seem to figure out

1) Yes.

2) Yes.

1) In the rules, you place a rule that uses the Authentication.UserName above a rule with Authentication.Attributes (groups). It hits the username rule first, matches, and doesn't proceed to the group rule (stop Rule Set).

2) In the authentication section you put a rule that matches on Client.IP is in range 192.168.2.0/24 (or something similar) and bypass the actual authentication rules.

There are some interesting and similar examples in some videos I posted here:

McAfee Web Gateway 7.0 Demonstration

Part 1: http://www.youtube.com/watch?v=8lMxpDYA5Wg

Part 2: http://www.youtube.com/watch?v=D56wGhy6qkk

Part 3: http://www.youtube.com/watch?v=LnU0Xh5_nIQ

If I recall, some of those authentication conditions are described near the end of part 2 and start of part 3. Pause the video and look at how the rules are written.

For question 2, there is actually a use case on the video where it will attempt to authenticate, fail and just go to a default policy. This would help for employees that use the guest wireless. They can get through, but the visitors cannot.

on 7/28/10 10:30:06 AM CDT
8 Replies
ittech
Level 13

Re: Two things I can't seem to figure out

Thank you, sir.

Just to be clear on the first question. With the Authentication.UserName rule, could I just whitelist youtube and the user could get the rest of their policy through their group?

eelsasser
Level 15

Re: Two things I can't seem to figure out

Yep. A simple example is:

If
  Authentication.UserName = "ittech" AND
  URL.Host matches "*.youtube.com"
Then
  Stop Rule Set

If it doesn't match that condition, it goes to the next rule, which would be the normal policy.

A more complex example is that you have a local list of user names defined on MWG and use that instead of the specific user in the rule. For example:

Lists:

"YouTube Users List":
  ittech
  eelsasser
  jsmith

Rule:
  Authentication.UserName is in list "YouTube Users List" AND
  URL.Host matches "*.youtube.com"

You can get more detailed if you want to:

  Authentication.UserName is in list "YouTube Users List" AND
  Client.IP equals "192.168.2.3" AND
  URL.Host matches "*.youtube.com"

So they can only watch YouTube from that specific IP.

Message was edited by: Erik Elsasser on 7/28/10 10:41:11 AM CDT
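The rule ordering from the accepted answer (username exception above the group rule, guest IP range bypassing authentication) and the list-based YouTube exception in the reply above, modelled as an added example. This is not MWG configuration and not code from anyone in this thread: it is a small Python simulation of top-down rule-set evaluation with Stop Rule Set semantics. The directory entries, client addresses, group names, the guest allowlist and the "Guest policy" rule set are constructed for the demonstration.

```python
"""Model of MWG-style top-down rule evaluation (added example, not MWG code).

Rule sets run in order. Inside a rule set the first rule whose criteria match
fires: "stop_rule_set" skips the remaining rules of that set only, "block"
ends the whole request cycle, anything else continues with the next rule.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed stand-in for AD/NTLM: Client.IP -> (UserName, group attributes).
USER_DIRECTORY = {
    "10.0.0.11": ("ittech", {"Staff"}),
    "10.0.0.12": ("jsmith", {"Staff"}),
    "10.0.0.13": ("eelsasser", {"Admins"}),
}
GUEST_RANGE = ipaddress.ip_network("192.168.2.0/24")   # visitor WLAN, never authenticates
YOUTUBE_USERS = {"ittech", "eelsasser"}                # the "Allowed YouTube Users" string list
VIDEO_HOSTS = ["*.youtube.com", "*.vimeo.com"]         # hosts the Staff group may not reach
GUEST_ALLOWED_HOSTS = ["*.example.com"]                # constructed guest allowlist


@dataclass
class Request:
    client_ip: str
    url_host: str
    user: Optional[str] = None                 # Authentication.UserName; None = unauthenticated
    groups: set = field(default_factory=set)   # Authentication.Attributes


@dataclass
class Rule:
    name: str
    criteria: Callable[[Request], bool]
    action: Callable[[Request], str]           # returns "stop_rule_set", "block" or "continue"


def host_in_list(host: str, patterns) -> bool:
    """URL.Host 'matches' / 'is in list' with glob wildcards.
    Note: "*.youtube.com" does not match the bare host "youtube.com"; add it
    separately if the bare host matters."""
    return any(fnmatch.fnmatch(host, p) for p in patterns)


def authenticate(req: Request) -> str:
    """Stand-in for the NTLM/LDAP lookup: fills UserName and Attributes if known."""
    if req.client_ip in USER_DIRECTORY:
        user, groups = USER_DIRECTORY[req.client_ip]
        req.user, req.groups = user, set(groups)
    return "continue"


def stop_rule_set(req: Request) -> str:
    return "stop_rule_set"


def block(req: Request) -> str:
    return "block"


AUTHENTICATION = [
    # Guest range is exempt from authentication. It must NOT be exempt from policy,
    # which is why a restrictive guest rule set follows below.
    Rule("Skip authentication for guest WLAN",
         lambda r: ipaddress.ip_address(r.client_ip) in GUEST_RANGE, stop_rule_set),
    Rule("Authenticate", lambda r: True, authenticate),
]
GUEST_POLICY = [
    Rule("Guest policy: block anything not explicitly allowed",
         lambda r: r.user is None and not host_in_list(r.url_host, GUEST_ALLOWED_HOSTS), block),
]
YOUTUBE_EXCEPTION = Rule(
    "Allow YouTube to specific users",
    lambda r: r.user in YOUTUBE_USERS and host_in_list(r.url_host, ["*.youtube.com"]),
    stop_rule_set)
STAFF_VIDEO_BLOCK = Rule(
    "Block video sites for Staff",
    lambda r: "Staff" in r.groups and host_in_list(r.url_host, VIDEO_HOSTS), block)


def run_rule_set(rules, req: Request):
    """First matching rule decides; returns (rule name, outcome)."""
    for rule in rules:
        if rule.criteria(req):
            outcome = rule.action(req)
            if outcome in ("stop_rule_set", "block"):
                return rule.name, outcome
    return None, "continue"


def decide(client_ip: str, url_host: str, exception_first: bool = True):
    """Run authentication, guest policy and content filter; return (verdict, deciding rule).
    exception_first=False reproduces the mistake of putting the group rule above
    the per-user exception."""
    req = Request(client_ip, url_host)
    content = ([YOUTUBE_EXCEPTION, STAFF_VIDEO_BLOCK] if exception_first
               else [STAFF_VIDEO_BLOCK, YOUTUBE_EXCEPTION])
    for rule_set in (AUTHENTICATION, GUEST_POLICY, content):
        name, outcome = run_rule_set(rule_set, req)
        if outcome == "block":
            return "block", name
        # "stop_rule_set" or "continue": carry on with the next rule set
    return "allow", "default"
```

The wrong-order case is the failure mode the thread circles around: with the group block above the exception, the listed user never reaches the rule that would have stopped the set. The guest range shows the other half of the accepted answer: bypassing authentication is only safe because a restrictive rule set keyed on the empty user name follows it; skipping authentication alone would hand visitors whatever policy an unauthenticated request happens to match.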
ittech
Level 13

Re: Two things I can't seem to figure out

This help is awesome.

I set this up and it totally makes sense, but I can't seem to get it working properly.

I made a list (String) and added a user. Now, I can't seem to find the list on the list list (wow). So, I'm not sure if that is the problem or if I need to add users in a Domain/UserName fashion.

eelsasser
Level 15

Re: Two things I can't seem to figure out

The rule looks like this:

Rule: Allow YouTube to specific users
  Criteria:
    1: URL.Host matches *.youtube.com
    2: AND Authentication.UserName is in list Allowed YouTube Users
  Action: Stop Rule Set

The list looks like this:

String List: Allowed YouTube Users
  1  eelsasser
  2  jsmith
  3  tjones

ittech
Level 13

Re: Two things I can't seem to figure out

I finally noticed the difference between our policies!

The trial comes with separate content filters for each group, like this:

[image: MyMWG7.JPG]

Your example in the video has one content filter with separate rules for each group in it.

The problem was I had placed my rule outside the content filter for the group that user was in.

Thanks for all your help, Erik. Sorry if I was dense in any way.

eelsasser
Level 15

Re: Two things I can't seem to figure out

One thing I like to do is put some properties into comments on the main block schema page. This is useful for debugging. When a block page is displayed, you can view the source and see valuable information. Some of the properties I like to include are:

(Stick this at the end of index.html; use the Add Property button to insert each $Property$.)

<!--
Rule Name: $Rules.CurrentRule.Name$
User: $Authentication.UserName$
Groups: $Authentication.Attributes$
-->

just a helpful hint...

ittech
Level 13

Re: Two things I can't seem to figure out

Done and tested. Very cool stuff!

Thanks again!
