6 Replies Latest reply on Aug 17, 2017 4:37 AM by pagudom

    Web Gateway, crear reglas por grupos de AD




      Tenemos un piloto de Mcafee web gateway para migrar nuestro Forefront TMG. Tenemos la regla preconfigurada


      Explicit Proxy Authetication and Authorization:


      - Autheticate with User Database > NTLM (Nuestro domain, OK)

      - Authorize User Gruop puedo agregar un grupo de AD en la regla "Only Allow User of Allowed User Grous". Pruebo a el acceso y funciona.


      Quiero agregar otro grupo con otro tipo de permisos. Debo crear otra regla Explicit Proxy Authetication and Authorization u otra Authorize User Gruop ?


      No se si debo crear un Objeto (list, string) para cada grupo de AD.


      La idea es crear un grupo sin restricciones de acceso a internet y otros mas limitados a ciertos sites, streaming etc


      Gracias por la ayuda



        • 2. Re: Web Gateway, crear reglas por grupos de AD

          Hi Marina, i post on Spanish forum because my post its written on Spanish. It does not make sense to move it to the Web Gateway forum.


          I assumed that the Spanish forum had that purpose.



          • 3. Re: Web Gateway, crear reglas por grupos de AD

            This is Spanish Consumer forum - regarding McAfee for consumers and end users. Your post is regarding WebGateway specific issue which is supported by our Corporate Forums. There you will receive an appropriate answer. Thank you.

            • 4. Re: Web Gateway, crear reglas por grupos de AD

              So, you can delete this post, nobody will understand anything because is written in Spanish. I will try again in english.



              • 5. Re: Web Gateway, crear reglas por grupos de AD

                Hi pagudom,


                I used google translator:

                "We have a Mcafee web gateway pilot to migrate our Forefront TMG. We have the preconfigured rule


                Explicit Proxy Authentication and Authorization:


                - Authenticate with User Database> NTLM (Our domain, OK)

                - Authorize User Gruop I can add an AD group to the "Only Allow User User Allowed Grous" rule. I try the access and it works.


                I want to add another group with other permissions. Should I create another Explicit Proxy Authentication and Authorization rule or another Authorize User Gruop rule?


                I do not know if I should create an object (list, string) for each AD group.


                The idea is to create a group without restrictions of access to internet and others more limited to certain sites, streaming etc.


                Thanks for the help"


                General information:

                One authentication rule set is enough.

                You can use existing rule under "Authorize User Gruop I can add an AD group to the "Only Allow User User Allowed Grous"" or simply add new rules in existing rule sets using property authentication.usergroups (or authentication.username).

                You can also create lists of usernames or usergroups. Based on this you can then configure bypass or block rules.

                If you want for example to create a rule that allows specific users/groups to access internet without triggering the rest of the rules in your policy you can create a rule with action stop cycle.

                Example: Authentication.Usergroups at least one in list <UserList>, Action: "Stop Cycle"

                With this rule no further rules would be triggered since action stop cycle is used.

                Difference between action stop rule set and stop cycle is that when using stop rule set only the rest of this rule set is not triggered anymore. It will continue with next rule set.


                More information about creating rules and using specific properties here:

                Best Practices: Creating URL related list entries


                Information related to your query:
                If I understood correctly you want to allow specific users to stream videos and visit specific websites.

                In your policy under "URL Filtering" > "Default" you should have a category block rule at the end.

                There for example, you could add categories you want to block.

                If you now want to allow these categories for specific users/groups you can configure a rule above this block rule using property authentication.usernames or. usergroups at least one in list and use action stop rule set. If this rule matches now, the rest of the rules there are not triggered anymore and the requests should not run into the category block rule.


                Here it is really important to have a plan or structure (where to place a rule, where to configure a bypass rule since requests could be blocked at different positions in the policy, how many different user-/grouplists are needed, etc.).


                I hope you find this information helpful.

                Please let us know if you have further questions.




                • 6. Re: Web Gateway, crear reglas por grupos de AD

                  Many thanks


                  I'm going to try some configurations.


                  Best Regards !