8 Replies Latest reply on Jan 21, 2011 1:58 AM by eelsasser

    How To authenticate / Mapping Active Directory users and groups

      Dear All,

      We have upgraded our appliance to MWG v7 and it is totally different from the old webwasher structure.

      We need to grant specific AD group users access to certain policies, as we were doing in webwasher through

      User Management > Policy Management > Web Mapping, then Edit rule and Options.

      How can we do so in MWG7?

      Your assistance is highly appreciated.

        • 1. Re: How To authenticate / Mapping Active Directory users and groups

          First, you must authenticate, then use the Authentication.Attributes property to determine what group they are a member of.

           

          You can find a three-part video demonstration of MWG7 here:

          McAfee Web Gateway 7.0 Demonstration

          Part 1: http://www.youtube.com/watch?v=8lMxpDYA5Wg

          Part 2: http://www.youtube.com/watch?v=D56wGhy6qkk

          Part 3: http://www.youtube.com/watch?v=LnU0Xh5_nIQ

           

          Within the video (near end of Part 2 and beginning of Part 3) there is an example of authentication and using groups and attributes.

           

          I hope this helps.
          • 2. Re: How To authenticate / Mapping Active Directory users and groups

            Dear Erik,

            Thank you for these useful demonstrations; indeed, we understand the new concept. I have deleted and recreated the rule set to be as your setting. As an expediting step, can we import a ready-made rule set? From where can we get one similar to yours?

            • 3. Re: How To authenticate / Mapping Active Directory users and groups

              The rule set I made was crafted from scratch for the demonstration. It was recorded before MWG was released and before the Rules Library was finished, so I had to make the rules myself. It may or may not apply to your specific environment.

              I've attached a simplified version of these rules to import into your policy. They are initially disabled, so they will have no effect until you review and modify them. You will want to put the 3 main rule groups up to the Top-Level instead of having them as sub-groups. I did that just to transport them as one file.

              Here is a simple representation of what they contain. You may just want to print this and enter yours manually instead.

              The highlighted parts are easy to forget to enter, but very important to make it work. They are conditions on the Rule Set container itself.

              You will need to make your own category lists of Allowed and Denied categories to suit your needs.

               

               

              Rule Set: Authentication
                Enabled: √
                Applies to: Requests √True, Responses ∅False, Embedded Objects ∅False
                Rule Set criteria (on the container itself):
                  1: Authentication.IsAuthenticated equals false
                  2: AND Authentication.AuthenticationFailed equals false
                Rules (Enabled | Name / Criteria | Action | Events | Comments):
                  √ Enabled: Authenticate User database integrated
                    Criteria:
                      1: Authentication.Authenticate<UserDatabase> equals false
                      2: AND Authentication.Failed equals false
                    Action: Authenticate<Default>

              Rule Set: Unauthenticated User Policy
                Enabled: √
                Applies to: Requests √True, Responses ∅False, Embedded Objects ∅False
                Rule Set criteria (on the container itself):
                  1: Authentication.Failed equals true
                Rules (Enabled | Name / Criteria | Action | Events | Comments):
                  √ Enabled: Allowed Categories for "Unauthenticated Users"
                    Criteria:
                      1: URL.Host is in list Unauthenticated User Allowed Hosts
                      2: OR URL.Categories at least one in list Allowed Categories for "Unauthenticated Users"
                    Action: Stop Cycle
                  √ Enabled: Block all other unauthenticated users
                    Criteria:
                      1: Authentication.UserName equals ""
                    Action: Block<URL Blocked>
                    Events: Execute: IncrementCounter("BlockedByURLFilter",1)<Default>

              Rule Set: Authenticated Users Policy
                Enabled: √
                Applies to: Requests √True, Responses ∅False, Embedded Objects ∅False
                Rule Set criteria (on the container itself):
                  1: Authentication.IsAuthenticated equals true
                Rules (Enabled | Name / Criteria | Action | Events | Comments):
                  √ Enabled: Allowed Categories for "Domain Admins"
                    Criteria:
                      1: Authentication.Attributes contains "Domain Admins"
                      2: AND URL.Categories at least one in list Allowed Categories for "Domain Admins"
                    Action: Stop Rule Set
                  √ Enabled: Allowed Categories for "Webmail Users"
                    Criteria:
                      1: Authentication.Attributes contains "Webmail Users"
                      2: AND URL.Categories contains
                    Action: Stop Rule Set
                  √ Enabled: Allowed Categories for "SocialNetworking Users"
                    Criteria:
                      1: Authentication.Attributes contains "SocialNetworking Users"
                      2: AND URL.Categories contains
                    Action: Stop Rule Set
                  √ Enabled: Allowed Categories for "Domain Users"
                    Criteria:
                      1: Authentication.Attributes contains "Domain Users"
                      2: AND URL.Categories at least one in list Allowed Categories for "Domain Users"
                    Action: Stop Rule Set
                  √ Enabled: Default Category Blacklist
                    Criteria:
                      1: URL.Categories at least one in list Default Category Blacklist
                    Action: Block<URL Blocked>
                    Events: Execute: IncrementCounter("BlockedByURLFilter",1)<Default>


              Message was edited by: Erik Elsasser on 6/16/10 7:28:55 AM CDT

               

               

              Message was edited by: Erik Elsasser on 6/16/10 7:30:35 AM CDT
              • 4. Re: How To authenticate / Mapping Active Directory users and groups

                Dear Erik,

                Indeed, you guided me to the right way by following your steps as shown below.

                [Attached screenshots: Gw1.png, Gw2.png, Gw3.png, Gw4.png, Gw5.png]

                Now it is working fine.

                Thank you for your kind support.

                Regards,

                Jarrash

                • 5. Re: How To authenticate / Mapping Active Directory users and groups

                  Hi Erik

                  I went through your demo on YouTube and it was an excellent starting point. I followed everything with respect to our environment but somehow cannot get the AD groups authenticated properly. I managed to work the unauthenticated users, in which everything gets blocked. However, for authenticated users, it is allowing the blocked categories as well. Some screenshots attached. Your help is highly appreciated.

                  Many thanks

                  Jamil

                  • 6. Re: How To authenticate / Mapping Active Directory users and groups

                    When you test authentication in the test section of the settings, are groups returned at all?

                    You have the option to prefix domain names to the group names selected. I think that will cause group names to be referenced as "teckcominco\domain users".

                    This will not match in the rules if you are only looking at Authentication.Attributes contains "Domain Users".

                    You either need to uncheck "Prefix group names with domain names" or change the rule to read Authentication.Attributes contains "teckcominco\domain users".

                    See if that helps.
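As an added illustration, not part of the thread, the following Python model walks the three rule sets from Erik's table in reply 3 (Unauthenticated User Policy, then Authenticated Users Policy with its Stop Rule Set and Default Category Blacklist rules) and applies the plain substring test that "Authentication.Attributes contains" performs, which is why the prefixed, lower-cased group name from reply 6 never matches a criterion written as contains "Domain Users". The category lists, hosts, the ";" separator and the attribute-string format are constructed assumptions; the incomplete "Webmail Users" and "SocialNetworking Users" criteria from the table are modelled only as far as the table states them.

```python
# Added model (not MWG code): the rule sets from the table above, evaluated in
# order, plus the substring semantics of "Authentication.Attributes contains".
# All list contents, hosts and the ';' attribute separator are constructed.

UNAUTH_ALLOWED_HOSTS = {"update.example.com"}              # constructed list
UNAUTH_ALLOWED_CATEGORIES = {"Software/Hardware"}          # constructed list
ALLOWED = {                                                # constructed lists
    "Domain Admins": {"Business", "News", "Webmail", "Social Networking"},
    "Webmail Users": {"Webmail"},
    "Domain Users":  {"Business", "News"},
}
DEFAULT_BLACKLIST = {"Pornography", "Malicious Sites"}     # constructed list
RULE_ORDER = ["Domain Admins", "Webmail Users", "Domain Users"]  # order in the table


def attributes_string(groups, domain=None):
    """Build the Authentication.Attributes value for a user's groups.

    With "Prefix group names with domain names" on, the thread reports names
    of the form 'teckcominco\\domain users' (domain prefix, lower case), which
    is what this models. The ';' separator is an assumption of the model.
    """
    if domain:
        groups = [f"{domain}\\{g.lower()}" for g in groups]
    return ";".join(groups)


def evaluate(authenticated, attributes, host, categories):
    """Return the action a request ends with after the table's rule sets."""
    if not authenticated:
        # Rule set 'Unauthenticated User Policy' (Authentication.Failed equals true)
        if host in UNAUTH_ALLOWED_HOSTS or categories & UNAUTH_ALLOWED_CATEGORIES:
            return "Stop Cycle"            # allowed; no further rules run
        return "Block<URL Blocked>"        # 'Block all other unauthenticated users'
    # Rule set 'Authenticated Users Policy' (Authentication.IsAuthenticated equals true)
    for group in RULE_ORDER:
        # 'contains' is a plain substring test: the prefixed, lower-cased
        # "teckcominco\domain users" never contains "Domain Users"
        if group in attributes and categories & ALLOWED[group]:
            return "Stop Rule Set"         # allowed by this group's list
    if categories & DEFAULT_BLACKLIST:
        return "Block<URL Blocked>"        # 'Default Category Blacklist'
    return "Continue"                      # nothing matched; later rule sets decide
```

With the prefix option on, a Domain User's allowed-category rule never fires, so such requests fall through to whatever later rule sets decide; only the Default Category Blacklist still blocks.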

                    • 7. Re: How To authenticate / Mapping Active Directory users and groups

                      Hi Erik,

                      Thanks so much for your prompt reply. I tried disabling the "Prefix group names with domain names" but authenticated users are still getting through to categories that are not allowed, i.e. pornography. The authentication is successful and groups are returned OK as per screenshot(s) (attached).

                      Am I doing the string value properly under lists-strings-AD user group-Domain Users?

                      Is it the URL.Categories<Default> section that is bypassing the allowed categories lookup? I am not too familiar with the strings, properties and values and exactly what function they do. Maybe there is a good reference guide out there which explains this.

                      [Attached screenshots: lists string.JPG, authenticate.JPG, URL Filter.JPG, allowed.JPG, NTLM.JPG]

                      • 8. Re: How To authenticate / Mapping Active Directory users and groups

                        There are probably a dozen different ways of doing what you want.

                        Remove the line for "OR Wildcard.ToString(Whitelist.Corp_Policy_1.Web.Merged) equals ..." etc. That's messing you up.

                        That imported list is a URL list that you would use in the Global Whitelist rules with syntax similar to:

                        URL is in list Whitelist.Corp_Policy_1.Web.Merged   (Action: Stop RuleSet or Stop Cycle)

                        If the intent is that you want the whole Rule Set and tree branches called "Teck Corp Policy" to apply only to Domain Users, then put the "Authentication.Attributes contains Domain Users" on the rule set itself instead of the Always that is there. Anything inside of that rule set will only be for Domain Users afterwards.

                        Also, you should check out the policyViewer that lets you back up the configuration or export the rule sets and display them where you can copy/paste the tables instead of screenshots.