8 Replies Latest reply on Jul 28, 2010 12:35 PM by ittech

    Two things I can't seem to figure out


      I hope I explain this properly, my trial runs out on 08/07 and my manager has some questions. These questions pertain to Web Gateway 7.


      1) Can I create a filter for specific AD Users without having to add them into a new AD Group?

                EX: There are a few select people who need access to youtube.com. Can I create a filter or rule to only give those users acces to youtube without having create another group in AD and how? This may not seem like a problem, but specific users need access to site that others in their AD group should not be able to access and we don't want to end up creating 15 new groups so that the users can access them appropriately.

      2) Can I create a filter for an IP range that doesn't authenticate to the domain and how?

                EX: We have a wireless access point for visitors with laptops and we would like to filter their access to the internet without forcing them to join the domain and authenticate.

        • 1. Re: Two things I can't seem to figure out

          1) Yes.

          2) Yes.


          1) In the rules, you place a rule that uses the Authentication.UserName above a rule with Authentication.Attributes (groups). It hits the username rule first, matches, and doesn't proceed to the group rule (stop Rule Set).


          2) In the authentication section you put a rule that matches on Client.IP is in range (or something similar) and bypass the actual authentication rules.


          There are some interesting and similar examples in some videos I posted here:

          McAfee Web Gateway 7.0 Demonstration

          Part 1: http://www.youtube.com/watch?v=8lMxpDYA5Wg

          Part 2: http://www.youtube.com/watch?v=D56wGhy6qkk

          Part 3: http://www.youtube.com/watch?v=LnU0Xh5_nIQ


          If I recall, some of those authentication conditions are described near the end of part 2 and start of part 3. Pause the video and look at how the rules are written.


          For question 2, there is actually a use case on the video where it will attempt to authenticate, fail and just go to a default policy. This would help for employees that use the guest wireless. They can get through, but the visitors cannot.





          on 7/28/10 10:30:06 AM CDT
          • 2. Re: Two things I can't seem to figure out

            Thank you, sir.


            Just to be clear on the first question. With the Authentication.UserName rule, could I just whitelist youtube and the user could get the rest of their policy through their group?

            • 3. Re: Two things I can't seem to figure out

              Yep. Simple example is:


                Authentication.UserName = "ittech" AND

                URL.Host matches "*.youtube.com"


                Stop Rule Set


              If it doesn't match that condition, it goes to the next rule which would be the normal policy.


              A more complex example is you have a local list of user names defined on MWG and use that instead of the specific user in the rule. For example:


              "YouTube Users List":






                Authentication.UserName is in list "YouTube Users List" AND

                URL.Host matches "*.youtube.com"



              You can get more detailes if you want too:

                Authentication.UserName is in list "YouTube Users List" AND

                Client.IP equals "" AND

                URL.Host matches "*.youtube.com"


              So they can only watch youtube from that specific IP.



              Message was edited by: Erik Elsasser on 7/28/10 10:41:11 AM CDT
              1 of 1 people found this helpful
              • 4. Re: Two things I can't seem to figure out

                This help is awesome.


                I set this up and it totally makes sense, but I can't seem to get it working properly.


                I made a list (String) and added a user. Now, I can't seem to find the list on the list list (wow). So, I'm not sure if that is the problem or if i need to add users in a Domain/UserName fashion.

                • 5. Re: Two things I can't seem to figure out

                  The rule looks like this:


                  Allow YouTube to specific users
                  1: URL.Host matches *.youtube.com
                  2: AND Authentication.UserName is in list Allowed YouTube Users
                  Stop Rule Set


                  The list looks like this:

                  String List#Value
                  Allowed YouTube Users1eelsasser

                  1 of 1 people found this helpful
                  • 6. Re: Two things I can't seem to figure out

                    I finally noticed the difference between our policies!


                    The trial come with seperate content filters for each group like this:



                    Your example in the video has one content filter with seperate rules for each group in it.


                    The problem was I had placed my rule outside the content filter for the group that user was in.


                    Thanks for all you help Erik. Sorry, if I was dense in any way.

                    • 7. Re: Two things I can't seem to figure out

                      On thing I like to do is put some properties into comments on the main block schema page. This is useful for debugging. When a block page is displayed, you can view the source and see valuable information. Some of the properties I like to include are:

                      (Stick this at the end of the index.html use the add property button to insert the $Property$)



                      Rule Name: $Rules.CurrentRule.Name$

                      User: $Authentication.UserName$

                      Groups: $Authentication.Attributes$



                      just a helpful hint...


                      • 8. Re: Two things I can't seem to figure out

                        Done and tested. Very cool stuff!


                        Thanks again!