7 Replies Latest reply on Dec 16, 2010 2:10 AM by RayP

    Selective Site access through for certain users

      Dear Friends,

       

      Recently we have purchased the Webwasher appliance and are facing a few issues importing the earlier configuration settings.

      There are Two things I would require your opinion and guidance on,

      1. We need to allow a few users to have access to a few authorized sites other than the standard access. These users are already part of standard internet access.

      2. Although we have a Web Mapping configured, we have received complaints from many of the users about "No Authorization" and "No User Mapping" related messages. Can you please guide me on how to troubleshoot user mapping related issues?

       

      Highly appreciating your support,

       

      Regards,

       

      Sandeep

        • 1. Re: Selective Site access through for certain users

          Thank you for your question.

           

          The first step in achieving this is to isolate the group of users who need special access to their own policy.

           

          Once they have their own policy you must determine the best method for allowing the type of traffic so they can reach their destination.

           

          One quick example, if you are blocking say the "gambling" category but your users need access to a site categorized as such:

           

          1. You can re-categorize the site to a user-defined category.
          2. You can exempt the URL via the filter by expressions.
          3. Or you can White List a URL.

           

          However, to answer part of your question: when a user receives the error message "No Authorization", this means the user failed mapping to a policy.

           

          How are you authenticating users?

           

           

          on 11/18/10 9:45:04 PM CST

           

           

          on 11/18/10 9:46:32 PM CST
          • 2. Re: Selective Site access through for certain users

            Hey Saul,

             

            Sorry for a very late response and thanks for the answer.

             

            User mapping is still an issue.

            We are using NTLM authentication for the users, and additional input I can provide is that in the error page we see either the URL or the IP address against the User name value. I think this is the main reason for the User Mapping failure, but I am not able to find the culprit. Is it the browser (IE or Firefox) or the proxy?

             

            Guide me pls.

             

             

            Sandeep.

            • 3. Re: Selective Site access through for certain users
              gwieser

              Hello,

               

              Maybe the ntlm-auth-requests ran into an overload condition at the domain controller. You should consider caching ntlm-requests for better performance. I'm not sure about the exact location of this configuration option, but you can easily find it if you enter ntlm in the 'search' field at the config panel.

               

              hope this helps

              Gerhard

               

               

              [Addendum] This is true for mgw 6.8.x - maybe for mgw 7.0 there are other options to achieve the same thing. Btw, you can find it simply under 'configuration - ntlm - ntlm cache' in mgw 6.8.x.

              Message edited by gwieser on 06.12.10 11:54:49 CST
              • 4. Re: Selective Site access through for certain users

                Hi Gerhard,

                 

                I verified, NTLM Cache was already enabled as per the below snap.

                 

                NTLM_Cache.jpg

                • 5. Re: Selective Site access through for certain users
                  gwieser

                  Hi Sandeep,

                   

                  Maybe you should raise the ntlm-cache-ttl. We have defined 300 secs = 5 min here. Another thing to consider: how many DCs per domain do you have defined under 'user mgmt - windows domain membership'? For backup and maybe performance reasons you should have at least two DCs defined.

                   

                  And for the network side you should also check the interfaces and their speed and duplex. Sometimes there are differences between switchport and eth-speed/duplex.

                   

                  otherwise I'm clueless

                   

                  Gerhard

                  • 6. Re: Selective Site access through for certain users

                    Thanks Gerhard,

                     

                    I will try increasing the TTL as guided by you.

                    As far as DCs are concerned, we have configured THREE DC servers under the authentication.

                     

                    Anyhow, Thanks a lot for your valuable time.

                    I will post any update in the issue.

                     

                     

                    Sandeep.

                    • 7. Re: Selective Site access through for certain users
                      RayP

                      Hello Sandeep,

                       

                      Did you get any positive results after the TTL change?

                       

                      With kind regards,

                      Raymond