5 Replies Latest reply on May 16, 2011 3:31 PM by brianfrazer

    How to restrict an AD Group to an URL List

      Greetings All,

       

      I am having an issue that I hope someone can answer for me.  I have two categories of users in my company that I need to configure access to the Internet for.  The first AD Group is simple enough, they are simply filtered by allowed categories and I have that working. The second AD Group is far more restricted in its Internet access.  This AD Group needs to be restricted to an URL Whitelist. This is proving to be far more work than I had anticipated.  I have so far only been able to filter the restricted group by category or everything is denied for not being in the allowed category list. However, the URLs do fall under the allowed categories for the entire company.

       

      Here are the summaries of the recent rule sets that I have tried.  I have tried several variations of these Rule Sets.

       

      Name:
      Allow Web Access to Stores WhiteList

      Comment:

      Rule Criteria:
      Authentication.Attributes contains "Store Secondaries" AND
      URL.Host matches in list Stores URL WhiteList

      Action:
      Stop Rule Set

       

      Name:
      Block Not in Stores White List

      Comment:

      Rule Criteria:
      Authentication.Attributes contains "Store Secondaries" AND
      URL.Host does not match in list Stores URL WhiteList

      Action:
      Block

       

      Can someone please tell me the correct way to accomplish this or at least point me in the right direction?

       

      Any help is always appreciated.

       

      Brian

        • 1. Re: How to restrict an AD Group to an URL List

          It seems to me that the second line is the only one you need. If they are in the AD group AND it's not in the white list, block.

           

          Anyone that is not in the AD group would go to the next rule and allow or block according to your category list for everyone else.


          Am I missing something?
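
The rule logic discussed in the question and in this reply, as an added example that is not part of the original posts and is not McAfee Web Gateway code: a small Python model for checking which rule fires for a given user and host. The subdomain matching, the "Domain Users" group, the list contents and all function names are assumptions of this sketch, not a statement of how the gateway matches list entries.

```python
# Added sketch, not McAfee Web Gateway code: models the thread's two rules.
from dataclasses import dataclass

GROUP = "Store Secondaries"
# Constructed sample list; mapquest.com is the host named in the thread.
STORES_URL_WHITELIST = {"mapquest.com"}

# (rule name, fires when host is in the list?, action), as posted in the thread
ALLOW = ("Allow Web Access to Stores WhiteList", True, "Stop Rule Set")
BLOCK = ("Block Not in Stores White List", False, "Block")


@dataclass(frozen=True)
class Decision:
    action: str  # "Stop Rule Set", "Block" or "Continue"
    rule: str    # rule that fired, the value worth showing on a block page or log


def host_in_list(host, entries):
    """Assumed matching: case-insensitive, entry covers itself and subdomains."""
    host = host.lower().rstrip(".")
    return any(host == e or host.endswith("." + e) for e in entries)


def evaluate(groups, host, rules):
    """First matching rule wins; no match hands the request to the next rule set."""
    member = GROUP in groups
    listed = host_in_list(host, STORES_URL_WHITELIST)
    for name, fires_when_listed, action in rules:
        if member and listed == fires_when_listed:
            return Decision(action, name)
    return Decision("Continue", "")


def policy_matrix(rules):
    """Decision per test case, so a rule change can be checked before rollout."""
    cases = {
        "member, listed host": ([GROUP], "www.mapquest.com"),
        "member, unlisted host": ([GROUP], "dell.com"),
        "member, lookalike host": ([GROUP], "mapquest.com.example.net"),
        "non-member": (["Domain Users"], "dell.com"),  # constructed group name
    }
    return {label: evaluate(g, h, rules) for label, (g, h) in cases.items()}


if __name__ == "__main__":
    for label, d in policy_matrix([ALLOW, BLOCK]).items():
        print(f"{label:24} -> {d.action:14} {d.rule}")
```

Calling `policy_matrix([BLOCK])` models the single-rule variant suggested in this reply: a group member on a listed host then matches no rule and continues to the next rule set instead of hitting Stop Rule Set.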

          • 2. Re: How to restrict an AD Group to an URL List

            It seems we both are missing something here. I originally tried this, however it just does not work.

             

            At the user level, doing as you suggested, this is what I get from a site in the URL list.

             

            <!--FileName: URLBlocked.html Language:

             

            There is nothing else on the page to shed any light on the issue whatsoever.

             

            Thanks for the suggestion,

            Brian

            • 3. Re: How to restrict an AD Group to an URL List

              I'm not sure I understand.

              The block page is not rendering properly, and is blank when a block occurs?

              Or maybe I misunderstood your statement.

               

              One thing I like to do on an actual block page is put the rule name into it so I know exactly which rule blocked.

               

              If you edit the Schema page, add a little property that shows in the corner of the page.

              Rules.CurrentRule.Name: $Rules.CurrentRuleName$

               

              The results should look something like this:

              [Image: Capture.PNG]

               

              You could also put the rule name into a log file as well.

              • 4. Re: How to restrict an AD Group to an URL List

                With this rule enabled:

                Name:
                Block Not in Stores White List

                Comment:

                Rule Criteria:
                Authentication.Attributes contains "Store Secondaries" AND
                URL.Host does not match in list Stores URL WhiteList

                Action:
                Block

                The page is not rendering correctly for some reason.  Let's say that mapquest.com is in the approved whitelist, which it is btw. What I get in their browser is exactly what I posted in my previous message.  If I go to Dell.com for instance, what the browser renders is a URL has been blocked because it is not in the approved category list.

                 

                The same thing happens if I change the 2nd criteria to:

                URL does not match in list Stores URL WhiteList

                 

                You posted:

                One thing I like to do on an actual block page is put the rule name into it so I know exactly which rule blocked.

                I did this in the initial setup of the Web Gateway.

                 

                The MWG is running on 7.0.2.2 (9841)

                 

                Thanks again,

                Brian

                • 5. Re: How to restrict an AD Group to an URL List

                  Greetings,

                   

                  I never could get the custom whitelist to work properly.  However, during my testing, I did find that the Global Whitelist URLs did work.  I edited the Global Whitelist name to end with -old.  I then created a new Global Whitelist with my custom list, and it worked just fine.

                   

                  I am still not sure why the custom list would not work and right now, don't much care.  I have a working solution and will leave it this way for the time being.

                   

                  Thanks again for the help and suggestions,

                  Brian