    Let the user decide

      Hello Community


      I'm trying to implement my first ruleset. The idea behind my rule is the following:

      -> We are going to restrict access to SSL-protected sites which use self-signed certificates or untrusted issuers.


      When someone tries to access such a website he shall not be blocked - but a dialog should be presented.

      On the dialog the user will be informed that the site is probably not trustworthy.


      Nevertheless - if the user really needs to visit the site he should be able to "Confirm" - and access is granted.


      If the Access could be granted for a specific duration (1 day / 1 week) the solution would be perfect...




      The first part is relatively easy to implement:

      -> If the site uses a self-signed certificate I'll initiate a redirect where the user is informed.


      But I have no clue how to implement step 2 (Confirm) and step 3 (duration) in the ruleset.


      Any help would really be appreciated.

      Best regards



          The concept is similar to Coaching: you hit a site, show a warning, and allow the user to click through.

          Try to import and integrate the Coaching rules from the library into the (SelfSigned==true OR FoundKnownCA==false) criteria.

            Hello E. Elsasser


            Thanks for your prompt answer. This seems to work - I have to bring the config to perfection - but basically I was successful - thanks.


            This brings me to a next question. As we run several MWGs and load balance using round robin, the above config is quite a pain as the "Coaching Dialog" appears several times (one time for each MWG). Is there a way to sync state between the Gateways? Or do we have to rethink our load balancing method...


            Have a good day


              Hi Chris,


              If your users are talking to multiple MWGs it is recommended to have session stickiness configured. Some options that should work fine:


              - Client IP stickiness

              - Destination URL stickiness


              The integrated HA uses Client IP stickiness (with all pros and cons, actually) to keep a user's session on the same MWG. If "round robin" is used a user's session may be distributed across all available boxes, which may cause problems, especially with all kinds of quota/coaching stuff, as well as progress pages.



              The coaching information is synced between the gateways (as far as I can tell), but not in "real time". It is only used to make the other nodes aware of the coaching/quota information, but is not intended to be distributed so quickly that accepting coaching on Box A will automatically allow access on Box B.


              From my perspective I think a tweak to the load balancing should be made to have session stickiness. But maybe someone has a different idea :-)
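The effect described in this thread (one coaching dialog per gateway under round robin, one per client under Client IP stickiness, and a fresh dialog once the accepted duration expires) can be reproduced with a small simulation. This is an added illustration, not MWG code or the community's own ruleset; the `Gateway` class, the picker functions and the sample requests are assumptions, the user is assumed to always click "Confirm", and coaching state is deliberately not shared between nodes to mirror the "not real time" sync described above.

```python
from dataclasses import dataclass, field
from itertools import cycle
import hashlib

COACHING_TTL = 24 * 3600  # seconds; the "1 day" duration asked for in the thread


@dataclass
class Gateway:
    """One MWG node with its own coaching cache (assumed: not synced in real time)."""
    name: str
    accepted: dict = field(default_factory=dict)  # "client|host" -> expiry timestamp

    def handle(self, client_ip, host, self_signed, known_ca, now):
        """Return 'allow' for a trusted cert or a still-valid confirmation, else 'coach'."""
        if not (self_signed or not known_ca):  # the (SelfSigned OR NOT FoundKnownCA) criteria
            return "allow"
        key = f"{client_ip}|{host}"
        expiry = self.accepted.get(key)
        if expiry is not None and now < expiry:
            return "allow"
        # Dialog shown; we assume the user clicks "Confirm", so record the acceptance.
        self.accepted[key] = now + COACHING_TTL
        return "coach"


def round_robin_picker(gateways):
    """Round robin: the client IP is ignored, so consecutive requests hit different nodes."""
    ring = cycle(gateways)
    return lambda client_ip: next(ring)


def client_ip_picker(gateways):
    """Client IP stickiness: hash the source address so one client always hits one node."""
    def pick(client_ip):
        digest = hashlib.sha256(client_ip.encode()).digest()
        return gateways[int.from_bytes(digest[:4], "big") % len(gateways)]
    return pick


def count_dialogs(picker_factory, requests, nodes=3):
    """Replay (client_ip, host, timestamp) requests to a self-signed site; count dialogs shown."""
    gateways = [Gateway(f"mwg{i}") for i in range(nodes)]
    pick = picker_factory(gateways)
    return sum(pick(ip).handle(ip, host, True, False, ts) == "coach" for ip, host, ts in requests)


# Constructed sample: one client opening the same self-signed site six times in a row,
# then once more after the one-day acceptance has expired.
SAMPLE_REQUESTS = [("10.0.0.5", "intranet.example", t) for t in range(6)]
SAMPLE_REQUESTS.append(("10.0.0.5", "intranet.example", COACHING_TTL + 10))
```

With three nodes, `count_dialogs(round_robin_picker, SAMPLE_REQUESTS)` returns 4 (one dialog per node plus one after expiry) while `count_dialogs(client_ip_picker, SAMPLE_REQUESTS)` returns 2.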