Here is a three-part series on using MWG7.
Right at the end of the second video and at the beginning of the third video it discusses authentication and using AD groups for that use case you describe. Pause it at the 0:41 second mark and you'll see the rule that does this.
Basically you need a Stop Rule Set for
URL.Categories contains Social Networking AND
Authentication.UserGroup equals "FB Users"
Placed right above the Category Block List rule.
Edit: Authentication.Attributes that are described in the video have now been changed to Authentication.UserGroups in 7.1, but they are the same thing.
That is how I had it, but this will allow them access to all social network sites. I was trying to limit them to just having the ability to access and use Facebook, so I added AND URL equals "http://www.facebook.com/" with the Stop Rule Set action, but this does not appear to work correctly. It loads but the page is not formatted correctly (see below).
Allow FB access to Specific users
URL equals "http://www.facebook.com/" AND
URL.Categories<Cloud Lookup Only> contains Social Networking AND
Authentication.UserGroups contains "FB Users"
Stop Rule Set
[Attached screenshot: FB load.bmp, 624.1 K]
I think there is something not matching with the rules you built.
Some notes to consider:
- You probably don't want to use "equals" and URL combined. If you say URL equals http://www.facebook.com the rule will only match this specific URL, but it won't match on https://www.facebook.com or even http://www.facebook.com/login.php which you will need to access the site at all.
- A better approach may be "URL.Host" equals "www.facebook.com" OR something like "URL" matches "*://www.facebook.com*"
- You will most likely need more than www.facebook.com. Most content comes from "static.ak.fbcdn.net", which is the Content Delivery Network behind facebook.com. They need to be added as well.
Maybe you want to share your rules with us, it might help to figure out what helps.
Edit: The screenshot you posted is most likely a result of not having the CDN whitelisted as well!
Adding these wildcards looks like it fixed FB.
I also changed the rule to read URL matches in list:
1. *www.facebook.com*
2. *static.ak.fbcdn.net*
3. *fbcdn.net*
4. *profile.ak.fbcdn.net*
Do you see anything that I might have missed?
Thanks for the help. This is an awesome resource.
Basically "*fbcdn.net*" already includes "static.ak.fbcdn.net" and "profile.ak.fbcdn.net", so you only need that entry. Anyway it does not hurt :-)
I think you may also want to add apps.facebook.com, in case Apps should be allowed. But besides that I think you should be done. I am not aware of more URLs - which doesn't mean there are none, of course.
Thank you for sharing the information with us. I hope you enjoy the product and our community.
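The three matching styles discussed in this thread (URL equals, URL wildcard list, URL.Host), compared side by side as an added example that is not part of the original posts and is not Web Gateway rule syntax. It assumes Python's `fnmatchcase` is a fair stand-in for the gateway's wildcard matching; `match_host` and the sample URLs (on the reserved `example.test` domain) are constructed for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Values taken from the thread.
EQUALS_URL = "http://www.facebook.com/"
WILDCARDS = ["*www.facebook.com*", "*fbcdn.net*"]
# Hypothetical host-based allow list: exact hosts plus domain suffixes.
EXACT_HOSTS = {"www.facebook.com"}
DOMAIN_SUFFIXES = ("fbcdn.net",)

def match_equals(url):
    # "URL equals": only the one literal URL matches.
    return url == EQUALS_URL

def match_wildcard(url):
    # Wildcards applied to the whole URL string (assumption: fnmatchcase
    # approximates the gateway's wildcard semantics).
    return any(fnmatchcase(url, w) for w in WILDCARDS)

def match_host(url):
    # Compare only the parsed host name, on label boundaries.
    host = (urlsplit(url).hostname or "").lower()
    return host in EXACT_HOSTS or any(
        host == s or host.endswith("." + s) for s in DOMAIN_SUFFIXES)

# Constructed sample URLs.
SAMPLES = [
    "http://www.facebook.com/",
    "https://www.facebook.com/login.php",
    "http://static.ak.fbcdn.net/rsrc.php/a.css",
    "http://profile.ak.fbcdn.net/p.jpg",
    # The allowed strings appear here, but not as the real host:
    "http://www.example.test/?ref=www.facebook.com",
    "http://fbcdn.net.example.test/a.js",
]

def evaluate(urls=SAMPLES):
    # Map each URL to (equals, wildcard, host) match results.
    return {u: (match_equals(u), match_wildcard(u), match_host(u)) for u in urls}

if __name__ == "__main__":
    for url, (eq, wc, host) in evaluate().items():
        print(f"equals={eq!s:5} wildcard={wc!s:5} host={host!s:5} {url}")
```

The last two rows show why a wildcard on the full URL is broader than intended: it also matches when the allowed string sits in a query string or in front of another domain, while the host comparison does not.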