5 Replies Latest reply on Sep 9, 2011 8:39 AM by asabban

    Allowing a subset of users access to Facebook

      I would like to allow a subset of my authenticated users access to Facebook.  I have authenticated them with an AD group 'webusers' and have a URL policy for 'webusers'  I would like to have a rule that allows a specific AD group(FB Users) access to Facebook.  One of the challange's that I have is that we block social Media categorically for the agency.


      So how can I allow FB users aroung the social media block in the webusers URL Filtering?


      I think that I have a grasp of how to do it.  I would add the rule above the block that says if Authentication.userGroups contains FB Users and URL is Facebook.com Stop rule set.  but, then the EnableSafeSearchEnforcer would not run is that an issue. 




        • 1. Re: Allowing a subset of users access to Facebook

          Here is a three-part series on using MWG7.






          Right at the end of the second video and at the beginning of the third video it discusses authentication and using AD groups for that use case you describe. Pause it at the 0:41 second mark and you'll see the rule that does this.


          Basically you need a Stop Rule Set for


          URL.Categories contains Social Networking AND

          Authentication.UserGroup equals "FB Users"


          Placed right above the Category Block List rule.


          Edit: Authentication.Attributes that are described in the video have now been changed to Authentication.UserGroups in 7.1, but they are the same thing.


          Message was edited by: eelsasser on 9/8/11 5:16:28 PM EDT
          • 2. Re: Allowing a subset of users access to Facebook

            That is how I had it, but I this will allow them to all social network sites.  I was trying to limit them to just having the ability to access and use facebook, so I added AND URL equals "http://www.facebook.com/" with the Stop Rule Set action, but this does not appear to work correctly.  It loads but the page is not formatted correctly (see below)


            Allow FB access to Specific users


            Rule Criteria:
            URL equals "http://www.facebook.com/" AND
            URL.Categories<Cloud Lookup Only> contains Social Networking AND
            Authentication.UserGroups contains "FB Users"

            Stop Rule Set





            Any suggestions.


            Message was edited by: imtrying on 9/9/11 7:55:39 AM CDT
            • 3. Re: Allowing a subset of users access to Facebook



              I think there is something not matching with the rules you built.


              Some notes to consider:


              - You probably don´t want to use "equals" and URL combined. If you say URL equals http://www.facebook.com the rule will only match this specific URL, but it won´t match on https://www.facebook.com or even http://www.facebook.com/login.php which you will need to access the site at all.


              - A better approach may be "URL.Host" equals "www.facebook.com" OR something like "URL" matches "*://www.facebook.com*"


              - You will most likely need more than www.facebook.com. Most content comes from "static.ak.fbcdn.net", which is the Content Delivery Network behind facebook.com. They need to be added as well.


              Maybe you want to share your rules with us, it might help to figure out what helps.


              Edit: The screenshot you posted is most likely a result of not having the CDN whitelisted as well!





              Nachricht geändert durch asabban on 09.09.11 07:59:22 CDT
              • 4. Re: Allowing a subset of users access to Facebook

                Adding these wildcards looks like it fixed FB.


                I also changed the rule to read URL matches in list:




                Do you see anything that I might have missed?


                Thanks for the help.  This is an awsome resource.

                • 5. Re: Allowing a subset of users access to Facebook



                  basically "*fbcdn.net*" already includes "static.ak.fbcdn.net" and "profile.ak.fbcdn.net", so you only need that entry. Anyway it does not hurt :-)


                  I think you may also want to add apps.facebook.com, in case Apps should be allowed. But besides that I think you should be done. I am not aware of more URLs - which doesn´t mean there are none, of course.

                  Thank you for sharing the information with us. I hope you enjoy the product and our community.