5 Replies Latest reply on Sep 1, 2014 2:57 AM by asabban

    MWG  Is it possible to filter web access by domain user?

    aurimas

      Hi,

       

      I am using MWG 7.4.2.2.0 and I am trying to set up LDAP authentication for the first time.

       

      I wonder if it is possible to filter web content (make a rule) to specific my domain users.

      For example: I want to let access social networks to specific list of domain users and block for the rest. One user logs in work station and he gets access, the other logs into same work station and he is blocked. I do not care about any group memberships only about specific users.

       

      Is it possible? If it is, I would appreciate some configuration guidance.

       

      Thanks. 

        • 1. Re: MWG  Is it possible to filter web access by domain user?
          asabban

          Hello,

           

          this should not be a hard task. After authentication took place you will find the user name in the property "Authentication.Username" and the categories in the property "URL.Categories".

           

          You can create a rule set that has two rules and applies an action depending on who is accessing a Social Media side.

           

          1. Rule: If URL.Categories contains "Social Media" AND Authentication.Username matches in list  <list of allowed usernames> Then "Stop Rule Set"

          2. Rule: If URL.Categories contains "Social Media" Then "Block"

           

          If a user accesses a social media site and the user is in the list of allowed users the "Stop Rule Set" action will make sure the second action is not executed. For all other users the first rule does not match so the second rule is called which executes a "Block" action, so access is denied.

           

          Certainly you need to make sure you do not block or allow social media categories anywhere else in the policy, but generally that requirement should be simple to fulfill.

           

          Best,

          Andre

          • 2. Re: MWG  Is it possible to filter web access by domain user?
            aurimas

            Hi asabban,

             

            Thanks for reply,

             

            I get the part about creating rule set, but what kind of authentication and how I should configure it to get property "Authentication.Username".

             

            And I would like to know is it possible to run authentication where MWG authenticates user by itself (asks LDAP or domain controller about logged in users and for example (but not necessary) maps them to IP address)? I mean when user logs in to his work station it should be automatically authenticated to MWG.

             

            I ask this because I have this feature configured on my firewall and it is really handy for me to administrate users, and they don’t have any inconveniences of entering passwords.

            • 3. Re: MWG  Is it possible to filter web access by domain user?
              asabban

              Hello,

               

              I was assuming authentication is already set up. For MWG "LDAP Authentication" means asking the user for a user name and password. What you are looking for is integrated authentication which works with NTLM (Active Directory) or Kerberos. In such a case the browser will automatically authenticate, there is nothing the user needs to do. Apart from eDirectory MWG will not check a directory for logged in users by their IP address. I am not aware that this is a common procedure, maybe you need to shed some more light about your environment in order to allow some good advice.

               

              If authentication is already set up and working fine on the firewall there might be a way to add the username to the HTTP request that gets to MWG, but this depends on if the firewall is capable of doing so.

               

              Best,

              Andre

              • 4. Re: MWG  Is it possible to filter web access by domain user?
                aurimas

                Hi,

                 

                Thanks for reply again,

                 

                I have set authentication now, it was the main problem for me. After you reply I configured Windows domain membership and in Settings->Engines->Authentication I created NTLM Authentication method. After testing result is OK.

                Then I created Wildcard Expression list of domain usernames and used rules you suggested in your first reply. So far it works and looks good.

                 

                Thanks for help.

                • 5. Re: MWG  Is it possible to filter web access by domain user?
                  asabban

                  Perfect! Thank you for the update!

                   

                  Best,

                  Andre