5 Replies Latest reply on Aug 26, 2015 6:08 AM by lubomir.cerny

    Web gateway group based policy

    ankush.g

      Hi guys

      I want to create a policy for Active Directory groups. There are 3 groups: 1) HR 2) accounts 3) sales. I want group HR to be able to access only the job portal and nothing else, and likewise for the other groups. I have referred to many links; please help in creating the group-based policy.

        • 1. Re: Web gateway group based policy
          exbrit

          Moved from Community Help to Web Gateway for better support

          ---

          Peter

          Moderator

          • 2. Re: Web gateway group based policy
            Troja

            Hi ankush.g,

            Do you mean that 3 Active Directory groups should only be able to connect to a specific URL category?

            You can use a list for the AD groups or you can define them separately. How exactly the rule is done also depends on your ruleset. If, e.g., the URL.category is already blocked, you can define a rule with action Stop Ruleset.

            Example:

            If you have a rule where the URL.category professional networking is already blocked, you can add the following rule above it to allow this URL.category for the three Active Directory groups:

             

            Try these properties:

            (

            authentication.usergroups equals HR

                 OR

            authentication.usergroups matches *accounts*

                 OR

            authentication.usergroups equals sales

            )

                 AND

            Url.category equals professional networking

             

            Action: Stop Ruleset

             

            Try this. At the moment I have no access to the MWG GUI, so I cannot define a sample rule or screenshot.

            Hope this helps,

            Cheers

            • 3. Re: Web gateway group based policy
              ankush.g

              Hi Troja

              I have tried this rule

              authentication.usergroups equal sales

              )

                   AND

              Url.category equals professional networking

               

              Action: Stop Ruleset

              But it didn't work. Can you please show me the policy with some snapshot where I can get a clear picture of how to create it and how to block with a group-based policy?

              • 4. Re: Web gateway group based policy
                frank_enser

                Hi,

                 

                try using Rule Tracing Central under Troubleshooting to see why the rule doesn't match. See Rule Engine Tracing for an explanation (example 2).

                My best guess: the usergroup doesn't match the usergroup from authentication. But just use Rule Tracing Central to verify.

                 

                Regards,

                Frank

                • 5. Re: Web gateway group based policy
                  lubomir.cerny

                  Hi ankush.g

                  We use groups from AD normally. You must have working authentication against AD (or any other LDAP/Kerberos system). Then you will have the needed values populated.

                   

                  Here is our example rule. Block if the authenticated user is not a member of the AD groups (list of group names):

                  AD-UserGroups.png

                  You can check whether authentication returns the needed group names via Settings - Authentication - Authentication Test:

                  If authentication works, then the result will display all groups the user belongs to:

                  MWG - User Auth test.png

                   

                  Hope this helps.
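
The mismatch suspected in reply 4, and the group check from reply 5, as an added example that is not part of the original thread and is not Web Gateway's own rule engine: a small Python model of the rule from reply 2, run against a constructed list of returned group names. It shows why an exact `equals sales` can miss while the wildcard `*accounts*` also lets in a group that was never meant to get the exception. The `EXAMPLE\` prefix, the contractor group, case-sensitive comparison, and glob semantics for `matches` are all assumptions here.

```python
from fnmatch import fnmatchcase

# Constructed sample of what an authentication test might list for one user.
# The EXAMPLE\ prefix and the contractor group are assumptions for illustration.
RETURNED_GROUPS = ["EXAMPLE\\Sales", "EXAMPLE\\accounts-contractors", "Domain Users"]

def criterion_hits(groups, op, value):
    """Return the returned group names that satisfy one rule criterion."""
    if op == "equals":                      # assumed exact, case-sensitive compare
        return [g for g in groups if g == value]
    if op == "matches":                     # assumed glob-style wildcard compare
        return [g for g in groups if fnmatchcase(g, value)]
    raise ValueError(f"unknown operator: {op}")

def near_misses(groups, value):
    """Names containing the wanted value ignoring case: likely the real string."""
    return [g for g in groups if value.lower() in g.lower() and g != value]

def evaluate(groups, category, criteria, wanted_category):
    """(criterion OR criterion ...) AND category -> 'Stop Ruleset', else continue."""
    group_ok = any(criterion_hits(groups, op, v) for op, v in criteria)
    return "Stop Ruleset" if group_ok and category == wanted_category else "continue"

# The three group criteria from reply 2, with the typos in the property name fixed.
RULE = [("equals", "HR"), ("matches", "*accounts*"), ("equals", "sales")]

if __name__ == "__main__":
    for op, value in RULE:
        hits = criterion_hits(RETURNED_GROUPS, op, value)
        hint = "" if hits else f"  near misses: {near_misses(RETURNED_GROUPS, value)}"
        print(f"{op:8} {value!r:14} hits={hits}{hint}")
    print(evaluate(RETURNED_GROUPS, "Professional Networking", RULE,
                   "Professional Networking"))
```

Copying the group string exactly as the authentication test displays it into the rule or list avoids both the silent miss and the overly broad wildcard.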