10-09-2011 11:53 AM
Hello Dears,
I want to block some corporate users for a specific time range on specific days. I created 2 access policies named Block user by time and Allow user by time. In each I have selected membership by the identity Corporate users, with authentication against AD restricted to specific users and groups (by name), and also membership by time range.
IDENTITIES
1. Corporate users by subnet 10.10.0.0/16 by selecting authentication with AD
Access Policies are in below sequence:
1. On the Block user by time access policy I have selected the identity Corporate users with specific users and a Block time range membership, and I have blocked all protocols and user agents so everything will be blocked (no internet access at all).
2. On the Allow user by time access policy I have selected the identity Corporate users with specific users and an Allow time range membership, and I have allowed limited URLs by selecting custom URLs in URL category.
3. On the Corporate users access policy I have blocked specific URLs and also set a limit on download file size by selecting the identity Corporate users and also specifying membership by corporate subnets 10.10.1.0/24, 10.10.2.0/24, etc.
Authentication for all the access policies uses only 1 identity, i.e. Corporate Users authenticating by AD.
BUT THE ABOVE CONFIGS ARE NOT WORKING. WHERE AM I MISSING, MY FRIENDS? PLEASE HELP.
Thanks
10-11-2011 05:46 PM
Hey Estala,
Did you set the times using military/24-hour time?
If the "specific users" are the same users, did you create 2 different time ranges? If they are the same users, I'd use 1 time range, and on the "block" policy set it for "match during..." and for the allow set it for "Match EXCEPT".
That way you know you don't have overlap someplace...
Also, look at the Policy Trace tool (System Administration>Policy Trace) to see what the policy engine thinks should be happening...
Ken
10-12-2011 10:17 PM
Hello Ken,
Happy to see your reply.
I have done according to your mail and I have also run a policy trace. In the policy trace it shows me the Block user by time policy, but when the user tries to browse he is able to go on the internet. When he tries to open a website which is blocked in the Corporate access policy he is denied. Other than the blocked URLs he is able to browse all websites, which means the CORPORATE policy is taking effect on him.
This is the strange thing: the policy trace is showing me BLOCK USER BY TIME, but in effect it is the CORPORATE POLICY.
I'm using the same realm for all 3 policies; I hope this is not the issue?
Thanks
10-17-2011 06:03 PM
Hey Estalla,
What does the access log say when this user hits it?
http://tinyurl.com/6ekeec, grep for the user's IP address.
Ken
10-18-2011 12:19 PM
Thanks dear,
Should the username specified in the access policy membership be written as DOMAIN\USER, and should the domain name be written in upper case, or can it work with lower case also?
The problem is solved now. When I applied it in lower case it was not working, but when I put it in upper case the policy came into effect, and it is working.
When the policy came into effect I tried changing it back to lower case and the policy was still in effect. The WSA is doing crazy things with me.
Strange things are happening with me.
10-19-2011 09:40 AM
Hey Estella,
I wouldn't think so, but I'm in the beta program, so I'll test it, and if it is case sensitive, I'll put it in to get fixed.
Ken