09-01-2013 11:00 PM
Hi
I have two IronPort boxes, with all traffic going through both boxes. Authentication is only for domain users. Currently we don't have any group policy configured; all users are under one group. I have blocked social networks for the users. My management is now telling me to open them for managers and higher management officials.
Please tell me how to configure in WSA and what are the requirement from Active Directory admin.
Thanks and Regards,
Shahul Hameed
09-02-2013 12:07 AM
Hi,
Here's how I'd do it:
Create an AD group "Allow Social Networking" and add people or groups you want to be associated with it.
Create an Access Policy with the following Identity:
Identities and Users:
All Identities
Selected Groups and Users:
DOMAIN\Allow Social Networking
Advanced:
URL Categories:
Social Networking
Then Monitor Social Networking in URL Filtering and add the appropriate Applications in that policy.
Thanks
Chris
09-02-2013 05:45 AM
Hi Chris
Thanks for your reply.
I tested as you said but I couldn't succeed.
My account is in both the general and "social network" groups; is that causing the issue? Shall I ask the AD admin to remove my account from general and keep it in the "social network" group?
I have attached the screen shots of policy trace from WSA and webpage error.
Thanks and Regards,
Shahul Hameed.
09-02-2013 06:10 AM
That's blocking on the category and not the AVC.
I do notice that you appear to have something going on with your identities as you are coming up with an Identity Policy of "test".
I'd check your Identity Policy to confirm you don't have something in there that is superseding it; I'd expect your Identity Policy to be the standard domain Identity.
Thanks
Chris
09-02-2013 09:43 PM
09-03-2013 12:14 AM
Try the trace using your IP address as well to confirm that there isn't an IP identity that could be taking it over. Bear in mind that the WSA doesn't look up immediately when you add yourself to the AD group, so it could be a hangover from the old policy; try to access the site after doing the trace.
After that try a grep from the CLI.
Log onto the WSA via SSH:
grep
1 (accesslogs)
Expression: your IP address
Do you Want to tail the logs? Y
And you'll get something like this:
1378191772.896 1 xxx.xxx.242.206 TCP_DENIED/403 2403 GET http://facebook.com/ "xxx\cillsley@xxx" NONE/- - BLOCK_WEBCAT_11-Standard-xxx_user-DefaultGroup-NONE-NONE-NONE
If it was allowed you'll get something like this:
1378192271.945 219 xxx.xxx.242.206 TCP_CLIENT_REFRESH_MISS/301 498 GET http://facebook.com/ "xxxcillsley@xxx" DIRECT/facebook.com text/html ALLOW_WBRS_11-Allow_Social_Networking-xxx_user-DefaultGroup-NONE-NONE-DefaultGroup
09-03-2013 02:29 AM
Hi Chris
Thank you for your kind reply.
I am a little afraid to enable it during working hours. Can I keep the existing policy and enable the new policy? Will it impact any service, or is there no service interruption?
I have attached existing access policy list for your information.
Thanks and Regards,
Shahul Hameed.
09-03-2013 03:11 AM
Hi,
Doing "grep" just displays the log on screen; it doesn't impact operation.
But if you're worried do it out of hours.
Thanks
Chris
09-03-2013 03:14 AM
Hi Chris
Can I keep the existing access policy?
Thanks and Regards,
Shahul Hameed.
09-03-2013 03:17 AM
Running grep is just monitoring, you'll be making no change to the system.
Thanks
Chris
09-03-2013 05:19 AM
Hi Chris
As you said I collected logs using grep command and attached for your information.
Now I have the following issues.
First, let me brief you about my network and user setup. We have a Citrix server, and clients are connected to Citrix through WYSE dump systems. All users get all applications from the Citrix server. All users are in one group. The managers and team leaders are in the common group for Citrix access, and they are in the VPN and WIFI groups to access VPN and wireless. My account is also added to both groups.
For the new requirement I asked the server admin to create a group as you said, “Allow social network”, and they added me and one of my colleagues. Yesterday I tried with WYSE and it didn't work. Today I tested with a laptop which is joined to our domain, with my colleague's account. After enabling the new policy the social sites opened and worked fine. After that I checked with my account and it wasn't working. Then I told my colleague to test on WYSE with his account and it wasn't working.
Please advise what could be the reason?
Thanks and Regards,
Shahul Hameed.
09-03-2013 06:26 AM
I'm confused, did those logs bring up the blocked page?
See below, it's assigned you the Top_Mgt Access Policy and allowed it:
1378208917.531 192 10.64.64.213 TCP_MISS/200 1419 GET http://www.facebook.com/ "cxcx\00368.ucc@cxcx.COM" DIRECT/www.facebook.com text/html ALLOW_WBRS_11-Top_Mgt-testcxcx-NONE-NONE-NONE-DefaultGroup
I can't see any denies at all. You could edit the blocked page to add the timestamp; this should take you to the direct DENIED message if you do another grep, this time not tailing the logs.
Thanks
Chris
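Added example, not part of any post in this thread: a small Python parser for the access-log lines quoted above (the 12:14 AM and 06:26 AM replies) that pulls out the user, the action and the Access Policy and Identity names from the trailing decision tag. The field order in `TAG_FIELDS` and all function names are assumptions of this example; the sample lines are the ones quoted in the thread.

```python
import re

# Sample input: the three access-log lines quoted in this thread.
SAMPLE = r'''
1378191772.896 1 xxx.xxx.242.206 TCP_DENIED/403 2403 GET http://facebook.com/ "xxx\cillsley@xxx" NONE/- - BLOCK_WEBCAT_11-Standard-xxx_user-DefaultGroup-NONE-NONE-NONE
1378192271.945 219 xxx.xxx.242.206 TCP_CLIENT_REFRESH_MISS/301 498 GET http://facebook.com/ "xxxcillsley@xxx" DIRECT/facebook.com text/html ALLOW_WBRS_11-Allow_Social_Networking-xxx_user-DefaultGroup-NONE-NONE-DefaultGroup
1378208917.531 192 10.64.64.213 TCP_MISS/200 1419 GET http://www.facebook.com/ "cxcx\00368.ucc@cxcx.COM" DIRECT/www.facebook.com text/html ALLOW_WBRS_11-Top_Mgt-testcxcx-NONE-NONE-NONE-DefaultGroup
'''

LINE = re.compile(
    r'(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+'
    r'(?P<result>[A-Z_]+)/(?P<status>\d+)\s+(?P<size>\d+)\s+'
    r'(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>"[^"]*"|\S+)\s+'
    r'(?P<hier>\S+)\s+(?P<mime>\S+)\s+(?P<tag>\S+)'
)

# Assumed order of the hyphen-separated policy names after the decision code.
TAG_FIELDS = ("access_policy", "identity", "outbound_malware",
              "data_security", "external_dlp", "routing_policy")

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["user"] = rec["user"].strip('"')
    decision, *names = rec.pop("tag").split("-")
    if len(names) != len(TAG_FIELDS):
        return None  # a policy name containing '-' cannot be split reliably
    rec["decision"] = decision                # e.g. BLOCK_WEBCAT_11
    rec["action"] = decision.split("_")[0]    # e.g. BLOCK or ALLOW
    rec.update(zip(TAG_FIELDS, names))
    return rec

def policy_hits(text, url_part):
    """(user, action, access_policy, identity) per request whose URL contains url_part."""
    rows = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and url_part in rec["url"]:
            rows.append((rec["user"], rec["action"],
                         rec["access_policy"], rec["identity"]))
    return rows

if __name__ == "__main__":
    for row in policy_hits(SAMPLE, "facebook.com"):
        print(*row, sep="\t")
```

Run over a saved grep of the access log, this makes it easy to see when the same user lands in different Access Policies or Identities from different clients.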
09-03-2013 10:55 PM
Hi Chris
When I open a blocked site, the warning message shows the wrong account ID. I log in with my ID (00153.ucc) but the warning message shows another ID, cxcx\01044.gulfe@xcxc.com. This warning message is coming from the WSA. Why is it showing the wrong ID?
I have attached the screen shot of the warning message.
Thanks and Regards,
Shahul Hameed.