cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1408
Views
0
Helpful
12
Replies

Group policy

shahulhameed
Level 3
Level 3

Hi

I have two IronPort boxes all traffic going through both boxes. The authentication only for domain users. Currently we dont have any group policy configured all users are under one group. I have blocked social network for the users. My management telling now open for mangers and higher management officials.

Please tell me how to configure in WSA and what are the requirement from Active Directory admin.

Thanks and Regards,

Shahul Hameed

12 Replies 12

Chris Illsley
Level 3
Level 3

Hi,

Here's how I'd do it:

Create an AD group "Allow Social Networking" and add people or groups you want to be associated with it.

Create an Access Policy with the following Identity:

Identities and Users:

All Identities

Selected Groups and Users:

DOMAIN\Allow Social Networking

Advanced:

URL Categories:

Social Networking

Then Monitor Social Networking in URL Filtering and add the appropriate Applications in that policy.

Thanks

Chris

Hi Chris

Thanks for your reply.

I tested as you said but i couldnt succeed.

My account with genereal and "social network" groups it is cause the issue? Shall I ask AD admin remove my account from general and keep in "social network" group?

I have attached the screen shots of policy trace from WSA and webpage error.

Thanks and Regards,

Shahul Hameed.

That's blocking on the category and not the AVC.

I do notice that you appear to have something going on with your identities as you are coming up with an Identity Policy of "test".

I'd check your Identity Policy to confirm you don't have something in there that is superceding it, I'd expect your Identity Policy to be the standard domain Identity.

Thanks

Chris

Hi Chris

I have confused now. Can you advise in detail please. I have attached the test identity for your further clarification.

Thanks and Regards,

Shahul Hameed.

Try the trace using your IP address as well to confirm that there isn;t an IP identity that could be taking it over.  Bear in mind that the WSA doesn't look up immediately when you add yourself to the AD group so it could be a hangover from the old policy, try and access the site after doing the trace.

After that try a grep from the CLI.

Log onto the WSA via SSH:

grep

1 (accesslogs)

Expression: your IP address

Do you Want to tail the logs? Y

And you'll get something like this:

1378191772.896 1 xxx.xxx.242.206 TCP_DENIED/403 2403 GET http://facebook.com/ "xxx\cillsley@xxx" NONE/- - BLOCK_WEBCAT_11-Standard-xxx_user-DefaultGroup-NONE-NONE-NONE - "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E)", 2013-09-03, 07:02:52

If it was allowed you'll get something like this:

1378192271.945 219 xxx.xxx.242.206 TCP_CLIENT_REFRESH_MISS/301 498 GET http://facebook.com/ "xxxcillsley@xxx" DIRECT/facebook.com text/html ALLOW_WBRS_11-Allow_Social_Networking-xxx_user-DefaultGroup-NONE-NONE-DefaultGroup - "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E)", 2013-09-03, 07:11:11

Hi Chris

Thank you for your kind reply.

I have little afraid to enable during working hours. Can I keep the existing and enable the new policy? Will it impact any service or no service interruption?

I have attached existing access policy list for your information.

Thanks and Regards,

Shahul Hameed.

Hi,

Doing "grep" just displays the log on screen it doesn't impact operation.

But if you're worried do it out of hours.

Thanks

Chris

HI Chris

Can I keep existing accesspolicy ?

Thanks and Regards,

Shahul Hameed.

Running grep is just monitoring, you'll be making no change to the system.

Thanks

Chris

Hi Chris

As you said I collected logs using grep command and attached for your information.

Now I have the following issues.

First let me brief about my network and users setup. We have citrix server and clients are connected with citrix through WYSE dump system. All users are getting all application from the citrix server. All users are in one group. The managers and team leaders are in common group for citrix access and they are in VPN and WIFI group for to access VPN and wireless. My account also added in both groups.

For new requirement I asked server admin create a group as you said “Allow social network” and they added me and one of my colleague. Yesterday I tried with WYSE it wasn’t work. Today I test with laptop which added to our domain with my colleague account. After enable the new policy the social sites were open and working fine. After that I check with my account it wasn’t working. Then I told to my colleague to test in WYSE with his account it wasn’t working.

Please advise what could be the reason?

Thanks and Regards,

Shahul Hameed.

I'm confused, did those logs bring up the blocked page?

See below, it's assigned you the Top_Mgt Access Policy and allowed it:

1378208917.531 192 10.64.64.213 TCP_MISS/200 1419 GET http://www.facebook.com/ "cxcx\00368.ucc@cxcx.COM" DIRECT/www.facebook.com text/html ALLOW_WBRS_11-Top_Mgt-testcxcx-NONE-NONE-NONE-DefaultGroup -

I can't see any denies at all, you could edit the blocked page to add the timestamp this should take you to the direct DENIED message if you do another grep this time not tailing the logs.

Thanks

Chris

Hi Chris

When I open a blocked site, the warning message is showing wrong account ID. I login with my ID (00153.ucc) but the warning message is showing other ID cxcx\01044.gulfe@xcxc.com. This warning message is coming from WSA. Why it is showing wrong ID?

I have attached the screen shot of the warning message.

Thanks and Regards,

Shahul Hameed.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: