
XG 16 mixing user rules and network rules

Hi,

Is it possible to configure the policies as follows:

User Rule 1: Allow from LAN to WAN matching User Group A (redirect to captive portal is unauthenticated), no app control

User Rule 2: Allow from LAN to WAN matching User Group B (redirect to captive portal is unauthenticated), app control block social networking only

Network Rule 3: Allow from LAN to WAN for unauthenticated traffic, app control to allow only TeamViewer and Windows Update traffic

In other words, if user attempts to go online, e.g. www.google.com, he will be redirected to captive portal for authentication before he can access the page.

Other users who are not authenticated, their PCs can still able to use TeamViewer and perform Windows Update.

Thanks.



  • KennethChin,

    your scenario can be achieved, but users must be authenticated first, otherwise they will always hit rule 3.

    So the captive portal cannot be used in this case; you can use the Sophos Authentication Agent, Clientless, or LDAP/SSO/RADIUS/eDirectory.


  • Luk,

    My client's use case is as follows:

    1. Without authentication, the PCs should be able to access TeamViewer and Windows Update only. No other internet access allowed.

    2. Certain users are given user accounts to access internet. There are 2 groups: A and B. Users from group A have unrestricted access to internet. Users from group B have access to internet except Facebook.

    From what you're saying, please correct me if I'm wrong, I have the following options to implement the above use cases:

    1. Install auth agent in each PC and create user accounts for everyone, then use User Rules to configure policy accordingly.

    2. Use clientless, but I thought this is meant for servers/printers use.

    3. LDAP/SSO/RADIUS/eDirectory, this is not an available option at the moment, maybe later.

    4. Without using agent/clientless/SSO, stick to the policies I outlined earlier, but disable redirect to captive portal, so basically all PCs are allowed to access TeamViewer and Windows Update without authentication. When the user requires internet, only then they need to manually go to the captive portal page to login, then go to their intended websites. Automatic redirection to captive portal cannot be supported in this scenario.

    Thanks.
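The ordering problem the reply points at (unauthenticated traffic never reaches the identity-based rules because rule 3 already matches it) is easy to see in a simplified first-match simulation. The following is an added example written for this thread, not Sophos code and not a model of the actual XG rule engine: it assumes a generic top-down, first-match policy, treats "app control" as a category string the engine has already classified, and uses made-up category names (`social-networking`, `teamviewer`, `windows-update`, `web-browsing`).

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed model of a request after the firewall has classified the
# application and (if the client authenticated) attached an identity.
@dataclass(frozen=True)
class Request:
    src_zone: str
    dst_zone: str
    app: str                      # app-control category, e.g. "social-networking"
    user: Optional[str] = None    # None = unauthenticated client
    groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    group: Optional[str] = None                   # None = any user, incl. unauthenticated
    blocked_apps: FrozenSet[str] = frozenset()    # app-control block list
    allowed_apps: Optional[FrozenSet[str]] = None # app-control allow-only list

    def matches(self, req: Request) -> bool:
        """Does this rule apply to the request at all (zones + identity)?"""
        if (req.src_zone, req.dst_zone) != (self.src_zone, self.dst_zone):
            return False
        # A user rule only matches clients whose identity is already known.
        if self.group is not None and self.group not in req.groups:
            return False
        return True

    def decide(self, req: Request) -> str:
        """Apply the rule's app-control settings to a matching request."""
        if self.allowed_apps is not None and req.app not in self.allowed_apps:
            return "deny"
        if req.app in self.blocked_apps:
            return "deny"
        return "allow"


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """First-match evaluation: the first rule that matches decides."""
    for rule in rules:
        if rule.matches(req):
            return rule.name, rule.decide(req)
    return "implicit-drop", "deny"


# The three rules from the question, in the order they were listed.
POLICY = [
    Rule("user-rule-1", "LAN", "WAN", group="A"),
    Rule("user-rule-2", "LAN", "WAN", group="B",
         blocked_apps=frozenset({"social-networking"})),
    Rule("network-rule-3", "LAN", "WAN",
         allowed_apps=frozenset({"teamviewer", "windows-update"})),
]


def unauthenticated(app: str) -> Tuple[str, str]:
    # No identity attached: rules 1 and 2 cannot match, so rule 3 decides.
    return evaluate(POLICY, Request("LAN", "WAN", app))


def as_member(group: str, app: str) -> Tuple[str, str]:
    # After a (manual) captive portal login the identity is attached.
    return evaluate(POLICY, Request("LAN", "WAN", app,
                                    user="someone", groups=frozenset({group})))


if __name__ == "__main__":
    for app in ("web-browsing", "teamviewer", "windows-update"):
        print("unauthenticated", app, "->", unauthenticated(app))
    for grp in ("A", "B"):
        for app in ("web-browsing", "social-networking"):
            print("group", grp, app, "->", as_member(grp, app))
```

Running it shows the shape of the thread's conclusion: every unauthenticated request lands on `network-rule-3`, where only TeamViewer and Windows Update survive app control, so nothing in the policy ever triggers a redirect; once an identity is present (option 4's manual portal login), the same client's traffic is decided by `user-rule-1` or `user-rule-2` instead.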
