Singling out specific AD group to block specific websites

Hey guys,

I have a rather specific request regarding WebFiltering.

We have a customer that wants to block specific streaming platforms due to bandwidth issues - normally I would point at a management issue rather than technically solving the problem but needs must and customer is king, yada yada yada.

At least the issue is interesting and I have not found how to do this best in the forums. Since I am not that versed with the WebFilter I thought it best to put this to the community for suggestions.

Our customer was using the WebFilter only with very basic settings. Filtering was enabled on all local networks, without any authentication.
Now with this issue coming up, we probably need to rework the WebFilter completely.
A specific user group (via AD check) should be blocked from watching video streams while we leave everything else alone (if possible).

Already I am thinking on how the WebFilter will handle this. In my mind it is very likely that the Default Filter, having basically no restrictions, will always be addressed first and thus any further configuration will be for the crapper. Am I right in that thinking?
Our customer was very quick to mention that there were groups of people that use some of the blocked sites for actual work and must not be blocked from them.

TL;DR:
User has WebFilter active
Wants to have specific filter rule for one AD Group
Everything else should stay as is
Possible?


Thanks in advance folks



  • Hello again,

    I also discussed this with our distributor's support team.
    What we came up with was creating a new profile (Web Protection => Web Filter Profiles => New Profile), and in the new profile we allow the corresponding network with Standard operating mode and AD SSO authentication.

    In that profile we add a new policy in which we filter for the AD group and add a filter action for the stuff our customer wants to block.

    Anything that does not correspond to the AD group should still be handled by the Base Policy.

    Customer is currently in testing.

    Cheers
    ~Chris

  • Yes. See the Wiki section, and the articles pinned to the top of the Web Filtering forum for additional resources.

    Potential complications if decrypt-and-scan is disabled:

    • The path, query string, and NTLM information are hidden in the encrypted portion of the packet.
      • UTM can only filter on the FQDN, since that is all that it sees.
      • UTM assumes the user is the same as the last HTTP request from the same IP. If there was no previous HTTP packet, the request will be handled as unauthenticated. To minimize the problem, you might want to add an internet-bound HTTP request to the startup pages of your browsers, so that the user gets authenticated immediately.

    Potential complications if decrypt-and-scan is enabled:

    • Websites may behave differently or break when UTM originates the request, particularly if they are using a Java or ActiveX plug-in.
    • UTM supports fewer ciphersuites than do the major browsers, so UTM will be unable to connect to some websites that only permit the newest ciphersuites.
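
The per-IP user attribution described in the reply above (decrypt-and-scan disabled), as an added example that is not part of the original thread and is not Sophos code: a simplified Python model showing why an AD-group policy only takes effect for HTTPS after a plain HTTP request has identified the user. The class, group name, hostnames and IP addresses are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data: group membership, hostnames and IPs are illustrative.
BLOCKED_GROUP = "NoStreaming"
AD_GROUPS = {"alice": {"NoStreaming"}, "bob": {"Staff"}}
STREAMING_FQDNS = {"video.example.com"}


@dataclass
class ProxyModel:
    """Toy model of user attribution when HTTPS traffic is not decrypted."""
    last_user_by_ip: dict = field(default_factory=dict)

    def http_request(self, src_ip, user, host):
        # Plain HTTP: the authentication exchange is visible, so the user is learned.
        self.last_user_by_ip[src_ip] = user
        return self._decide(user, host)

    def https_request(self, src_ip, fqdn):
        # No decryption: only the FQDN is visible. The user is assumed to be
        # whoever made the last HTTP request from this source IP.
        user = self.last_user_by_ip.get(src_ip)  # None means unauthenticated
        return self._decide(user, fqdn)

    def _decide(self, user, host):
        groups = AD_GROUPS.get(user, set())
        if BLOCKED_GROUP in groups and host in STREAMING_FQDNS:
            return ("group-policy", "block", user)
        # Requests not matched by the group policy fall through to the base policy.
        return ("base-policy", "allow", user)


def demo():
    proxy = ProxyModel()
    results = []
    # 1. First request after login is HTTPS: no user is known for this IP yet.
    results.append(proxy.https_request("10.0.0.5", "video.example.com"))
    # 2. The browser start page makes a plain HTTP request: user is attributed.
    results.append(proxy.http_request("10.0.0.5", "alice", "start.example.com"))
    # 3. The same HTTPS request now matches the AD-group policy.
    results.append(proxy.https_request("10.0.0.5", "video.example.com"))
    # 4. A user outside the group stays on the base policy.
    proxy.http_request("10.0.0.6", "bob", "start.example.com")
    results.append(proxy.https_request("10.0.0.6", "video.example.com"))
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```

When testing a group-based block, check the web filter log for HTTPS requests recorded without a user name: those are the ones that fell through to the base policy.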
  • Hallo Chris,

    You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address. For our German-speaking members, I also maintain a version auf Deutsch initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA