I am trying to create a filter to allow full access to all websites without much luck. We are running AWS 7.305 using eDir authentication (edir 8.7.3.9) Currently we have three filter assignments/actions--one for students, two for staff depending on time of day--that have been working well for several months. I tried adding another filter assignment to allow all, but it is still being blocked. Here's what I did: [LIST=1] created a group in eDir and added users to the group created group in AWS, backend membership with eDir the backend type and added the eDir group to the list of users/groups created a filter action to allow by default and leave unchecked all of the boxes for categories to block, including uncategorized created a filter assignment using the filter action from #2, time is "always" and added the group from #1 added the filter assignment from #3 to the proxy profile being used by the other filter assignments. I placed the open access filter assignment last, being the least restrictive. [/LIST] Users in the open group are not in any of the other groups assigned to the profile. But they are still being blocked from some websites. Did I miss some important part of the setup process? I didn't set up the original profiles. Also, is there way to tell from the log files which filter actiion is being applied? I don't even really have a handle on which filter action is causing the blocking. Thanks for any insight you can give on this.

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Filter with full access

I am trying to create a filter to allow full access to all websites without much luck.

We are running AWS 7.305 using eDir authentication (edir 8.7.3.9)

Currently we have three filter assignments/actions--one for students, two for staff depending on time of day--that have been working well for several months. I tried adding another filter assignment to allow all, but it is still being blocked. Here's what I did:

[LIST=1]

created a group in eDir and added users to the group
created group in AWS, backend membership with eDir the backend type and added the eDir group to the list of users/groups
created a filter action to allow by default and leave unchecked all of the boxes for categories to block, including uncategorized
created a filter assignment using the filter action from #2, time is "always" and added the group from #1
added the filter assignment from #3 to the proxy profile being used by the other filter assignments. I placed the open access filter assignment last, being the least restrictive.

[/LIST]
Users in the open group are not in any of the other groups assigned to the profile. But they are still being blocked from some websites.

Did I miss some important part of the setup process? I didn't set up the original profiles. Also, is there way to tell from the log files which filter actiion is being applied? I don't even really have a handle on which filter action is causing the blocking.

Thanks for any insight you can give on this.

This thread was automatically locked due to age.

Parents

0 BAlfson over 17 years ago

Are the clients' browsers pointed at the Astaro proxy? If the people are using transparent mode, then they aren't authenticated into the group you created.

Yes, the HTTP log does show which filter was applied.

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 dschaalm over 17 years ago in reply to BAlfson

Yes, the clients' browsers are pointing to the Astaro proxy. They are not using transparent mode. The original filters work as intended, but I can't get this new one to work for some reason.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 17 years ago in reply to dschaalm

There is a trick in the definition of the user group. In the definition, contrary to what the manual says, you must NOT use the FQDN of the eDir group; just use the name (CN) without "CN=" and all of the other stuff. If you drag an eDir group into the box when you define the Astaro group, the Astaro mistakenly fills in the entire FQDN.

Is that it?

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 17 years ago in reply to dschaalm

There is a trick in the definition of the user group. In the definition, contrary to what the manual says, you must NOT use the FQDN of the eDir group; just use the name (CN) without "CN=" and all of the other stuff. If you drag an eDir group into the box when you define the Astaro group, the Astaro mistakenly fills in the entire FQDN.

Is that it?

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 dschaalm over 17 years ago in reply to BAlfson

That's interesting, because I have five other groups and they all have the leading cn= and they all work correctly. Only this new one does not. I'll try removing that and see what happens.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 17 years ago in reply to dschaalm

I'm sorry, I should have explained that this is a problem in the Astaro Active Directory implementation. It may not be a problem in eDir SSO.

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel