Hi all, due to aging hardware and end of life support our firm has decided to move from MS Forefront TMG 2010 to Sophos UTM
We are currently on what I believe to be the latest version 9.106-17 running on a UTM 320 device
I am trying to replicate what we currently have set up on our current TMG system. The scenario is as follows:
Certain categories are blocked for everyone (e.g. Drugs and Nudity).
Certain categories are blocked for everyone EXCEPT users that are members of the groups "TMG Exceptions - Social Networking" and "TMG Exceptions - Video Streaming" (the names are legacy and will be changed before the unit goes into production). There are more than just two exception groups but I'll just focus on these two.
Additionally there are some time restrictions but I won't touch that until this is sorted.
At first I thought it would be a simple case of setting the exceptions via a new exception list under the "Exceptions" tab in "Web Filtering". I set a rule skipping "URL Filter" going to the categories of "Social Networking" coming from the users/groups "TMG Exceptions - Social Networking" but this didn't seem to have any affect.
Then I had a look at Web Filtering options and read through the Sophos supplied documentation and searched the forums here to get an idea on how it should be set up (and yes I looked at that flowchart in the UTM Web Filtering page as well). At first I thought I could create a simple "allow only" rule for Social networking when a user is a member of "TMG Exceptions - Social Networking" so they can access Facebook but still be blocked from the really nasty stuff. I have since learnt this is wrong and I have to actually recreate ALL the categories I wish to block for everyone EXCEPT Social Networking. I tested this and it worked although I consider it incredibly cumbersome. Please see the attached screen shots for how I configured this.
Now this introduces another problem. Say someone is a member of both "TMG Exceptions - Social Networking" and "TMG Exceptions - Video Streaming". If they want to get to Youtube.com they would be successfully matched against the Social Networking rule (as they are a member) which doesn't allow Video Streaming and the subsequent rules will not be evaluated. To get around this I would have to create new groups for every conceivable combination of group memberships and create custom Filter assignments and actions for those!
Can somebody please tell me if 1) There is a more simple way to allow access to blocked content based on membership in Active Directory groups & 2) How you would can get around the issue of evaluation other rules if the group membership in filter assignments IS matched but the site category IS NOT matched.
I feel like I am either taking crazy pills or I have misunderstood something very simple.[:S]
Many thanks
This thread was automatically locked due to age.
