
Web appliance - Additional policy still applies after user removed from AD group

I am testing the VM appliance. 

The organisation requires that Facebook be blocked for all users, except members of the online communications team. 

The default policy blocks the "Personals and Dating" category.

Facebook is classified as "Personals and Dating"

An AD group has been created called "Allow Facebook"

I have added the site to the local site list and tagged it as "Social Networking"

I have created an additional policy that allows members of the AD group to access sites tagged as "Social Networking".

Users in the group are able to access Facebook.com

When I remove the user from the group and log them off and back on, they can still access Facebook.com.

If I run the Policy Test with the user removed from the group, the site is still allowed.

If I run the Policy Test with a user who has never been in the group, the site is blocked.  

Why could this be? Something to do with groups not synchronising in good time? Can anyone help please?

Thanks.

  • You may just not be waiting long enough.  The appliance won't recognize your AD change until its next sync with AD.  I'm not sure what the interval is, but you can force a sync from the Configuration->System->Active Directory page.

  • Thank you. Synchronising has solved the problem. 

    Does anyone know how frequently this is done automatically?

    I have a number of sites that I need to block which are part of categories which by default are allowed. 

    I have tested with a newly created account and it does not apply those block policies until a sync has been done. It looks like for the duration of the first login, if done before a sync, none of the policies will apply. I had also hoped for support staff to be able to just add a user to a group to allow a site, and not also have to tell them to wait X minutes. 

    Other web filtering products I have used monitored the DCs for logon events and updated the group membership accordingly. Does anyone know if using this along with the Endpoint client will make any difference?

    Thanks again. 

  • Hi Guys,

    The appliance by default syncs with AD every two hours.  Group membership is pulled in via an LDAP sync.

    If you do plan to manage this by changing group memberships in AD, then the endpoint Web Control feature should help - group membership will be calculated on the endpoint.

    Thanks,

    Tom.

  • Thanks Tom. Are you aware of any way to change the default time?

  • Sure, this setting can be changed, but currently only by our support teams.  Please enable remote assistance (Help > Sophos support) and log a ticket with them.

    - Tom.
