How to target and whitelist Facebook for a marketing user?

Sorry, but I have to unlock a user for Facebook inside our company network.
We have blocked Facebook for all users, which works fine.

Now just one marketing user needs Facebook for work, and I want to whitelist this user so he can do his work on FB.
We do not use any AD user authentication and want it to stay this way. Anyway, users do authenticate over SSL VPN with email and password, so I tried to unblock the VPN user, because he should be clearly authenticated to the network. (The VPN connection works inside or outside the company without problems.)

Is there a way to whitelist a user simply by his IP or his VPN user account inside the network?

Under Web Protection > Application Control we have a rule that blocks Facebook for all users. (works)

[Screenshot: "Block Facebook" rule, with the rule unblocking the VPN user from Marketing on top]

I tried to add, in the same place, a rule that whitelists (allows) the specific VPN user and a test user (Robert), and put it on top, but Facebook is still blocked when the specific user is connected via VPN. (See screenshot.) Only when I deactivate the second rule (block Facebook for all users) does Facebook load again, but then for all users.

I also added a new user for testing and gave him his laptop's internal IP address (Robert), but it did not work for this user either.

[Screenshot: test user entered with internal IP address]

Why is the new "1 unblock marketing" rule not working inside Application Control or is there a better way to handle this?

  • Several things...

    Static Remote Access IPs only work with PPTP and L2TP/IPsec - not with SSL VPN.

    Assigning a Static Remote Access IP in the subnet of "Internal (Network)" will cause routing problems.

    My usual recommendation is for internal subnets to be in the 172.16.0.0/12 range. Reserve 192.168.0.0/16 for public hotspots and home users. Reserve anything in 10.0.0.0/8 for giant multinationals, ISPs, etc.

    There's no advantage to having different user names for VPN access - that only adds complexity.

    Assuming that you have a user "Robert" that you want to allow access in App Ctrl, the "Robert (User Network)" object will only be populated if he connects via VPN or signs in with the Client Authentication app. Then, your first App Ctrl rule will "take."

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA