
Best Way To Do Our Web Filters

So, I'm looking for ideas on the best way to set up our UTMs for web proxy.  We are a large organisation, so looking for the best/easiest way to do this.

Our web proxy is used by various internal customers, who all have different requirements.

Currently have it set in standard mode, using AD groups.

For example :-

Customer 1 by default blocks all social media.  But they want 20 staff to access Facebook and Twitter.

Customer 1 by default blocks all streaming media. But they want 20 staff to access YouTube.

The staff who need YouTube may also need Facebook but no Twitter for example so a wide mix. 

The issue is that user John Smith, let's say, is a member of "All Customer 1 Staff", so it matches the 1st rule we have that he is in.

We have separate AD groups currently for YouTube, Facebook etc as we use these on TMG. 

At the moment, during testing, we have a policy rule for each customer, which says block social media and block streaming media, but how can we do it so that certain users can access certain sites? I don't mind creating rules for each one, as there are probably only 20 exceptions.  Problem is the first rule that matches the user is processed, so how do we get around that?

At the moment we use TMG so we have rules that allow Facebook and Twitter etc and block the rest and TMG processes rules as they are matched so not an issue. 



  • The way to do this is with Exceptions, Duncan.  Block Social Media and Streaming Media for everyone.  Make an Exception for each Backend Group going to a REGEX for the URL allowed.

    The alternative is to make more AD Security Groups where, for example, someone allowed Facebook and Twitter is not in a Group with someone allowed only Facebook.  I think the Exceptions will be clearer and easier to manage.

    Cheers - Bob

    PS you might want to take a look at Configuring HTTP/S proxy access with AD SSO.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    Thanks for the advice.  Not used the "Exceptions" before, but will look into this as a possible solution.

    I guess this is "Exceptions" and then "Coming from these users/groups" and specify the group there, with "and" and "going to these URL's" or I guess using the "Tags" will work as I currently use Tags, for different customers, as it saves time with lots of rules.

    Thanks, Duncan

  • Just tested this way with mail.yahoo.com and the block seems to be overriding the exception

    So for example, by default all mail is blocked.  So I created the Exception.

    I have tried "Matching These URL's" and used ^https?://mail\.yahoo\.com I have also tried using a TAG here to mail.yahoo.com but no luck (Tags work ok in other rules) and "Coming From these users..." and added my group here that the test account is a member of, but no luck.

    I'm not sure about the "Skip these checks" options. It said I had to select at least 1 (not sure why, seems irrelevant in this case), so I just selected "Extension blocking" as a test.

     

    2017:02:27-13:59:04 dc1-utm-2 httpproxy[18336]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="172.16.216.192" dstip="" user="xxxxtest" group="Allow Access To Yahoo mail" ad_domain="XXXDOMAIN" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3216" request="0xa4988000" url="https://mail.yahoo.com/" referer="" error="" authtime="92" dnstime="0" cattime="0" avscantime="0" fullreqtime="212407" device="0" auth="2" ua="Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" exceptions="fileextension" overridecategory="1" overridereputation="1" category="156" reputation="trusted" categoryname="Web Mail" reason="category"

    Thanks, Duncan
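
Reading the log line from the post above, as an added example that is not part of any post in this thread: it pulls out which checks the matching Exception skipped and why the request was still blocked, then tests the posted regex against look-alike hosts. Python's `re` stands in for the UTM's own regex matching (an assumption), and `TIGHT_RE` and the `example.net` URLs are constructed for illustration.

```python
import re

# Fields copied from the log line posted above (remaining fields omitted for brevity).
LOG = ('2017:02:27-13:59:04 dc1-utm-2 httpproxy[18336]: id="0060" severity="info" '
       'name="web request blocked, forbidden category detected" action="block" '
       'method="CONNECT" user="xxxxtest" group="Allow Access To Yahoo mail" '
       'url="https://mail.yahoo.com/" exceptions="fileextension" '
       'categoryname="Web Mail" reason="category"')

POSTED_RE = r'^https?://mail\.yahoo\.com'                 # regex as posted
TIGHT_RE = r'^https?://mail\.yahoo\.com(?::\d+)?(?:/|$)'  # added suggestion: terminate the host

# Constructed test URLs; example.net is a placeholder domain.
SAMPLES = ['https://mail.yahoo.com/', 'http://mail.yahoo.com',
           'https://mail.yahoo.com:443/', 'https://mail.yahoo.com.example.net/',
           'https://mail.yahoo.community.example.net/']

def parse(line):
    """Split an httpproxy log line into its key="value" fields."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def triage(line, exception_regex):
    """Summarise whether an Exception applied and whether it covered the block."""
    f = parse(line)
    skipped = [s for s in f.get('exceptions', '').split(',') if s]
    blocked = f.get('action') == 'block'
    return {
        'group': f.get('group'),
        'url_matches_regex': bool(re.search(exception_regex, f.get('url', ''))),
        'skipped_checks': skipped,
        'block_reason': f.get('reason'),
        # An Exception applied but the request was still blocked, so the
        # checks it skips do not include the check that did the blocking.
        'exception_too_narrow': blocked and bool(skipped),
    }

def matched(regex, urls):
    """Return the URLs an unanchored-at-the-end regex would let through."""
    return [u for u in urls if re.search(regex, u)]

if __name__ == '__main__':
    print(triage(LOG, POSTED_RE))
    print('posted regex matches:', matched(POSTED_RE, SAMPLES))
    print('tight regex matches: ', matched(TIGHT_RE, SAMPLES))
```
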

  • exceptions="fileextension"

    Please post a picture of the Exception that was supposed to allow this access.

    Cheers - Bob

     
  • Hi

    Thanks for the reply.  Not too sure what you mean by exceptions="fileextension".

    But I have tried an "Exception" under "Filtering Options" as follows.  But it seems to say blocked by the Filter/Policy

    Thanks, Duncan

  • Ahhh, forget that, might have sussed it now.  Looks like the group had not fully sync'd for some reason; the tags and expressions seem to work now.

    Can I confirm, does it hit the Exceptions first or the actual block on the filter? Just curious, was not 100% sure.

    Thanks, Duncan

  • I don't understand how having an Exception for 'Extension blocking' would allow this traffic if it's blocked elsewhere, but we didn't see how you accomplish that. Are you sure that the traffic is blocked for others?

    Yes, Exceptions take precedence over the other settings.

    Cheers - Bob

     