04-20-2011 12:34 PM
I'm having trouble with a couple url policies. I'm brand new and still playing but this is what I get so far. I've modified the Global Policy so it's set to block "Computers/Communication/Email Related" and "Social/Social Networking" and 2 new policies that allow access related to specific AD groups. In my 2 additional policies what do I set the other categories to or do I leave them at allow. I'm trying figure out what needs to be allowed or blocked in the policies higher up the ladder.
I'm thinking my Global Policy will contain all the blocks that we block ie. email/youtube/facebook etc. Then I create separate policies that allow access. I'm just not sure how to set all the categories in each new policy.
Any help would be greatly appreciated.
04-23-2011 12:40 AM
The IWSVA policies working in next behavior - from up to down and from more specific to more global.
In example - the UserA is member of groupB and GroupB can watch the youtube. And all rest groups can't.
So you need place the first policy - for GroupB allow youtube and in global policy block youtube.
And for each new policy you can set any categories. IWSVA find that user can use youtube (for example) by custom policy and the global policy didn't take place.
04-25-2011 10:58 PM
Your custom policies that you created are what we called User Policies since it applies to specific users, in this case to specific AD groups. Global Policy will only apply to all users that are not covered by a User Policy.
In these case, in your User Policies you can allow only the URL categories that you wanted this AD groups to access. You can even allow only the categories that these users are allowed to have access to then block the rest. Global Policy will only take effect if there are no User-based URL Filtering Policy that apply to the user submitting the request. Best practice is put all the User Policies at the top and the Global Policy at the bottom of the list.
04-26-2011 03:44 PM - edited 04-26-2011 03:56 PM
Having worked with URL filtering since the earlier versions of IWSS, I think the URL filtering policies are definitely an area that could be improved. Policy management is painful.
The main problem is that policies are not cumulative. For example, we have users in a group for Internet access, which has a policy allowing this. Then we have users who need social networking. This needs a second policy almost identical to the Internet one, with one check box different. Then another policy allowing streaming media, then another group allowing social networking AND streaming media.
The problem is this means we need 4 almost-identical policies with minor changes in each. So if we want to change an unrelated setting (eg allow access to Health sites), we have to go into all 4 policies to change it.
I would prefer a firewall-type approach, where you have a global deny, above this a main Internet policy, and then above this more granular settings specific to smaller groups of users. then the policies could cumulatively build the access a user needs, and provide that once it reads all the policies. Why not have another option like IGNORE for all the other settings in the policy, so it then reads these from the next policy that matches the user.
Lastly, considering the current limitations of having to duplicate all our policies for slightly different user access, you should be able to at least copy a policy when wanting to create a new one, rather than have to start from scratch.
Just my 2 cents,
03-07-2012 01:03 PM
I'm about to go under the gun as we'll need to deploy this appliance in the next few months and I'm still having trouble with URL filtering. All the suggestions have been duely noted and continue to help me understand the complexity's of this contraption. Unfortuantely I'm still stuck.
To simplify things her is a scenario:
I have 3 user accounts. Mark.1, Mark.2, and Mark.3
Mark.1 - Regular account with globally allowed internet access.
Mark.2 - Blocked account with zero internet access.
Mark.3 - Restricted account allowed only to specific URLs.
Specific URLs will just be www.yahoo.com for starters. I can always add to this list afterwards.
For URL filtering to work - how would one go about creating the rule set taking into account the global policy settings, as in what should they be also?
03-07-2012 09:25 PM
>>Mark.1 - Regular account with globally allowed internet access.
For Mark.1 you use global policy
>>Mark.2 - Blocked account with zero internet access.
For Mark.2 you create a quota policy with 0MB quota - not URLF policy
>>Mark.3 - Restricted account allowed only to specific URLs.
For Mark.3 you create a URLF policy with allowed custom category that included only yahoo and all rest is blocked
10-10-2012 02:25 AM
I,m new to this so
We've got the following problem
i have 3 internet usergroups the most of them are Citrix users. These groups are configured on the IWSVA 5.6 true active directorie.
Now we have the problem that is a user is in the policy denied internet access and he logon on a PC and works all day on that pc next user comes in with internet access this user can't go on the internet het gets the policy denied access from the former user of that pc. This is happening on the citrix servers as well.
Is this problem solveable.
Is this problem a known problem or a easy one to fix?
Ron den Held
10-11-2012 12:57 PM
Disable IP user cache -