Skip to content


Reply
Stone Talent
MNewton
Posts: 61
Registered: ‎04-12-2011
Accepted Solution

IWSVA - URL Filtering policies

Hey everyone,

I'm having trouble with a couple url policies. I'm brand new and still playing but this is what I get so far. I've modified the Global Policy so it's set to block "Computers/Communication/Email Related" and "Social/Social Networking" and 2 new policies that allow access related to specific AD groups. In my 2 additional policies what do I set the other categories to or do I leave them at allow. I'm trying figure out what needs to be allowed or blocked in the policies higher up the ladder.

 

I'm thinking my Global Policy will contain all the blocks that we block ie. email/youtube/facebook etc. Then I create separate policies that allow access. I'm just not sure how to set all the categories in each new policy.

 

Any help would be greatly appreciated.

Thanks.

Please use plain text.
Affiliate
kirill
Posts: 458
Registered: ‎12-14-2009

Re: IWSVA - URL Filtering policies

Hi,

The IWSVA policies working in next behavior - from up to down and from more specific to more global.

In example - the UserA is member of groupB and GroupB can watch the youtube. And all rest groups can't.

So you need place the first policy - for GroupB allow youtube and in global policy block youtube.

And  for each new policy you can set any categories. IWSVA find that user can use youtube (for example) by custom policy and the global policy didn't take place.

 

Kirill


I am a Trend Micro Affiliate Emeritus. My comments and advice come from my personal knowledge and experience. I’m happy to volunteer what I can to help others have a great Trend Micro experience. Now posting as KirillGelfand.
Please use plain text.
Trend Micro Employee
blue
Posts: 2
Registered: ‎04-25-2011

Re: IWSVA - URL Filtering policies

Hi,

 

Good Day!

 

Your custom policies that you created are what we called User Policies since it applies to specific users, in this case to specific AD groups. Global Policy will only apply to all users that are not covered by a User Policy.


In these case, in your User Policies you can allow only the URL categories that you wanted this AD groups to access. You can even allow only the categories that these users are allowed to have access to then block the rest. Global Policy will only take effect if there are no User-based URL Filtering Policy that apply to the user submitting the request. Best practice is put all the User Policies at the top and the Global Policy at the bottom of the list.

 

Regards

 

 


I am a Trend Micro employee. My comments and advice come from my personal knowledge and experience. I’m happy to volunteer what I can to help others have a great Trend Micro experience.
Please use plain text.
Stone Emissary
gap1
Posts: 5
Registered: ‎01-05-2011

Re: IWSVA - URL Filtering policies

[ Edited ]

Hi,

Having worked with URL filtering since the earlier versions of IWSS, I think the URL filtering policies are definitely an area that could be improved. Policy management is painful.

The main problem is that policies are not cumulative. For example, we have users in a group for Internet access, which has a policy allowing this. Then we have users who need social networking. This needs a second policy almost identical to the Internet one, with one check box different. Then another policy allowing streaming media, then another group allowing social networking AND streaming media.
The problem is this means we need 4 almost-identical policies with minor changes in each. So if we want to change an unrelated setting (eg allow access to Health sites), we have to go into all 4 policies to change it.

I would prefer a firewall-type approach, where you have a global deny, above this a main Internet policy, and then above this more granular settings specific to smaller groups of users. then the policies could cumulatively build the access a user needs, and provide that once it reads all the policies. Why not have another option like IGNORE for all the other settings in the policy, so it then reads these from the next policy that matches the user.

Lastly, considering the current limitations of having to duplicate all our policies for slightly different user access, you should be able to at least copy a policy when wanting to create a new one, rather than have to start from scratch.

Just my 2 cents,
Grant.

Please use plain text.
Stone Talent
MNewton
Posts: 61
Registered: ‎04-12-2011

Re: IWSVA - URL Filtering policies

I'm about to go under the gun as we'll need to deploy this appliance in the next few months and I'm still having trouble with URL filtering. All the suggestions have been duely noted and continue to help me understand the complexity's of this contraption. Unfortuantely I'm still stuck.

 

To simplify things her is a scenario:

I have 3 user accounts. Mark.1, Mark.2, and Mark.3

 

Mark.1 - Regular account with globally allowed internet access.

Mark.2 - Blocked account with zero internet access.

Mark.3 - Restricted account allowed only to specific URLs.

 

Specific URLs will just be www.yahoo.com for starters. I can always add to this list afterwards.

 

For URL filtering to work - how would one go about creating the rule set taking into account the global policy settings, as in what should they be also?

 

Thanks.

Mark 

Please use plain text.
Affiliate
kirill
Posts: 458
Registered: ‎12-14-2009

Re: IWSVA - URL Filtering policies

Hi,

 

>>Mark.1 - Regular account with globally allowed internet access.

For Mark.1 you use global policy

>>Mark.2 - Blocked account with zero internet access.

For Mark.2 you create a quota policy with 0MB quota - not URLF policy

>>Mark.3 - Restricted account allowed only to specific URLs.

For Mark.3 you create a URLF policy with allowed custom category that included only yahoo and all rest is blocked

 

Kirill

 


I am a Trend Micro Affiliate Emeritus. My comments and advice come from my personal knowledge and experience. I’m happy to volunteer what I can to help others have a great Trend Micro experience. Now posting as KirillGelfand.
Please use plain text.
Stone Esquire
tnlrdh
Posts: 3
Registered: ‎10-10-2012

Re: IWSVA - URL Filtering policies

Hi All,

 

I,m new to this so

 

We've got the following problem

i have 3 internet usergroups the most of them are Citrix users. These groups are configured on the IWSVA 5.6 true active directorie.

Now we have  the problem that is a user is in the policy denied internet access and he logon on a PC and works all day on that pc  next user comes in with internet access this user can't go on the internet het gets the policy denied access from the former user of that pc. This is happening on the citrix servers as well.

Is this problem solveable.

Is this problem a known problem or a easy one to fix?

 

 

Wit Regards,

 

Ron den Held

 

 

Please use plain text.
Affiliate
kirill
Posts: 458
Registered: ‎12-14-2009

Re: IWSVA - URL Filtering policies

Disable IP user cache -

  1. Log on to IWSVA as root.
  2. Set the following parameter in the /etc/iscan/intscan.ini file:

    enable_ip_user_cache=no
     
  3. Restart the IWSVA HTTP daemon using the following commands:

    /usr/iwss/S99ISproxy stop
    /usr/iwss/S99ISproxy start

Kirill


I am a Trend Micro Affiliate Emeritus. My comments and advice come from my personal knowledge and experience. I’m happy to volunteer what I can to help others have a great Trend Micro experience. Now posting as KirillGelfand.
Please use plain text.
Stone Esquire
tnlrdh
Posts: 3
Registered: ‎10-10-2012

Re: IWSVA - URL Filtering policies

Is this a workaround and is Trend working on a fix for this?

 

 

Ron

Please use plain text.