Hi,

The IWSVA policies working in next behavior - from up to down and from more specific to more global.

In example - the UserA is member of groupB and GroupB can watch the youtube. And all rest groups can't.

So you need place the first policy - for GroupB allow youtube and in global policy block youtube.

And  for each new policy you can set any categories. IWSVA find that user can use youtube (for example) by custom policy and the global policy didn't take place.

Kirill

Hi,

Good Day!

Your custom policies that you created are what we called User Policies since it applies to specific users, in this case to specific AD groups. Global Policy will only apply to all users that are not covered by a User Policy.

In these case, in your User Policies you can allow only the URL categories that you wanted this AD groups to access. You can even allow only the categories that these users are allowed to have access to then block the rest. Global Policy will only take effect if there are no User-based URL Filtering Policy that apply to the user submitting the request. Best practice is put all the User Policies at the top and the Global Policy at the bottom of the list.

Regards

Hi,

Having worked with URL filtering since the earlier versions of IWSS, I think the URL filtering policies are definitely an area that could be improved. Policy management is painful.

The main problem is that policies are not cumulative. For example, we have users in a group for Internet access, which has a policy allowing this. Then we have users who need social networking. This needs a second policy almost identical to the Internet one, with one check box different. Then another policy allowing streaming media, then another group allowing social networking AND streaming media.
The problem is this means we need 4 almost-identical policies with minor changes in each. So if we want to change an unrelated setting (eg allow access to Health sites), we have to go into all 4 policies to change it.

I would prefer a firewall-type approach, where you have a global deny, above this a main Internet policy, and then above this more granular settings specific to smaller groups of users. then the policies could cumulatively build the access a user needs, and provide that once it reads all the policies. Why not have another option like IGNORE for all the other settings in the policy, so it then reads these from the next policy that matches the user.

Lastly, considering the current limitations of having to duplicate all our policies for slightly different user access, you should be able to at least copy a policy when wanting to create a new one, rather than have to start from scratch.

Just my 2 cents,
Grant.

I'm about to go under the gun as we'll need to deploy this appliance in the next few months and I'm still having trouble with URL filtering. All the suggestions have been duely noted and continue to help me understand the complexity's of this contraption. Unfortuantely I'm still stuck.

To simplify things her is a scenario:

I have 3 user accounts. Mark.1, Mark.2, and Mark.3

Mark.1 - Regular account with globally allowed internet access.

Mark.2 - Blocked account with zero internet access.

Mark.3 - Restricted account allowed only to specific URLs.

Specific URLs will just be www.yahoo.com for starters. I can always add to this list afterwards.

For URL filtering to work - how would one go about creating the rule set taking into account the global policy settings, as in what should they be also?

Thanks.

Mark 

Hi,

 

>>Mark.1 - Regular account with globally allowed internet access.

For Mark.1 you use global policy

>>Mark.2 - Blocked account with zero internet access.

For Mark.2 you create a quota policy with 0MB quota - not URLF policy

>>Mark.3 - Restricted account allowed only to specific URLs.

For Mark.3 you create a URLF policy with allowed custom category that included only yahoo and all rest is blocked

 

Kirill

Hi All,

I,m new to this so

We've got the following problem

i have 3 internet usergroups the most of them are Citrix users. These groups are configured on the IWSVA 5.6 true active directorie.

Now we have  the problem that is a user is in the policy denied internet access and he logon on a PC and works all day on that pc  next user comes in with internet access this user can't go on the internet het gets the policy denied access from the former user of that pc. This is happening on the citrix servers as well.

Is this problem solveable.

Is this problem a known problem or a easy one to fix?

Wit Regards,

Ron den Held

Disable IP user cache -

1. Log on to IWSVA as root.
2. Set the following parameter in the /etc/iscan/intscan.ini file:
   
   enable_ip_user_cache=no
    
3. Restart the IWSVA HTTP daemon using the following commands:
   
   /usr/iwss/S99ISproxy stop
   /usr/iwss/S99ISproxy start

Kirill

Is this a workaround and is Trend working on a fix for this?

Ron