Configure WebBlocker Policies for Groups with Active Directory Authentication

To allow different levels of access to websites for different groups of users, you must first set up user authentication. You can then configure different WebBlocker settings for each group of users. At a high level, the steps are:

  • Enable and configure Active Directory authentication.
  • Define the user groups to match the user group names on your Active Directory server.
  • Add policies for each user group. The policy includes WebBlocker configuration settings for that group.
  • Remove or modify the default Outgoing policy.
  • Configure authentication settings to automatically redirect users to the WatchGuard authentication page.
  • (Optional) Configure Single Sign-On (SSO).

Example Scenario

To show how to set up this configuration, we use a school that wants to set different levels of web access for three groups:

  • Students (more restricted access)
  • Teachers (less restricted access)
  • IT (unrestricted access)

Configure User Authentication

Before you configure WebBlocker settings, you must set up user authentication. You can use any authentication method, such as Active Directory, local authentication, RADIUS, or LDAP. For more information about the supported authentication methods, see Authentication Server Types. In this example, we assume the school wants to use Active Directory authentication with Single Sign-On.

Enable Active Directory Authentication

You can use an Active Directory authentication server so that users can authenticate to your Firebox with their current network credentials. Before you configure your device to use Active Directory authentication, make sure your users can successfully authenticate to the Active Directory server.

For this example, we use Policy Manager to configure the device to use the school's Active Directory server at the IP address 10.0.1.100.

  1. Click the Authentication Servers icon.
    Or, select Setup > Authentication > Authentication Servers.
    The Authentication Servers dialog box appears.
  2. Select the Active Directory tab.
    The Active Directory settings appear.
  3. Click Add.
    The Add Active Directory settings appear.

Authentication Servers dialog box - Active Directory tab

  4. In the Domain Name text box, type the domain name to use for this Active Directory server.
  5. Click Add.
    The Add IP/DNS Name dialog box appears.
  6. From the Choose Type drop-down list, select IP Address.
  7. In the Value text box, type the IP address of the primary Active Directory server.
    For this example, type 10.0.1.100.

The Active Directory server can be located on any Firebox interface. You can also configure the device to use an Active Directory server available through a VPN tunnel.

  8. In the Port text box, type or select the TCP port number used to connect to the Active Directory server. The default port number is 389.

If your Active Directory server is a global catalog server, it can be useful to change the default port. For more information, see Change the Default Port for the Active Directory Server.

  9. Click OK.
    The IP address or DNS name you added appears in the Add Active Directory Domain dialog box.
  10. In the Search Base text box, type the location in the directory to begin the search.

The standard format for the search base setting is: ou=<name of organizational unit>,dc=<first part of the distinguished server name>,dc=<any part of the distinguished server name that appears after the dot>.

You set a search base to put limits on the directories on the authentication server the Firebox uses to search for an authentication match. We recommend that you set the search base to the root of the domain. This enables you to find all users and all groups to which those users belong.

For this example, the root domain name in the Active Directory database is example.com, so for the Search Base, we type dc=example,dc=com.

For more information about how to find your search base on the Active Directory server, see Find Your Active Directory Search Base.

  11. In the Group String text box, type the attribute string that is used to hold user group information on the Active Directory server. If you have not changed your Active Directory schema, the group string is always memberOf.
  12. In the DN of Searching User text box, type the distinguished name (DN) for a search operation.

It is not necessary to enter anything in this text box if you keep the default login attribute of sAMAccountName. If you change the login attribute, you must add a value in the DN of Searching User field to your configuration. You can use any user DN with the privilege to search LDAP/Active Directory, such as Administrator. However, a less privileged account that has only the privilege to search is usually sufficient.

  13. In the Password of Searching User field, type the password associated with the distinguished name for a search operation.
  14. In the Login Attribute text box, type an Active Directory login attribute to use for authentication.

The login attribute is the name used to connect to the Active Directory database. The default login attribute is sAMAccountName. If you use sAMAccountName, you can leave the DN of Searching User field and the Password of Searching User empty.

  15. Click the Dead Time up or down arrow to set the time after which an inactive server is marked as active again. Select minutes or hours from the adjacent drop-down list to set the unit for the duration.

After an authentication server has not responded for a period of time, it is marked as inactive. Subsequent authentication attempts do not use this server until it is marked as active again.

  16. Click OK.
  17. Save the Configuration File.

Define the Authorized Users and Groups

Before you can use the Active Directory groups in policies, you must use Policy Manager to define the groups in the Firebox configuration. The group names you add must match the groups on your Active Directory server.

  1. Select Setup > Authentication > Authorized Users/Groups.
    The Authorized Users and Groups dialog box appears.
  2. Click Add.
    The Define New Authorized User or Group dialog box appears.

Screen shot of the Define New Authorized User or Group dialog box

  3. In the Name text box, type the name of the group on the Active Directory server.
    For this example, the students are in the Active Directory group called Students, so we type Students.
  4. (Optional) In the Description text box, type a description of the group.
  5. Make sure that the Type is set to Group.
  6. From the Auth Server drop-down list, select Active Directory.

Repeat these steps to create groups for Teachers and IT.
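An added example, not part of WatchGuard's documentation or software: a small offline Python check of the Active Directory values configured above. It derives the Search Base from the domain name (dc=example,dc=com), reads the memberOf group string from a constructed user entry, and reports which of the authorized groups defined on the Firebox match that user, so a group-name mismatch between Policy Manager and the directory is caught before a user ends up in no policy. The sample user entry, the DN-splitting logic and the case-mismatch check are assumptions of the example, not Firebox behaviour.

```python
def search_base_from_domain(domain: str) -> str:
    """'example.com' -> 'dc=example,dc=com': the root of the domain, the recommended Search Base."""
    labels = [p for p in domain.strip().lower().split(".") if p]
    if not labels:
        raise ValueError("domain name must not be empty")
    return ",".join(f"dc={label}" for label in labels)

def split_dn(dn: str) -> list[str]:
    """Split a DN into RDNs, honoring backslash-escaped commas (e.g. 'CN=Lab\\, Room 3')."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append(buf.strip()); buf = ""
        else:
            buf += ch
        escaped = (ch == "\\" and not escaped)
    parts.append(buf.strip())
    return [p for p in parts if p]

def group_cn(group_dn: str) -> str:
    """Return the group name (CN) from one value of the memberOf attribute."""
    attr, _, value = split_dn(group_dn)[0].partition("=")
    if attr.strip().lower() != "cn":
        raise ValueError(f"memberOf value does not start with CN=: {group_dn}")
    return value.replace("\\,", ",").strip()

def firebox_groups_for_user(entry: dict[str, list[str]], authorized: list[str],
                            group_string: str = "memberOf") -> list[str]:
    """Firebox authorized groups whose names exactly match the user's AD groups."""
    wanted = set(authorized)
    return sorted(cn for cn in map(group_cn, entry.get(group_string, [])) if cn in wanted)

def case_mismatches(entry: dict[str, list[str]], authorized: list[str]) -> list[str]:
    """Authorized group names that differ from the AD group only in case (a likely typo)."""
    cns = {cn.lower(): cn for cn in map(group_cn, entry.get("memberOf", []))}
    return sorted(g for g in authorized if g.lower() in cns and cns[g.lower()] != g)

# Constructed sample: one user entry as an LDAP search on sAMAccountName would return it.
SAMPLE_USER = {
    "sAMAccountName": ["jdoe"],
    "memberOf": [
        "CN=Students,OU=Groups,DC=example,DC=com",
        "CN=Domain Users,CN=Users,DC=example,DC=com",
        "CN=Lab\\, Room 3,OU=Groups,DC=example,DC=com",
    ],
}
AUTHORIZED_GROUPS = ["Students", "Teachers", "IT"]   # groups defined on the Firebox
```

Running firebox_groups_for_user(SAMPLE_USER, AUTHORIZED_GROUPS) returns ["Students"]; a Firebox group defined as "students" would return nothing and shows up in case_mismatches instead.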

Create an HTTP-proxy Policy for the Students

The Firebox uses two categories of policies to filter network traffic: packet filters and proxies.

Packet filter policy

A packet filter examines each packet's IP and TCP/UDP header. If the packet header information is permitted by the packet filter settings, then the Firebox allows the packet. Otherwise, the Firebox drops the packet.

Proxy policy

A proxy examines both the header information and the content of each packet. If the packet header information and the content of the packet are allowed by the proxy settings, then the Firebox allows the packet. Otherwise, the Firebox drops the packet.

To block access to categories of websites for a group of users, you must use Policy Manager to create an HTTP proxy policy for those users, and define a WebBlocker action for that policy. The HTTP proxy can then inspect the content and allow or deny the users access to a website based on the WebBlocker categories configured for that policy.

  1. Select Edit > Add Policies.
    The Add Policies dialog box appears.
  2. Expand the Proxies folder and select HTTP-proxy. Click Add.
    The New Policy Properties dialog box appears.

Screen shot of the New Policy Properties dialog box

  3. Change the name of the proxy policy to describe the group it applies to.
    In this example, we call the proxy policy HTTP-proxy-Students.
  4. On the Policy tab, in the From section, click Any-Trusted. Then, click Remove.
  5. In the From section, click Add to add the user group for this policy.
    The Add Address dialog box appears.
  6. Click Add User. Select Firewall and Group from the drop-down lists.
    The Add Authorized Users or Groups dialog box appears.

Screen shot of the Add Authorized Users or Groups dialog box

  7. Select the Students group. Click Select, then click OK.
    The New Policy Properties dialog box appears with the group Students in the From section of the policy.

Screen shot of the New Policy Properties dialog box

  8. Click the View/Edit Proxy icon.
    The HTTP Proxy Action Configuration dialog box appears.

Screen shot of the HTTP Proxy Action Configuration dialog box

  9. From the categories list, select WebBlocker.
    The WebBlocker configuration appears.
  10. Adjacent to the WebBlocker drop-down list, click the New/Clone icon.
    The New WebBlocker Configuration dialog box appears.

Screen shot of the New WebBlocker Configuration dialog box

  11. In the Name text box, type a name for this WebBlocker configuration.
    For this example, give this configuration the name Students.
  12. On the Servers tab, select Use the Websense cloud for WebBlocker lookups.
  13. Select the Categories tab to show the categories of content that can be blocked.
  14. Select the check box for each content category that you want to block for users in the Students group.

Create an HTTP-proxy Policy for the Teachers

From Policy Manager, repeat the same steps to set up a different policy for the Teachers group.

  1. Select Edit > Add Policies.
    The Add Policies dialog box appears.
  2. Expand the Proxies folder and select HTTP-proxy. Click Add.
    The New Policy Properties dialog box appears.

New Policy Properties dialog box

  3. Change the name of the proxy policy to describe the group it applies to.
    In this example, we call the proxy policy HTTP-proxy-Teachers.
  4. On the Policy tab, in the From section, click Any-Trusted. Then click Remove to remove it.
  5. In the From section, click Add to add the user group for this policy.
    For this example, add the group Teachers.
  6. Click Add User. Select Firewall and Group from the drop-down lists.
    The Add Authorized Users or Groups dialog box appears.

Add Authorized Users or Groups dialog box

  7. Select the Teachers group. Click Select, then click OK.
    The New Policy Properties dialog box appears with the group Teachers in the From section of the policy.

Screen shot of the New Policy Properties dialog box for the HTTP-proxy-Teachers policy

  8. Click the View/Edit Proxy icon.
    The HTTP Proxy Action Configuration dialog box appears.
  9. From the categories list, select WebBlocker.
    The WebBlocker configuration appears.
  10. Adjacent to the WebBlocker drop-down list, click the New/Clone icon.
    The New WebBlocker Configuration dialog box appears.
  11. In the Name text box, type a name for this WebBlocker configuration.
    In this example, we use the name Teachers.
  12. On the Servers tab, select Use the Websense cloud for WebBlocker lookups.
  13. Select the Categories tab to see the categories of content that can be blocked.

Screen shot of the New WebBlocker Configuration dialog box

  14. Select the check box for each content category that you want to block for users in the Teachers group.
  15. Click OK.

Create an HTTP Packet Filter Policy for the IT Group

The IT team needs unrestricted access to the Internet. Because we do not need a policy to inspect the content of HTTP packets for these users, we use Policy Manager to create an HTTP packet filter policy instead of an HTTP proxy policy.

  1. Select Edit > Add Policies.
    The Add Policies dialog box appears.
  2. Expand the Packet Filters folder and select HTTP. Click Add.
    The New Policy Properties dialog box appears.

New Policy Properties dialog box

  3. Change the name of the packet filter policy to describe the group it applies to.
    In this example, we call the policy HTTP-IT.
  4. On the Policy tab, in the From list, select Any-Trusted. Then click Remove to remove it.
  5. In the From section, click Add to add the user group for this policy.
    For this example, add the group IT.
  6. Click Add User. Select Firewall and Group from the drop-down lists.
    The Add Authorized Users or Groups dialog box appears.

Add Authorized Users or Groups dialog box

  7. Select the IT group. Click Select, then click OK.
    The New Policy Properties dialog box appears with the group IT in the From section of the policy.
  8. Click OK.

Members of the IT group are no longer affected by WebBlocker restrictions.

Remove or Modify the Outgoing Policy

After you configure your HTTP proxy to add a WebBlocker profile, you must make sure that the default Outgoing policy does not allow network clients to visit websites without user authentication. To make sure your network clients must authenticate before they can browse the Internet, you can use Policy Manager to either remove the Outgoing policy and add any other outgoing network policies you need, or you can edit the Outgoing policy to add your WebBlocker authentication user groups. Both options are explained below.

Option 1: Remove the Outgoing Policy and Add Other Outgoing Network Policies

This is the option we recommend if you want increased control over outbound network access. You must know what ports and protocols are necessary to meet the needs of your organization.

First, remove the Outgoing policy:

  1. Select the Outgoing policy.
  2. Select Edit > Delete Policy.
  3. Click Yes to confirm.

Then, add a DNS packet filter policy to allow outbound DNS queries:

  1. Select Edit > Add Policies.
    The Add Policies dialog box appears.
  2. Expand the Packet Filters folder and select DNS. Click Add.
    The New Policy Properties dialog box appears.
  3. Add all of your internal networks to the From section of the policy.
  4. Click OK to save the policy.

Finally, add other custom policies:

Add custom policies for any other necessary outgoing traffic. Examples of other custom policies you may want to add include:

  • UDP
  • SMTP (if you have a mail server)

For information about how to add a custom policy, see About Custom Policies.

Option 2: Add Your User Authentication Groups to the Outgoing Policy

If you are not sure what other outgoing ports and protocols are necessary for your business, or if you are comfortable with the same level of outbound control you have when you use the default configuration, you can use Policy Manager to modify the Outgoing policy to add your authentication groups.

  1. Double-click the Outgoing policy.
    The Edit Policy Properties dialog box appears.
  2. In the From list, select Any-Trusted. Click Remove.
  3. In the From list, select Any-Optional. Click Remove.
  4. In the From section, click Add.
    The Add Address dialog box appears.
  5. Click Add User. Select Firewall and Group from the drop-down lists.
    The Add Authorized Users or Groups dialog box appears.

Add Authorized Users or Groups dialog box

  6. Select all of the user authentication groups you created. Then click Select.
  7. Click OK.
    The Edit Policy Properties dialog box appears for the Outgoing policy. The selected groups appear in the From section of the policy.

Edit Policy Properties dialog box - Outgoing policy
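As an added example (not WatchGuard code), the following Python models a policy list in the shape this section describes and checks the two points made above: that no enabled policy still allows web traffic from the Any-Trusted or Any-Optional aliases, and that outbound DNS is still allowed once the Outgoing policy is removed under Option 1. The Policy data shape, the port shorthand such as TCP/80, and the "Group:<name>" source notation are constructed for the example.

```python
from dataclasses import dataclass

# Network aliases this section removes from the Outgoing policy: traffic that
# matches them is not tied to an authenticated user.
UNAUTHENTICATED_ALIASES = {"Any-Trusted", "Any-Optional"}
WEB_PORTS = {"TCP/80", "TCP/443"}   # constructed shorthand for HTTP and HTTPS
DNS_PORTS = {"UDP/53", "TCP/53"}

@dataclass
class Policy:
    name: str
    ports: list[str]    # ["ANY"] models the default Outgoing policy
    sources: list[str]  # aliases, networks, or "Group:<name>" for a Firebox group (constructed)
    enabled: bool = True

def covers(policy: Policy, wanted: set[str]) -> bool:
    """True if an enabled policy allows at least one of the wanted ports."""
    return policy.enabled and ("ANY" in policy.ports or bool(wanted & set(policy.ports)))

def unauthenticated_web_policies(policies: list[Policy]) -> list[str]:
    """Policies that still let an unauthenticated alias browse the web."""
    return [p.name for p in policies
            if covers(p, WEB_PORTS) and UNAUTHENTICATED_ALIASES & set(p.sources)]

def audit(policies: list[Policy]) -> list[str]:
    """Findings to review before the configuration file is saved."""
    findings = [f"{name}: allows web access without authentication"
                for name in unauthenticated_web_policies(policies)]
    if not any(covers(p, DNS_PORTS) for p in policies):
        findings.append("no policy allows outbound DNS; clients cannot resolve names")
    return findings

# Constructed policy sets: the three group policies from this page, the default
# Outgoing policy, and the result of Option 1 and Option 2.
GROUP_POLICIES = [
    Policy("HTTP-proxy-Students", ["TCP/80"], ["Group:Students"]),
    Policy("HTTP-proxy-Teachers", ["TCP/80"], ["Group:Teachers"]),
    Policy("HTTP-IT", ["TCP/80"], ["Group:IT"]),
]
BEFORE = GROUP_POLICIES + [Policy("Outgoing", ["ANY"], ["Any-Trusted", "Any-Optional"])]
OPTION_1 = GROUP_POLICIES + [Policy("DNS", ["UDP/53", "TCP/53"], ["10.0.1.0/24"])]
OPTION_2 = GROUP_POLICIES + [
    Policy("Outgoing", ["ANY"], ["Group:Students", "Group:Teachers", "Group:IT"])]

if __name__ == "__main__":
    for label, pols in (("default Outgoing", BEFORE), ("Option 1", OPTION_1), ("Option 2", OPTION_2)):
        print(f"{label}: {audit(pols) or ['no findings']}")
```

With the default Outgoing policy still present the audit flags it; after either Option 1 (with its DNS packet filter) or Option 2 it reports nothing, and a policy set that removed Outgoing but forgot the DNS policy is flagged for that instead.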

Automatically Redirect Users to the Login Portal

From Policy Manager, you can configure the global authentication settings to automatically send users who have not yet authenticated to the authentication login portal when they try to get access to the Internet.

  1. Select Setup > Authentication > Authentication Settings.
    The Authentication Settings dialog box opens.
  2. Select the Auto redirect users to authentication page for authentication check box.

WebBlocker is now configured to use different policies for different groups of authenticated users, and automatically redirects unauthenticated users to an authentication page.

Configure Single Sign-On (SSO)

When users log on to computers on your network, they must give a user name and password. If you use Active Directory authentication on your Firebox to restrict outgoing network traffic to specified users or groups, they must also log on again when they manually authenticate to the device to access network resources such as the Internet. You can use Single Sign-On (SSO) to have users on the trusted or optional networks automatically authenticate to the Firebox when they log on to their computers.

To use SSO, you must install the SSO agent software on a computer in your domain. For an environment such as a school, where more than one person uses the same computer, we recommend that you install the SSO client software on each computer.

For more information about Single Sign-On, see About Active Directory Single Sign-On (SSO).

See also

Use WebBlocker Actions in Proxy Definitions

About the HTTP-Proxy

Set Global Firewall Authentication Values
