Configure WebBlocker Actions for Groups with Active Directory Authentication

To allow different levels of access to websites for different groups of users, you must first set up user authentication. You can then configure different WebBlocker settings for each group of users. At a high level, the steps are:

  • Enable and configure Active Directory authentication.
  • Define the user groups to match the user group names on your Active Directory server.
  • Add policies for each user group. Each policy includes the WebBlocker action to use for that group.
  • Remove or modify the default Outgoing policy.
  • Configure authentication settings to automatically redirect users to the WatchGuard authentication page.
  • (Optional) Configure Single Sign-On (SSO).

Example Scenario

To show how to set up this configuration, we use a school that wants to set different levels of web access for three groups:

  • Students (more restricted access)
  • Teachers (less restricted access)
  • IT (unrestricted access)

Configure User Authentication

Before you configure WebBlocker settings, you must set up user authentication. You can use any authentication method, such as Active Directory, local authentication, RADIUS, or LDAP. For more information about the supported authentication methods, see Authentication Server Types. In this example, we assume the school wants to use Active Directory authentication with Single Sign-On.

Enable Active Directory Authentication

You can use an Active Directory authentication server so that users can authenticate to your Firebox with their current network credentials. Before you configure your device to use Active Directory authentication, make sure your users can successfully authenticate to the Active Directory server.

For this example, we use Policy Manager to configure the device to use the school's Active Directory server at the IP address 10.0.1.100.

  1. Click the Authentication Servers icon.
    Or, select Setup > Authentication > Authentication Servers.
    The Authentication Servers dialog box appears.
  2. Select the Active Directory tab.
    The Active Directory settings appear.
  3. Click Add.
    In Fireware v12.3 or higher, the Active Directory wizard appears.
  4. To use the wizard to configure the Active Directory settings, click Next.
  5. In the Domain Name text box, type the domain name to use for this Active Directory server.

Screen shot of the domain name settings in the Active Directory wizard

  6. Click Next.
  7. In the Server Address text box, type the IP address or DNS name of the primary Active Directory server.
    For this example, type 10.0.1.100.
    The Active Directory server can be located on any Firebox interface. You can also configure the device to use an Active Directory server available through a VPN tunnel.
  8. Click Next.
  9. Click Edit the Active Directory domain settings.
  10. Click Finish.
    The Edit Active Directory Domain Settings dialog box appears.
  11. In the Port text box, type or select the TCP port number used to connect to the Active Directory server. The default port number is 389.
    If your Active Directory server is a global catalog server, it can be useful to change the default port. For more information, see Change the Default Port for the Active Directory Server.
    Port 389 is plain LDAP: the searching user's bind credentials and the passwords of the users the Firebox authenticates cross the network unencrypted. If your server and Fireware version support LDAP over TLS, use it; otherwise make sure the path between the Firebox and the Active Directory server does not cross an untrusted network.
  12. In the Timeout text box, type a value in seconds.
  13. Click the Dead Time up or down arrow to set a time after which an inactive server is marked as active again. Select minutes or hours from the adjacent drop-down list to set the duration.
    After an authentication server has not responded for a period of time, it is marked as inactive. Additional authentication attempts do not use this server until it is marked as active again.
  14. In the Search Base text box, type the location in the directory to begin the search.

The standard format for the search base setting is: ou=<name of organizational unit>,dc=<first label of the domain name>,dc=<each following label of the domain name, one dc= component per label after a dot>.

You set a search base to put limits on the directories on the authentication server the Firebox uses to search for an authentication match. We recommend that you set the search base to the root of the domain. This enables you to find all users and all groups to which those users belong.

For this example, the root domain name in the Active Directory database is example.com, so for the Search Base, we type dc=example,dc=com.

For more information about how to find your search base on the Active Directory server, see Find Your Active Directory Search Base.

  15. In the Group String text box, type the attribute string that is used to hold user group information on the Active Directory server. If you have not changed your Active Directory schema, the group string is always tokenGroups.
  16. In the Login Attribute text box, type an Active Directory login attribute to use for authentication.
    The login attribute is the name used to connect to the Active Directory database. The default login attribute is sAMAccountName. If you use sAMAccountName, you can leave the DN of Searching User field and the Password of Searching User empty.
  17. In the DN of Searching User text box, type the distinguished name (DN) for a search operation.

It is not necessary to enter anything in this text box if you keep the login attribute of sAMAccountName. If you change the login attribute, you must add a value in the DN of Searching User field to your configuration. Any user DN with the privilege to search LDAP/Active Directory works, including Administrator, but do not use a privileged account here: a dedicated account with read-only search rights is sufficient, and it limits what an attacker gains if this password is ever exposed.

  18. In the Password of Searching User text box, type the password associated with the distinguished name for a search operation.

Authentication Servers dialog box - Active Directory tab

  19. Click OK.
  20. Save the Configuration File.
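The values the wizard asks for (search base, login attribute, group string) are easy to get subtly wrong, and tokenGroups in particular returns binary SIDs rather than group names. The following script is an added example, not WatchGuard code and not something the page provides: it derives the root-of-domain search base from a DNS name, shows why a user name placed in an LDAP filter must be escaped, decodes binary SIDs of the kind tokenGroups returns, and maps the resolved names onto the groups defined on the Firebox. It uses only the Python standard library; the domain SID, group names and tokenGroups contents are constructed for illustration, and the filter shape and the exact-string group match are assumptions, since the page does not document Fireware's internal query.

```python
"""Offline checks for the Active Directory values the Firebox asks for.

Added example, not part of the WatchGuard page or product. Standard library only.
The sample domain, SIDs and group names below are constructed for illustration.
"""
import struct


def search_base_for_domain(dns_domain: str) -> str:
    """Turn a DNS domain name into the root-of-domain search base.

    example.com -> dc=example,dc=com   (what the page types for the school)
    """
    labels = [label for label in dns_domain.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


# RFC 4515 escapes: characters that would otherwise change a filter's meaning.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_filter(login_attribute: str, username: str) -> str:
    """A conventional search for the Login Attribute setting (assumed shape;
    Fireware's own query is not documented on the page). Shows why the user
    name must be escaped before it goes into the filter."""
    return f"(&(objectClass=user)({login_attribute}={escape_filter_value(username)}))"


def sid_to_string(blob: bytes) -> str:
    """Decode a binary SID, the form tokenGroups returns, to S-1-... notation."""
    if len(blob) < 8 or blob[0] != 1:
        raise ValueError("not a revision-1 SID")
    sub_count = blob[1]
    if len(blob) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack(f"<{sub_count}I", blob[8:])      # 32-bit, little-endian
    return "-".join(["S", "1", str(authority), *map(str, subs)])


def sid_from_string(text: str) -> bytes:
    """Inverse of sid_to_string, used here only to build sample data."""
    parts = text.split("-")
    if parts[:2] != ["S", "1"]:
        raise ValueError("not a revision-1 SID string")
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)


def firebox_groups_for_user(token_groups, sid_to_name, configured_groups):
    """Resolve tokenGroups SIDs to names and keep those defined on the Firebox.

    tokenGroups lists only SIDs, so names must be resolved from the directory.
    The Firebox group name must match the Active Directory group name; an
    exact string match is assumed here.
    """
    names = {sid_to_name[s] for s in token_groups if s in sid_to_name}
    return sorted(g for g in configured_groups if g in names)


# Constructed sample: a student whose tokenGroups hold two SIDs.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_DIRECTORY = {
    DOMAIN_SID + "-513": "Domain Users",
    DOMAIN_SID + "-1101": "Students",
    DOMAIN_SID + "-1102": "Teachers",
    DOMAIN_SID + "-1103": "IT",
}
SAMPLE_TOKEN_GROUPS = [sid_from_string(DOMAIN_SID + "-513"), sid_from_string(DOMAIN_SID + "-1101")]
FIREBOX_GROUPS = ["Students", "Teachers", "IT"]


def sample_student_groups():
    names = [sid_to_string(blob) for blob in SAMPLE_TOKEN_GROUPS]
    return firebox_groups_for_user(names, SAMPLE_DIRECTORY, FIREBOX_GROUPS)


if __name__ == "__main__":
    print(search_base_for_domain("example.com"))
    print(login_filter("sAMAccountName", "j*doe"))
    print(sample_student_groups())
```

Against a real domain you would feed sid_to_string the raw tokenGroups values returned by an LDAP client bound as the searching user, and resolve each SID to a name with a second lookup on objectSid; if the resolved names do not include the group exactly as you typed it in Users and Groups, that user will not match the policy.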

Define the Users and Groups

Before you can use the Active Directory groups in policies, you must define the groups in the Firebox configuration from Policy Manager. The group names you add must match the groups on your Active Directory server.

If a user is already logged in when you add a new group to the Firebox configuration, the user is not associated with that group by the Firebox until the next time the user logs in to the Firebox.

  1. Select Setup > Authentication > Users and Groups.
    The Users and Groups dialog box appears.
  2. Click Add.
    The Add User or Group dialog box appears.

Screen shot of the Define New Authorized User or Group dialog box

  3. In the Name text box, type the name of the group on the Active Directory Server.
    For this example, the students are in the Students Active Directory group, so we type Students.
  4. (Optional) In the Description text box, type a description of the group.
  5. Make sure that the Type is set to Group.
  6. From the Auth Server drop-down list, select Active Directory.
  7. Click OK.

Repeat these steps to create groups for Teachers and IT.

Create an HTTP-proxy Policy for the Students

The Firebox uses two categories of policies to filter network traffic: packet filters and proxies.

Packet filter policy

A packet filter examines each packet's IP and TCP/UDP header. If the packet header information is permitted by the packet filter settings, then the Firebox allows the packet. Otherwise, the Firebox drops the packet.

Proxy policy

A proxy examines both the header information and the content of each packet. If the packet header information and the content of the packet is allowed by the proxy settings, then the Firebox allows the packet. Otherwise, the Firebox drops the packet.

To deny access to categories of websites for a group of users, you must use Policy Manager to create an HTTP proxy policy for those users, and define a WebBlocker action for that policy. The HTTP proxy can then inspect the content and allow or deny the users access to a website based on the WebBlocker action configured for that policy.

  1. Select Edit > Add Policies.
    The Add Policies dialog box appears.
  2. Expand the Proxies folder and select HTTP-proxy. Click Add.
    The New Policy Properties dialog box appears.

Screen shot of the New Policy Properties dialog box

  3. Change the name of the proxy policy to describe the group it applies to.
    For this example, we name the proxy policy HTTP-proxy-Students.
  4. On the Policy tab, in the From section, click Any-Trusted. Click Remove.
  5. In the From section, click Add to add the user group for this policy.
    The Add Address dialog box appears.
  6. Click Add User. Select Firewall and Group from the drop-down lists.
    The Add Users or Groups dialog box appears.

Screen shot of the Add Authorized Users or Groups dialog box

  7. Select the Students group. Click Select. Click OK.
    The New Policy Properties dialog box appears with the group Students in the From section of the policy.

Screen shot of the New Policy Properties dialog box

  8. Click the View/Edit Proxy icon.
    The HTTP Proxy Action Configuration dialog box appears.

Screen shot of the HTTP Proxy Action Configuration dialog box

  9. From the Categories list, select WebBlocker.
    The WebBlocker configuration appears.
  10. Next to the WebBlocker drop-down list, click the New/Clone icon.
    The Clone WebBlocker Action dialog box appears.

Screen shot of the Clone WebBlocker Action dialog box

  11. In the Name text box, type a name for this WebBlocker action.
    For this example, type Students.
  12. On the Categories tab, in the Deny column, select the check box for each content category to deny for users in the Students group.
  13. Click OK.

Create an HTTP-proxy Policy for the Teachers

From Policy Manager, repeat the same steps to set up a different policy for the Teachers group.

  1. Select Edit > Add Policies.
    The Add Policies dialog box appears.
  2. Expand the Proxies folder and select HTTP-proxy. Click Add.
    The New Policy Properties dialog box appears.

New Policy Properties dialog box

  3. Change the name of the proxy policy to describe the group it applies to.
    For this example, we name the proxy policy HTTP-proxy-Teachers.
  4. On the Policy tab, in the From section, click Any-Trusted. Click Remove.
  5. In the From section, click Add to add the user group for this policy.
    The Add Address dialog box appears.
  6. Click Add User. Select Firewall and Group from the drop-down lists.
    The Add Users or Groups dialog box appears.

Add Authorized Users or Groups dialog box

  7. Select the Teachers group. Click Select. Click OK.
    The New Policy Properties dialog box appears with the group Teachers in the From section of the policy.

Screen shot of the New Policy Properties dialog box for the HTTP-proxy-Teachers policy

  8. Click the View/Edit Proxy icon.
    The HTTP Proxy Action Configuration dialog box appears.
  9. From the Categories list, select WebBlocker.
    The WebBlocker configuration appears.
  10. Next to the WebBlocker drop-down list, click the New/Clone icon.
    The Clone WebBlocker Action dialog box appears.
  11. In the Name text box, type a name for this WebBlocker action.
    For this example, type Teachers.

Screen shot of the Clone WebBlocker Action dialog box

  12. On the Categories tab, in the Deny column, select the check box for each content category to deny for users in the Teachers group.
  13. Click OK.

Create an HTTP Packet Filter Policy for the IT Group

The IT team needs unrestricted access to the Internet. Because we do not need a policy to inspect the content of HTTP packets for these users, we use Policy Manager to create an HTTP packet filter policy instead of an HTTP-proxy policy. A packet filter bypasses the proxy entirely, so this group also loses any other content inspection configured in the HTTP-proxy action, not only WebBlocker; keep membership of this group small.

  1. Select Edit > Add Policies.
    The Add Policies dialog box appears.
  2. Expand the Packet Filters folder and select HTTP. Click Add.
    The New Policy Properties dialog box appears.

New Policy Properties dialog box

  3. Change the name of the packet filter policy to describe the group it applies to.
    For this example, we name the policy HTTP-IT.
  4. On the Policy tab, in the From list, select Any-Trusted. Click Remove.
  5. In the From section, click Add to add the user group for this policy.
    The Add Address dialog box appears.
  6. Click Add User. Select Firewall and Group from the drop-down lists.
    The Add Users or Groups dialog box appears.

Add Authorized Users or Groups dialog box

  7. Select the IT group. Click Select. Click OK.
    The New Policy Properties dialog box appears with the group IT in the From section of the policy.
  8. Click OK.

Members of the IT group are no longer affected by WebBlocker restrictions. If a user is a member of more than one of these groups (for example, a teacher who is also in IT), which policy handles that user's traffic depends on policy precedence; after you save the configuration, browse from a test account in each group and confirm in Traffic Monitor that the expected policy name appears in the log messages.

Remove or Modify the Outgoing Policy

After you configure your HTTP proxy to add a WebBlocker profile, you must make sure that the default Outgoing policy does not allow network clients to visit websites without user authentication. The default Outgoing policy allows all TCP and UDP traffic from Any-Trusted and Any-Optional to Any-External, so while it is left unchanged an unauthenticated client can browse without ever matching your group-based proxy policies. To make sure your network clients must authenticate before they can browse the Internet, you can use Policy Manager to either remove the Outgoing policy and add any other outgoing network policies you need, or you can edit the Outgoing policy to add your WebBlocker authentication user groups. Both options are explained below.

Option 1 — Remove the Outgoing Policy and Add Other Outgoing Network Policies

This is the option we recommend if you want increased control over outbound network access. You must know what ports and protocols are necessary to meet the needs of your organization.

First, remove the Outgoing policy:

  1. Select the Outgoing policy.
  2. Select Edit > Delete Policy.
  3. Click Yes to confirm.

Then, add a DNS packet filter policy to allow outbound DNS queries:

  1. Select Edit > Add Policies.
    The Add Policies dialog box appears.
  2. Expand the Packet Filters folder and select DNS. Click Add.
    The New Policy Properties dialog box appears.
  3. Add all of your internal networks to the From section of the policy.
  4. Click OK to save the policy.

Finally, add other custom policies:

Add custom policies for any other necessary outgoing traffic. Examples of other custom policies you may want to add include:

  • UDP
  • SMTP (if you have a mail server)

For information about how to add a custom policy, see About Custom Policies.

Option 2 — Add Your User Authentication Groups to the Outgoing Policy

If you are not sure what other outgoing ports and protocols are necessary for your business, or if you are comfortable with the same level of outbound control you have when you use the default configuration, you can use Policy Manager to modify the Outgoing policy to add your authentication groups.

  1. Double-click the Outgoing policy.
    The Edit Policy Properties dialog box appears.
  2. In the From list, select Any-Trusted. Click Remove.
  3. In the From list, select Any-Optional. Click Remove.
  4. In the From section, click Add.
    The Add Address dialog box appears.
  5. Click Add User. Select Firewall and Group from the drop-down lists.
    The Add Users or Groups dialog box appears.

Add Authorized Users or Groups dialog box

  6. Select all of the user authentication groups you created. Click Select.
  7. Click OK.
    The Edit Policy Properties dialog box appears for the Outgoing policy. The selected groups appear in the From section of the policy.

Edit Policy Properties dialog box - Outgoing policy

Automatically Redirect Users to the Login Portal

From Policy Manager, you can configure the global authentication settings to automatically send users who have not yet authenticated to the authentication login portal when they try to get access to the Internet.

  1. Select Setup > Authentication > Authentication Settings.
    The Authentication Settings dialog box opens.
  2. Select the Auto redirect users to authentication page for authentication check box.

WebBlocker is now configured to use different policies for different groups of authenticated users, and automatically redirects unauthenticated users to an authentication page.
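The quickest way to confirm that the Outgoing change and the auto-redirect setting together actually force authentication is to browse from a client that has not logged in and look at what comes back. The script below is an added example, not WatchGuard code: is_auth_portal_redirect() decides whether a raw HTTP response is a redirect to the Firebox authentication portal (which listens on TCP 4100 by default) and nothing else, and probe() sends a plain HTTP request from the trusted network to obtain such a response. The Firebox address 10.0.1.1 and the target site are assumptions, and the sample responses are constructed rather than captured.

```python
"""Check that a client that has not authenticated is sent to the login portal.

Added example, not WatchGuard code. FIREBOX and TARGET are assumptions; the
sample responses are constructed. parse_redirect() and
is_auth_portal_redirect() work offline; probe() talks to the network.
"""
import socket
from urllib.parse import urlsplit

FIREBOX = "10.0.1.1"        # assumed trusted-interface address of the Firebox
AUTH_PORTAL_PORT = 4100     # default port of the Firebox authentication portal
TARGET = "www.example.com"  # any external site an unauthenticated user might open


def parse_redirect(raw: bytes):
    """Return (status code, Location header or None) from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response")
    location = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            location = value.strip()
    return int(parts[1]), location


def is_auth_portal_redirect(raw: bytes, firebox: str = FIREBOX, port: int = AUTH_PORTAL_PORT) -> bool:
    """True only for a redirect to https://<firebox>:<port>/... A redirect
    anywhere else (for example the site's own HTTPS upgrade) does not count,
    because that would mean the request reached the Internet unauthenticated."""
    status, location = parse_redirect(raw)
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    url = urlsplit(location)
    return url.scheme == "https" and url.hostname == firebox and url.port == port


def probe(target: str = TARGET, timeout: float = 5.0) -> bytes:
    """Send a plain HTTP GET from a client that has not logged in to the Firebox
    and return the raw response. Run this from a machine on the trusted network."""
    request = f"GET / HTTP/1.1\r\nHost: {target}\r\nConnection: close\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((target, 80), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed responses, not captured traffic.
SAMPLE_PORTAL_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://10.0.1.1:4100/\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_SITE_REDIRECT = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://www.example.com/\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_PAGE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"

if __name__ == "__main__":
    response = probe()
    if is_auth_portal_redirect(response):
        print("unauthenticated client is redirected to the portal")
    else:
        print("NOT redirected: check the Outgoing policy and the auto-redirect setting")
```

A 200, or a redirect to the site itself, from a client that has not authenticated means the request went out through a policy that still permits unauthenticated traffic; check the Outgoing policy first, then any other outbound policy whose From list still contains Any-Trusted or Any-Optional.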

Configure Single Sign-On (SSO)

When users log on to computers on your network, they must give a user name and password. If you use Active Directory authentication on your Firebox to restrict outgoing network traffic to specified users or groups, they must also log on again when they manually authenticate to the device to access network resources such as the Internet. You can use Single Sign-On (SSO) to have users on the trusted or optional networks automatically authenticate to the Firebox when they log on to their computers.

To use SSO, you must install the SSO Agent software on a computer in your domain. For an environment such as a school, where more than one person uses the same computer, we recommend that you also install the SSO Client software on each computer, so that the Firebox learns which user is currently logged on to a shared computer instead of associating its IP address with a previous user and granting that user's level of web access.

For more information about Single Sign-On, see How Active Directory SSO Works.

See Also

Use WebBlocker Actions in Proxy Definitions

About the HTTP-Proxy

Set Global Firewall Authentication Values