How to setup CFS policies with LDAP and SSO to restrict internet access (SW7782)


  • Description

Using multiple custom Content Filter policies with LDAP and SSO to restrict Internet access (CFS + LDAP + SSO)

  • Resolution

This article explains how to integrate the Premium Content Filtering Service (CFS) with LDAP and Single Sign-On (SSO).

A restricted user group from Active Directory is imported into the SonicWALL and assigned a CFS policy that gives its members restricted web access, while a Full Access user group is assigned a policy that gives its members full (or partial) access to websites.



Deployment Steps

To integrate the Premium Content Filtering Service with LDAP, follow these steps:

Step 1: Configuring Content Filter and Policies
Step 2: Configuring LDAP on SonicWALL
Step 3: Importing Groups from LDAP to the SonicWALL unit
Step 4: Configuring Single Sign-On on SonicWALL
Step 5: Configuring Single Sign-On Agent on Workstation
Step 6: Configuring Access Rule for the User Group
Step 7: Enabling CFS for the LAN Zone


Procedure:

Step 1: Configuring Content Filter and Policies

1. In the SonicWALL management interface, select Security Services > Content Filter.

2. Select SonicWALL CFS from the Content Filter Type menu, and click Configure.



Note: On firmware 5.9 and later, select Content Filter Service from the Content Filter Type menu instead.



3. The SonicWALL Filter Properties window is displayed. Go to the Policy tab.



4. Make the Default Policy most restrictive.

Note: The Default CFS policy is always inherited by every user. To ensure proper content filtering, the Default CFS policy should be configured to be the most restrictive policy, and then each custom policy should be configured to grant privileges that are otherwise restricted by the Default policy.

Edit the Default Policy to make it the most restrictive


Note that if a website is rated in more than one category, blocking only one of those categories is enough to block the site. The SonicWALL does not apply "least restrictive" logic here; otherwise every site that also fell into an additional, allowed category would need its own exception.


5. Creating a Restricted Access CFS policy for the Restricted user group

Click Add and add a policy for the Restricted group with the categories to be blocked selected (most of them, depending on what should be blocked).
Example: restricted users have access only to the E-mail and Search Engines and Portals categories.

6. Creating a Full Access CFS policy for the Full Access user group

Add a second policy for the Full Access group with only the categories that should remain blocked selected, or none at all (depending on what should be allowed).
Example: full-access users have access to all categories.
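The three notes above (the Default policy is inherited by every user, a group policy grants categories back, and a site rated in several categories is blocked if any one of them is blocked) are easy to get wrong when planning policies. The following Python model, added here for illustration and not SonicOS code, encodes exactly those rules with the article's three policies and a constructed category list, constructed site ratings and hypothetical group names, so you can check what a user in a given group will be able to reach before touching the firewall:

```python
"""Model of the CFS policy semantics the article relies on (illustrative model,
not SonicOS code): every user inherits the Default policy, a group's policy
grants categories back, and a site rated in several categories is blocked if
any one of those categories is blocked for that user."""
from dataclasses import dataclass

# Constructed category list; the real SonicWALL catalogue is much larger.
ALL_CATEGORIES = frozenset({
    "Email",
    "Search Engines and Portals",
    "Social Networking",
    "Games",
    "Shopping",
    "News and Media",
})


@dataclass(frozen=True)
class CfsPolicy:
    name: str
    allowed: frozenset  # categories this policy permits; the rest are blocked

    def blocked(self):
        return ALL_CATEGORIES - self.allowed


# Step 1, item 4: the Default policy is made most restrictive (allows nothing).
DEFAULT_POLICY = CfsPolicy("Default", frozenset())
# Step 1, item 5: restricted users get only E-mail and Search Engines and Portals.
RESTRICTED_POLICY = CfsPolicy(
    "Restricted Access", frozenset({"Email", "Search Engines and Portals"}))
# Step 1, item 6: full-access users get every category.
FULL_POLICY = CfsPolicy("Full Access", ALL_CATEGORIES)

# Step 3, item 5: policy bound to each imported LDAP group (hypothetical names).
GROUP_POLICY = {
    "Restricted Users": RESTRICTED_POLICY,
    "Full Access Users": FULL_POLICY,
}


def effective_allowed(user_groups):
    """Default is inherited by everyone; each group policy adds what it allows.
    A user in no imported group therefore gets exactly the Default policy."""
    allowed = set(DEFAULT_POLICY.allowed)
    for group in user_groups:
        policy = GROUP_POLICY.get(group)
        if policy is not None:
            allowed |= policy.allowed
    return frozenset(allowed)


def is_blocked(user_groups, site_categories):
    """Multi-category rule from the article: one blocked category is enough."""
    blocked = ALL_CATEGORIES - effective_allowed(user_groups)
    return any(category in blocked for category in site_categories)


def decide(user_groups, site_categories):
    return "BLOCK" if is_blocked(user_groups, site_categories) else "ALLOW"


def default_leaks():
    """Categories every user gets regardless of group. If this is non-empty the
    Default policy is not the most restrictive one and should be tightened."""
    return effective_allowed([])


# Constructed sample ratings (not real SonicWALL ratings).
SITE_RATINGS = {
    "mail.example.com": frozenset({"Email"}),
    "search.example.com": frozenset({"Search Engines and Portals"}),
    "social.example.com": frozenset({"Social Networking"}),
    # rated in two categories: a portal that also carries news
    "portal.example.com": frozenset({"Search Engines and Portals", "News and Media"}),
}


def decisions_for(user_groups):
    return {host: decide(user_groups, cats) for host, cats in SITE_RATINGS.items()}


if __name__ == "__main__":
    assert not default_leaks(), "Default policy must allow nothing"
    for groups in (["Restricted Users"], ["Full Access Users"], []):
        print(groups or "(no imported group: Default policy only)")
        for host, verdict in sorted(decisions_for(groups).items()):
            print(f"  {verdict:5} {host}")
```

Two things the model makes visible: a restricted user is blocked from portal.example.com even though one of its categories is allowed, because its second category is not; and anything the Default policy allows is reachable by users who are in no imported group at all, which is why `default_leaks()` must come back empty.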


 Step 2: Configuring LDAP on SonicWALL

1. Go to the Users > Settings page. In the Authentication method for login drop-down list, select LDAP + Local Users and click Configure.



If you are connected to the SonicWALL appliance over HTTP rather than HTTPS, a dialog warns you about the sensitive nature of the information stored in directory services and offers to switch the connection to HTTPS. If HTTPS management is enabled for the interface you are connected to (recommended), check "Do not show this message again" and click Yes.

2. On the Settings tab of the LDAP Configuration window, configure the following fields:

Name or IP address: IP address of the LDAP server

Port Number: 389 (default LDAP port; 636 is the usual port when TLS is enabled)

Server timeout (seconds): 10 (default)

Overall operation timeout (minutes): 5 (default)

Select Give login name/location in tree

Login user name: a user name with rights to log in to the LDAP directory (a dedicated read-only account is recommended; the firewall only needs to read user and group objects)

Login Password: the password for the account specified above

Protocol Version: LDAPv3

Use TLS (SSL): leave unchecked only if the LDAP server does not accept TLS. Without TLS the bind user name and password above, and every later user lookup, cross the network to the LDAP server in cleartext, so enable TLS wherever the directory supports it.

3. On the Schema tab, set LDAP Schema to Microsoft Active Directory.

4. On the Directory tab, configure the following fields:

Primary domain: the user domain used by your LDAP implementation
User tree for login to server: the location in the tree of the login user specified on the Settings tab
Click Auto-configure.
Select Append to existing trees and click OK.




This will populate the Trees containing users and Trees containing user groups fields by scanning through the directories in search of all trees that contain user objects.

5. On the LDAP Users tab, configure the following fields:
              Default LDAP User Group: Trusted Group

6. On the LDAP Test tab, test a user name and password from Active Directory to make sure that the communication is successful.


Step 3: Importing Groups from LDAP to the SonicWALL unit

1. Go to Users > Local Groups

2. Click on Import from LDAP




3. Select the group in LDAP that has to be imported to the SonicWALL and click Save.

4. Click the Configure button for the group that was imported from LDAP.
5. Go to the CFS Policy tab, select the appropriate CFS policy from the drop-down and click OK.


 Step 4: Configuring Single Sign-On Method on SonicWALL

1. Navigate to Users > Settings.
2. In the Single-sign-on method drop-down menu, select SonicWALL SSO Agent.



3. Click the Configure button. The SSO configuration page is displayed.
4. Under the Settings tab, click Add to add the workstation that runs the SSO agent. The Settings window for the new agent is displayed:

In the Host Name or IP Address field, enter the name or IP address of the workstation on which the SonicWALL SSO Agent is installed.

In Port Number, enter the port on which the SonicWALL SSO Agent listens on that workstation. The default port is 2258.

In the Shared Key field, enter the shared key that you created or generated in the SonicWALL SSO Agent. The shared key must match exactly. Re-enter it in the Confirm Shared Key field.

Click Apply.


5. Once the SSO agent is successfully added, a green status light is shown for it under Authentication Agent Settings.



6. Click the Test tab. The Test Authentication Agent Settings page displays.
7. Select the Check agent connectivity radio button then click the Test button. This will test communication with the authentication agent. If the SonicWALL security appliance can connect to the agent, you will see the message Agent is ready.




8. Select the Check user radio button, enter the IP address of a workstation in the Workstation IP address field, and then click Test. This tests whether the agent is properly configured to identify the user logged in to that workstation.

Note: Performing tests on this page applies any changes that have been made.

Tip: If you receive the messages Agent is not responding or Configuration error, check your settings and perform these tests again.

9. When you are finished, click OK

Step 5. Configuring Single Sign-On Agent on Workstation

Refer to the article: UTM: Configuring the SonicWALL SSO Agent Software on workstation



Step 6: Configuring Access Rule for the User Group

Go to Firewall > Access Rules and add a rule from LAN to WAN.

Caution: It is not recommended to make this change in a production environment without planning, because it takes effect immediately and can affect every computer on the LAN. Schedule downtime before proceeding.

Service: HTTP
Source: LAN Subnets
Destination: Any
Users Allowed: Trusted Users
Schedule: Always On

Because the rule is restricted to Trusted Users, HTTP traffic from the LAN is only passed once the user has been identified (here via SSO). As written it covers only HTTP; if HTTPS traffic should be subject to the same user identification, add a matching rule for the HTTPS service.




Step 7: Enabling CFS for the LAN Zone

Caution: It is not recommended to make this change in a production environment without planning, because it takes effect immediately and can affect every computer on the LAN. Schedule downtime before proceeding.

Go to Network > Zones and click the Configure button for the LAN zone.
Check Enforce Content Filtering Service and select the Default CFS policy from the drop-down.


How to TEST

Log out of a domain-joined Windows computer and log back in as a user from either the full access or the restricted access group, then check whether the matching policy is enforced for that user.
