
How can I setup CFS policies with LDAP and SSO to restrict Internet access on CFS 3.0?

03/26/2020 1,203 People found this article helpful 135,232 Views


    Description

    This article explains how to integrate the Premium Content Filtering Service with LDAP (with Single Sign-On) on SonicOS 6.2.5.3 or older.

    A Restricted user group in Active Directory is imported to the SonicWall, and the users in that group are given restricted web access, whereas the Full Access user group has full or partial access to websites.

    Resolution

    1. In the SonicWall management interface, navigate to Security Services | Content Filter.
    2. Select SonicWall CFS from the Content Filter Type menu, and click Configure.

      NOTE: Select Content Filter Service from the Content Filter Type menu when using 5.9 and above firmware.

    3. The SonicWall Filter Properties window is displayed. Go to the Policy tab.

    4. Make the Default Policy Most Restrictive.

      NOTE: The Default CFS policy is always inherited by every user. To ensure proper content filtering, the Default CFS policy should be configured to be the most restrictive policy, and then each custom policy should be configured to grant privileges that are otherwise restricted by the Default policy.

    5. Edit the Default Policy to make it the most restrictive.

      CAUTION: If a website is rated in more than one category, only one of those categories needs to be selected in order to block it. In such a scenario the SonicWall doesn't apply the "less restrictive" logic, to avoid a situation where we would need to create exceptions for other sites falling into the additional categories.

    6. Create a Restricted Access CFS Policy for the Restricted User Group. Click Add and add a policy for the Restricted Group with most of the categories enabled (depending on what should be blocked).

      EXAMPLE: Restricted users will have access only to the E-mail and Search Engines and Portals categories.

    7. Create a Full Access CFS Policy for the Full Access User Group. Add a second policy for the Full Access Group with certain categories enabled or all categories enabled (depending on what should be allowed).

      EXAMPLE: Full Access Users will have access to all the categories.


    Configuring LDAP on SonicWall

    1. Navigate to the Users | Settings page. In the Authentication method for login drop-down list, select LDAP + Local Users and click Configure.


      TIP: If you are connected to your SonicWall appliance via HTTP rather than HTTPS, you will see a dialog box warning you of the sensitive nature of the information stored in directory services and offering to change your connection to HTTPS. If you have HTTPS management enabled for the interface to which you are connected (recommended), check the Do not show this message again box and click Yes.

    2. On the Settings tab of the LDAP Configuration window, configure the following fields.

      • Name or IP address: IP address of the LDAP server
      • Port Number: 389 (Default LDAP Port)
      • Server timeout (seconds): 10 Seconds (Default)
      • Overall operation timeout (minutes): 5 (Default)
      • Select Give login name/location in tree
      • Login user name: Specify a user name that has rights to log in to the LDAP directory.
      • Login Password: The password for the user account specified above
      • Protocol Version: LDAPv3
      • Use TLS (SSL): Uncheck (if TLS is not used to log in to the LDAP server)

    3. On the Schema tab, configure the following fields: LDAP Schema: Microsoft Active Directory.
    4. On the Directory tab, configure the following fields.

      • Primary domain: The user domain used by your LDAP implementation.
      • User tree for login to server: The tree that contains the user specified on the Settings tab.
      • Click Auto-configure.
      • Select Append to Existing trees and click OK.
      • This will populate the Trees containing users and Trees containing user groups fields by scanning through the directories in search of all trees that contain user objects.
    5. On the LDAP Users tab, configure the following fields.
      • Default LDAP User Group: Trusted Group

    6. On the LDAP Test tab, test a username and password from Active Directory to make sure that the communication is successful.



    Importing Groups from LDAP to the SonicWall unit

    1. Navigate to Users | Local Groups.
    2. Click Import from LDAP.

    3. Select the group in LDAP that has to be imported to the SonicWall and click Save.

    4. Click Configure for the group that is imported from LDAP.
    5. Go to the CFS Policy tab, select the appropriate CFS Policy from the drop-down and click OK.

     

     

    Configuring Single Sign-On Method on SonicWall 

    1. Navigate to Users | Settings.
    2. In the Single-sign-on method drop-down menu, select SonicWall SSO Agent.

    3. Click the Configure button. The SSO configuration page is displayed.
    4. Under the Settings tab, click the Add button to add the IP address of the workstation that has the SSO Agent running.

      • Click the Add button; the settings window is displayed.
      • In the Host Name or IP Address field, enter the name or IP address of the workstation on which the SonicWall SSO Agent is installed.
      • In Port Number, enter the port number of the workstation on which the SonicWall SSO Agent is installed. The default port is 2258.
      • In the Shared Key field, enter the shared key that you created or generated in the SonicWall SSO Agent. The shared key must match exactly. Re-enter the shared key in the Confirm Shared Key field.
      • Click Apply.

    5. Once the SSO Agent is successfully added, a green light is shown for its status under Authentication Agent Settings.

    6. Click the Test tab. The Test Authentication Agent Settings page is displayed.
    7. Select the Check agent connectivity radio button, then click the Test button. This will test communication with the authentication agent. If the SonicWall security appliance can connect to the agent, you will see the message Agent is ready.

    8. Select the Check user radio button, enter the IP address of a workstation in the Workstation IP address field, then click Test. This will test whether the agent is properly configured to identify the user logged into a workstation.

      NOTE: Performing tests on this page applies any changes that have been made.
      TIP: If you receive the messages Agent is not responding or Configuration error, check your settings and perform these tests again.

    9. When you are finished, click OK. 


    Configuring Single Sign-On Agent on Workstation

    • Configuring the SonicWall SSO Agent software on the workstation.




    Configuring Access Rule for the User Group

    1. Navigate to Firewall | Access rule and add a rule from LAN to WAN.

      CAUTION: It is not recommended to make this change in a production environment, because these changes are instant and can affect all the computers on the LAN. It is best to schedule downtime before proceeding further.

      Service: HTTP
      Source: LAN Subnets
      Destination: Any
      User Allowed: Trusted Users
      Schedule: Always On

    Enabling CFS for the LAN Zone

    CAUTION: It is not recommended to make this change in a production environment, because these changes are instant and can affect all the computers on the LAN. It is best to schedule downtime before proceeding further.

    1. Navigate to Network | Zones and click the Configure button for the LAN Zone.
    2. Check the box Enforce Content Filtering Service and select the Default CFS Policy from the drop-down.

    How to TEST

    • Log out of the Windows domain computer, log back in with a user from either the full access or the restricted access group, and check whether the policy is enforced correctly for that user.
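
To know what "enforced correctly" should look like before logging in as each user, the following added example (not SonicWall code and not part of the original article) models the policy layout built above and prints the expected result per group and site. It assumes one imported group per user; the group names, the sample sites and every category other than E-mail and Search Engines and Portals are constructed for illustration.

```python
# Added example: a simplified model of the policy layout built in this article.
# It is not SonicOS code. Categories other than the two the article names,
# the group names and the site ratings are constructed sample values.
ALL_CATEGORIES = {
    "E-mail", "Search Engines and Portals", "Social Networking",
    "Gambling", "Games", "News and Media",
}

# Each policy is modelled as the set of categories it blocks.
POLICIES = {
    "Default": set(ALL_CATEGORIES),  # most restrictive: blocks everything
    "Restricted Access": ALL_CATEGORIES - {"E-mail", "Search Engines and Portals"},
    "Full Access": set(),            # all categories reachable
}

# Imported LDAP group -> policy selected on the group's CFS Policy tab.
GROUP_POLICY = {
    "Restricted Users": "Restricted Access",
    "Full Access Users": "Full Access",
}

SITES = {  # constructed sites and ratings
    "mail.example": ["E-mail"],
    "search.example": ["Search Engines and Portals"],
    "portal-games.example": ["Search Engines and Portals", "Games"],
    "social.example": ["Social Networking"],
}


def policy_for(group):
    """A user whose group has no custom policy gets the Default policy."""
    return GROUP_POLICY.get(group, "Default")


def is_blocked(group, site_categories):
    """Block as soon as one of the site's categories is blocked."""
    return bool(POLICIES[policy_for(group)] & set(site_categories))


def expected_matrix():
    """Expected verdict per (group, site), to compare with observed results."""
    groups = ["Restricted Users", "Full Access Users", None]
    return {
        (g, site): "BLOCK" if is_blocked(g, cats) else "ALLOW"
        for g in groups
        for site, cats in SITES.items()
    }


if __name__ == "__main__":
    for (group, site), verdict in expected_matrix().items():
        print(f"{group or 'no imported group':<20} {site:<24} {verdict}")
```

The portal-games.example row shows the multi-category caution: a restricted user is allowed Search Engines and Portals, yet the site is blocked because its second category is blocked.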
