How can I setup CFS policies with LDAP and SSO to restrict Internet access on CFS 3.0?

03/26/2020 1186 29325

DESCRIPTION:

This article explains about how to integrate Premium Content Filtering Service with LDAP (With Single Sign On) by using SonicOS 6.2.5.3 or older.

Restricted user group on the active directory is imported to SonicWall and give restricted web access to those users in that group. Wherein the Full Access User group has full access or partial access to websites.

RESOLUTION:

1.  In the SonicWall management interface, navigate to Security Services | Content Filter.
2. Select SonicWall CFS from the Content Filter Type menu, and click Configure.
   
   
   

   NOTE: Select Content Filter Service from the Content Filter Type menu when using 5.9 and above firmware.
   

   
   
3. The SonicWall Filter Properties window is displayed. Go to the Policy tab .
   
   
   
4. Make the Default Policy Most Restrictive.
   
   

   NOTE: The Default CFS policy is always inherited by every user. To ensure proper content filtering, the Default CFS policy should be configured to be the most restrictive policy, and then each custom policy should be configured to grant privileges that are otherwise restricted by the Default policy.
   
   

5. Edit the Default Policy to make it the most restrictive.
   

   CAUTION:  if a website is rated in more than one category, in order to block it, only one related category needs to be selected. In such scenario the SonicWall doesn't apply the "less restrictive" logic to avoid a situation where we would need to create exceptions for other sites falling into the additional categories.

6. Creating Restricted Access CFS Policy for Restricted User Group.Click on Add, Add a Policy for Restricted Group with most of the categories enabled (Depends on what should be Blocked) .
   
   

   EXAMPLE: Rrestricted user will have access only to E-mail and Search Engines and Portals category.
   
   

    

7. Creating a Full Access CFS Policy for Full Access User Group.Add second Policy for the Full Access Group with certain category enabled or all categories enabled (Depends on what should be allowed).
   
   

   EXAMPLE: Full Access Users will have access to all the categories.

 Configuring LDAP on SonicWall

1. Navigate to Users | Settings page, in the Authentication method for login drop-down list, select LDAP + Local Users and click Configure.
   
   
   

   TIP: If you are connected to your SonicWall appliance via HTTP rather than HTTPS, you will see a dialog box warning you of the sensitive nature of the information stored in directory services and offering to change your connection to HTTPS. If you have HTTPS management enabled for the interface to which you are connected (recommended), check the Do not show this message again box and click Yes.
   
   

2. On the Settings tab of the LDAP Configuration window, configure the following fields. 
   
   

   Name or IP address: IP address of the LDAP server Port Number: 389 (Default LDAP Port) Server timeout (seconds): 10 Seconds (Default) Overall operation timeout (minutes): 5(Default) Select Give login name/location in tree Login user name: Specify a user name that has rights to log in to the LDAP directory. Login Password: The password for the user account  specified above Protocol Version: LDAPv3 Use TLS (SSL) : Uncheck (If TLS is not used to log in to the LDAP server)

3. On the Schema tab, configure the following fields: LDAP Schema:Microsoft Active Directory.
4. On the Directory tab, configure the following fields.
   
   
   • Primary domain:The user domain used by your LDAP implementation.
   • User tree for login to server:The location of where the tree is that the user specified in the settings tab.
   • Click Auto-configure.
   • Select Append to Existing trees and Click OK.
     
     
   • This will populate the Trees containing users and Trees containing user groups fields by scanning through the directories in search of all trees that contain user objects.
5. On the LDAP Users tab, configure the following fields.
   
   • Default LDAP User Group : Trusted Group
     
     
6. On the LDAP Test tab, Test a Username and Password in Active directory to make sure that the communication is successful.

Importing Groups from LDAP to the SonicWall unit

1. Navigate to Users | Local Groups.
2. Click Import from LDAP.
   
   
   
3. Select the Group in LDAP that has to imported to SonicWall and click Save.
   
   
   
4. Click  Configure for the Group that is imported from LDAP.
5. Go to CFS Policy tab , Select the appropriate CFS Policy from the drop down and Click OK.

Configuring Single Sign-On Method on SonicWall 

1. Navigate to Users | Settings.
2. In the Single-sign-on method drop-down menu, select SonicWall SSO Agent.
   
   
   
3. Click Configure button. The SSO configuration page is displayed.
4. Under the Settings tab, Click Add button to add the IP address of the work station that has SSO agent running. 
   
   
   • Click on the ADD button: settings window is displayed
   • In the Host Name or IP Address field, enter the name or IP Address
     of the workstation on which SonicWall SSO Agent is installed
   • In Port Number, enter the port number of the workstation 
     on which SonicWall SSO Agent is installed.
     The default port is 2258
     
     
   • In the Shared Key field, enter the shared key that you 
     created or generated in the SonicWall SSO Agent. 
     The shared key must match exactly. Re-enter the 
     shared key in the Confirm Shared Key field.
     
     
   • Click Apply.
      
5. Once the SSO Agent is successfully added, under the Authentication Agent Settings a green light is shown for status.
   
   
6. Click Test tab. The Test Authentication Agent Settings page displays.
7. Select the Check agent connectivity radio button then click the Test button. This will test communication with the authentication agent. If the SonicWall security appliance can connect to the agent, you will see the message Agent is ready.
   
   
   
8. Select the Check user radio button, enter the IP address of a workstation in the Workstation IP address field, then click Test. This will test if the agent is property configured to identify the user logged into a workstation.
   
   NOTE: Performing tests on this page applies any changes that have been made.
   TIP: If you receive the messages Agent is not responding or Configuration error, check your settings and perform these tests again.
   
   
9. When you are finished, click OK. 
   
   
   

Configuring Single Sign-On Agent on Workstation

• Configuring the SonicWall SSO Agent Software on workstation .

Configuring Access Rule for the User Group

1.  Navigate to Firewall | Access rule, add a Rule form LAN to WAN.
   
   

   CAUTION: It is not recommended to do this change on a Production Environment because this changes are instant and can affect all the computers on the LAN. So it is best to schedule a downtime before proceeding further.

Service: HTTP Source: LAN Subnets Destination: Any User Allowed: Trusted Users Schedule : Always On

Enabling CFS for the LAN Zone

CAUTION: It is not recommended to do this change on a Production Environment because this changes are instant and can affect all the computers on the LAN. So it is best to schedule a downtime before proceeding further.

1. Navigate to Network | Zones, click Configure Button for LAN Zone.
2. Check the box Enforce Content Filtering Service, select the Default CFS Policy from the drop down.
   
   
   

How to TEST

• Log out from the windows domain computer and log in back with a user from either the full access or restricted access groups and check whether the policy is getting enforced correctly for the user.