How can I setup CFS policies with LDAP and SSO to restrict Internet access on CFS 3.0?

03/26/2020 1,203 People found this article helpful 133,870 Views

Description

This article explains about how to integrate Premium Content Filtering Service with LDAP (With Single Sign On) by using SonicOS 6.2.5.3 or older.

Restricted user group on the active directory is imported to SonicWall and give restricted web access to those users in that group. Wherein the Full Access User group has full access or partial access to websites.

Resolution

In the SonicWall management interface, navigate to Security Services | Content Filter.
Select SonicWall CFS from the Content Filter Type menu, and click Configure.

NOTE: Select Content Filter Service from the Content Filter Type menu when using 5.9 and above firmware.
The SonicWall Filter Properties window is displayed. Go to the Policy tab .
Make the Default Policy Most Restrictive.

NOTE: The Default CFS policy is always inherited by every user. To ensure proper content filtering, the Default CFS policy should be configured to be the most restrictive policy, and then each custom policy should be configured to grant privileges that are otherwise restricted by the Default policy.
Edit the Default Policy to make it the most restrictive.

CAUTION: if a website is rated in more than one category, in order to block it, only one related category needs to be selected. In such scenario the SonicWall doesn't apply the "less restrictive" logic to avoid a situation where we would need to create exceptions for other sites falling into the additional categories.
Creating Restricted Access CFS Policy for Restricted User Group.Click on Add, Add a Policy for Restricted Group with most of the categories enabled (Depends on what should be Blocked) .

EXAMPLE: Rrestricted user will have access only to E-mail and Search Engines and Portals category.
Creating a Full Access CFS Policy for Full Access User Group.Add second Policy for the Full Access Group with certain category enabled or all categories enabled (Depends on what should be allowed).

EXAMPLE: Full Access Users will have access to all the categories.

Configuring LDAP on SonicWall

Navigate to Users | Settings page, in the Authentication method for login drop-down list, select LDAP + Local Users and click Configure.

TIP: If you are connected to your SonicWall appliance via HTTP rather than HTTPS, you will see a dialog box warning you of the sensitive nature of the information stored in directory services and offering to change your connection to HTTPS. If you have HTTPS management enabled for the interface to which you are connected (recommended), check the Do not show this message again box and click Yes.

On the Settings tab of the LDAP Configuration window, configure the following fields.

Name or IP address: IP address of the LDAP server

Port Number: 389 (Default LDAP Port)

Server timeout (seconds): 10 Seconds (Default)

Overall operation timeout (minutes): 5(Default)

Select Give login name/location in tree

Login user name: Specify a user name that has rights to
log in to the LDAP directory.

Login Password: The password for the user account
specified above

Protocol Version: LDAPv3

Use TLS (SSL) : Uncheck (If TLS is not used to
log in to the LDAP server)

On the Schema tab, configure the following fields: LDAP Schema:Microsoft Active Directory.
On the Directory tab, configure the following fields.
- Primary domain:The user domain used by your LDAP implementation.
- User tree for login to server:The location of where the tree is that the user specified in the settings tab.
- Click Auto-configure.
- Select Append to Existing trees and Click OK.
- This will populate the Trees containing users and Trees containing user groups fields by scanning through the directories in search of all trees that contain user objects.
On the LDAP Users tab, configure the following fields.
- Default LDAP User Group : Trusted Group
On the LDAP Test tab, Test a Username and Password in Active directory to make sure that the communication is successful.

Importing Groups from LDAP to the SonicWall unit

Navigate to Users | Local Groups.
Click Import from LDAP.
Select the Group in LDAP that has to imported to SonicWall and click Save.
Click Configure for the Group that is imported from LDAP.
Go to CFS Policy tab , Select the appropriate CFS Policy from the drop down and Click OK.

Configuring Single Sign-On Method on SonicWall

Navigate to Users | Settings.
In the Single-sign-on method drop-down menu, select SonicWall SSO Agent.
Click Configure button. The SSO configuration page is displayed.
Under the Settings tab, Click Add button to add the IP address of the work station that has SSO agent running.
- Click on the ADD button: settings window is displayed
- In the Host Name or IP Address field, enter the name or IP Address
  of the workstation on which SonicWall SSO Agent is installed
- In Port Number, enter the port number of the workstation
  on which SonicWall SSO Agent is installed.
  The default port is 2258
- In the Shared Key field, enter the shared key that you
  created or generated in the SonicWall SSO Agent.
  The shared key must match exactly. Re-enter the
  shared key in the Confirm Shared Key field.
- Click Apply.
Once the SSO Agent is successfully added, under the Authentication Agent Settings a green light is shown for status.
Click Test tab. The Test Authentication Agent Settings page displays.
Select the Check agent connectivity radio button then click the Test button. This will test communication with the authentication agent. If the SonicWall security appliance can connect to the agent, you will see the message Agent is ready.
Select the Check user radio button, enter the IP address of a workstation in the Workstation IP address field, then click Test. This will test if the agent is property configured to identify the user logged into a workstation.

NOTE: Performing tests on this page applies any changes that have been made.
TIP: If you receive the messages Agent is not responding or Configuration error, check your settings and perform these tests again.
When you are finished, click OK.

Configuring Single Sign-On Agent on Workstation

Configuring the SonicWall SSO Agent Software on workstation .

Configuring Access Rule for the User Group

Navigate to Firewall | Access rule, add a Rule form LAN to WAN.

CAUTION: It is not recommended to do this change on a Production Environment because this changes are instant and can affect all the computers on the LAN. So it is best to schedule a downtime before proceeding further.

Service: HTTP
Source: LAN Subnets
Destination: Any
User Allowed: Trusted Users
Schedule : Always On

Enabling CFS for the LAN Zone

CAUTION: It is not recommended to do this change on a Production Environment because this changes are instant and can affect all the computers on the LAN. So it is best to schedule a downtime before proceeding further.

Navigate to Network | Zones, click Configure Button for LAN Zone.
Check the box Enforce Content Filtering Service, select the Default CFS Policy from the drop down.

How to TEST

Log out from the windows domain computer and log in back with a user from either the full access or restricted access groups and check whether the policy is getting enforced correctly for the user.

Not Finding Your Answers?

ASK THE COMMUNITY

Was This Article Helpful?

YES NO

Capture Cloud Platform

Federal

Partner Portal

Support Portal

Capture Cloud Platform

Federal

Partner Portal

Support Portal

How can I setup CFS policies with LDAP and SSO to restrict Internet access on CFS 3.0?

Description

Resolution

Related Articles

Categories

Not Finding Your Answers?

Was This Article Helpful?

Article Helpful Form

Article Not Helpful Form

Stay In Touch