Integration of LDAP Groups or Local Groups and Content Filtering without Single Sign On
03/26/2020
DESCRIPTION:
This article explains how to integrate the Premium Content Filtering Service with LDAP without using the Single Sign-On service. For the SonicWall to know which Content Filtering Policies to apply to a session, it needs either to have the policy set by IP address or to have a user authenticate against it. This can be a Local User or an LDAP User; for this article we'll be examining LDAP Users.
RESOLUTION:
Enabling HTTPS Login for LAN Interface
TIP: This step can be used for any Zone, not just the LAN. Make sure to Enable HTTPS Login for every Zone that you need Users to Authenticate from!
CAUTION: It is possible to follow this setup using HTTP but this is highly insecure, not recommended, and thus not explicitly detailed in this article.
- Log into the SonicWall and navigate to Manage | Network | Interfaces | LAN, then click the Configure button. Select HTTPS under User Login.

Configuring LDAP on SonicWall (If You're Using Local Groups Only Skip This Step)
Configuring the Local/LDAP Groups
- [For Local Groups] Navigate to Manage | Users | Local Groups. From here you can click Add and choose either Import Groups from LDAP or create Local Groups which reside on the SonicWall.
- [For LDAP Groups] Navigate to Manage | Users | Settings | Configure LDAP | Users & Groups and select Import User Groups.


Creating Local Groups
- Click Add and include a Name on the Settings Tab.
- On the Members tab move Users or Groups from the left to the right.
- Click OK.


Importing LDAP Groups
- Click Import User Groups and choose Import User Groups from the LDAP directory. Choose an LDAP Server to Import from under Where to import from.
- Click OK.

Configuring Content Filter and Policies
Configuring Access Rule for the User Group
Now that we have our Groups either imported or created and also applied to our CFS Policies, we need to create a way for users to authenticate against the SonicWall. Since we're not using Single Sign On, we will have to force users to sign in to the SonicWall directly.
While Users can navigate to the SonicWall's IP address manually and log in, this is a cumbersome solution. Instead, it's possible to create an Access Rule which redirects Users to the SonicWall and forces them to authenticate.
First we need to create an Access Rule to allow DNS:
- Click Add again and set the From and To Zones to be the same as they were in the previous Access Rule.
- Fill in the rest of the Access Rule as shown below (Substitute your own Group for the one shown).

TIP: It's possible to create a Service Group and combine HTTP, HTTPS, and any other Services you'd like and only use one Access Rule. This is a recommended Best Practice.
CAUTION: Ensure that this access rule is the #2 Priority under the Zone to Zone page.
How to Test
From a Host on one of the Zones where you have set up both Content Filtering and the required Access Rules, try to access any website. The SonicWall should redirect the request and prompt the User to log in.
Resolution for SonicOS 6.2 and Below
The resolution below is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.
Enabling HTTPS Login for LAN Interface
TIP: This step can be used for any Zone, not just the LAN. Make sure to Enable HTTPS Login for every Zone that you need Users to Authenticate from!
CAUTION: It is possible to follow this setup using HTTP but this is highly insecure, not recommended, and thus not explicitly detailed in this article.
- Log into the SonicWall and navigate to Network | Interfaces | LAN, then click the Configure button. Select HTTPS under User Login.

Configuring LDAP on SonicWall (If You're Using Local Groups Only Skip This Step)
Configuring the Local/LDAP Groups
- Navigate to Users | Local Groups. From here you can either Import Groups from LDAP or create Local Groups which reside on the SonicWall.

Creating Local Groups
- Click Add Group and include a Name on the Settings tab.
- On the Members Tab move Users or Groups from the left to the right.
- Click OK.


Importing LDAP Groups
- Click Import from LDAP and choose Import user groups from the LDAP directory.
- On the popup window select the Groups you'd like to Import from those available. You can select multiple Groups at once.
- Click Save Selected.

Configuring Content Filter and Policies
Configuring Access Rule for the User Group
Now that we have our Groups either imported or created and also applied to our CFS Policies, we need to create a way for users to authenticate against the SonicWall. Since we're not using Single Sign On, we will have to force users to sign in to the SonicWall directly.
While Users can navigate to the SonicWall's IP address manually and log in, this is a cumbersome solution. Instead, it's possible to create an Access Rule which redirects Users to the SonicWall and forces them to authenticate.
First we need to create an Access Rule to allow DNS:
- Click Add again and set the From and To Zones to be the same as they were in the previous access rule.
- Fill in the rest of the access rule as shown below (Substitute your own Group for the one shown).

TIP: It's possible to create a Service Group and combine HTTP, HTTPS, and any other Services you'd like and only use one Access Rule. This is a recommended Best Practice.
CAUTION: Ensure that this Access Rule is the #2 Priority under the Zone to Zone page.
How to Test
From a Host on one of the Zones where you have set up both Content Filtering and the required Access Rules, try to access any website. The SonicWall should redirect the request and show a screen similar to the image below.
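The "How to Test" step for either firmware generation can be scripted from an unauthenticated host. This is an added example, not part of the original article or SonicWall tooling. It assumes the redirect arrives as an HTTP 3xx response whose Location header points at the firewall's interface address; `FIREWALL_HOST` and `TEST_SITE` are constructed sample values to replace with your own.

```python
import http.client
import socket
from urllib.parse import urlsplit

# Assumption: address of the firewall interface in the zone under test.
FIREWALL_HOST = "192.168.168.168"  # constructed sample value
# Assumption: any site that answers on plain HTTP (port 80).
TEST_SITE = "example.com"


def classify(status, location, firewall_host):
    """Interpret the first HTTP response seen by an unauthenticated host."""
    if status not in (301, 302, 303, 307, 308) or not location:
        # Page served directly: the Access Rule did not match, or this
        # user is already logged in to the firewall.
        return "no-redirect"
    target = urlsplit(location)
    if (target.hostname or "").lower() != firewall_host.lower():
        # The web site's own redirect, not the firewall's login redirect.
        return "other-redirect"
    # HTTPS login is the setup the article describes; a plain-HTTP login
    # page would carry the user's credentials in clear text.
    return "https-login" if target.scheme == "https" else "http-login"


def probe(site, firewall_host, timeout=5):
    """Run the manual test: resolve a name, then request it over HTTP."""
    try:
        socket.gethostbyname(site)  # depends on the DNS allow rule
    except socket.gaierror:
        return "dns-failed"
    conn = http.client.HTTPConnection(site, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()  # http.client does not follow redirects
        return classify(resp.status, resp.getheader("Location"), firewall_host)
    finally:
        conn.close()


if __name__ == "__main__":
    print(probe(TEST_SITE, FIREWALL_HOST))
```

A result of `https-login` matches the configuration described here; `http-login` means User Login is set to HTTP on that interface, and `dns-failed` points at the DNS Access Rule.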
