Leveraging LDAP Groups/Users with SonicWALL UTM Appliance
Contents ...
Step 10: On the LDAP Users tab, configure the following fields: • Allow only users listed locally – Requires that LDAP users also be present in t
In the LDAP Import User Groups dialog box, select the checkbox for each group that you want to import into the SonicWALL, and then click Save. Hav
Step 11: On the LDAP Relay tab, configure the following fields: The RADIUS to LDAP Relay feature is designed for use in a topology where there is
configurable. Step 12: Select the Test tab to test the configured LDAP settings: The Test LDAP Settings page allows for the configured LDAP settin
Logon to Appliance – Configuring User Level Authentication Settings This is the other method of authenticating users, and requires the user to logi
Step 5: Click Add, then create the following two rules as depicted below. The order is important. The new first rule allows any DNS queries out. T
NOTE: The difference between “All” and “Everyone” in a policy rule. Selecting “All” will allow all matching traffic, regardless of an authenticat
If everything is working correctly, you should then see users authenticated on the Log > View page. SonicOS Options That Leverage Groups/User
• Rule processing stops as soon as there is a match (with some caveats – see below) • Rule logic first looks at Source, then Destination, Service
allowed access through it. Matching traffic from the user or members of the user group will be given access, and matching traffic from anyone else
Blocking IM Traffic Categorically ...
Firewall Rules with Bandwidth Management & Logging It is possible to leverage FW rules simply for logging and/or bandwidth management (BWM).
After BWM is enabled on the WAN interface, a new tab is displayed within FW rule creation: the Ethernet BWM tab. You can now enable BWM on a rule b
NOTE: You can create a firewall rule for any given user/group and restrict that group’s overall bandwidth for any network service/protocol. Consid
Step 2: Create an AO for yahoo.com. Step 3: Now, create an AO Group and add the appropriate AOs to this group.
Step 4: Next, create an FW rule that will deny traffic to the Blocked Sites AO Group. Allowing Specific Domains and Blocking All Others with Fi
Step 2: Create an AO for Mysonicwall.com. While using an FQDN is often more “friendly”, in this example we’ve chosen the IP address. Step 2: Cre
Step 4: Create a rule to allow HTTP traffic for your allowed lists.
Step 5: Do the same for HTTPS.
Step 6: Create the deny rules for HTTP and HTTPS.
The firewall rules should now look like the picture below: NOTE: The downside to using FW rules to block/allow websites is that if a user
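The rule set built in the steps above depends entirely on order and on the “All” versus “Everyone” choice. The following is an added example, not SonicOS code, that models first-match evaluation the way the page describes it (Source, then Destination, Service, then Users): “All” matches traffic whether or not the user has authenticated, “Everyone” only traffic from an authenticated user. Address Objects and AO groups are reduced to IP networks, and every name, address, and user in it is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example; not SonicOS code. All names and addresses are constructed.

ANY = "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str            # "DNS", "HTTP" or "HTTPS"
    user: str = None        # None = not yet authenticated to the appliance
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "deny"
    src: str = ANY          # AO / AO-group name or ANY
    dst: str = ANY
    service: str = ANY
    users: str = "All"      # "All", "Everyone" or a local group name


# Constructed Address Objects; the Mysonicwall.com AO uses an IP, as on the page.
ADDRESS_OBJECTS = {
    "LAN Subnets": ["192.168.1.0/24"],
    "Mysonicwall.com": ["203.0.113.10/32"],
    "yahoo.com": ["198.51.100.0/24"],
}
ADDRESS_GROUPS = {
    "Allowed Sites": ["Mysonicwall.com"],
    "Blocked Sites": ["yahoo.com"],
}


def networks_for(name):
    """Expand an AO or AO-group name to networks; ANY expands to None."""
    if name == ANY:
        return None
    members = ADDRESS_GROUPS.get(name, [name])
    return [ip_network(n) for m in members for n in ADDRESS_OBJECTS[m]]


def address_matches(name, ip):
    nets = networks_for(name)
    return nets is None or any(ip_address(ip) in n for n in nets)


def users_match(spec, pkt):
    if spec == "All":
        return True                     # authenticated or not
    if spec == "Everyone":
        return pkt.user is not None     # any authenticated user
    return spec in pkt.groups           # member of the named local group


def rule_matches(rule, pkt):
    return (address_matches(rule.src, pkt.src)
            and address_matches(rule.dst, pkt.dst)
            and rule.service in (ANY, pkt.service)
            and users_match(rule.users, pkt))


def evaluate(rules, pkt):
    """First matching rule wins; nothing matching is denied.
    (On the appliance a non-match on an "Everyone" rule would normally send an
    unauthenticated user to the login page; here it simply falls through.)"""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "implicit deny"


# The ordering the page arrives at: DNS first, allow-list rules, then deny rules.
RULES = [
    Rule("DNS out", "allow", service="DNS", users="All"),
    Rule("Allow HTTP to allowed list", "allow", dst="Allowed Sites", service="HTTP", users="Everyone"),
    Rule("Allow HTTPS to allowed list", "allow", dst="Allowed Sites", service="HTTPS", users="Everyone"),
    Rule("Deny other HTTP", "deny", service="HTTP", users="All"),
    Rule("Deny other HTTPS", "deny", service="HTTPS", users="All"),
]
# The same rules with the deny rules moved up: the allow rules can never match.
MISORDERED_RULES = RULES[3:] + RULES[:3]

if __name__ == "__main__":
    staff = Packet("192.168.1.20", "203.0.113.10", "HTTP", user="jsmith", groups=frozenset({"Staff"}))
    print(evaluate(RULES, staff))             # ('allow', 'Allow HTTP to allowed list')
    print(evaluate(MISORDERED_RULES, staff))  # ('deny', 'Deny other HTTP')
```

Run it with different packets to see the two effects the page warns about: an unauthenticated host still gets DNS (the “All” rule), but its HTTP to an allowed site falls through the “Everyone” rule into the deny rule, and swapping the deny rules above the allow rules silently blocks the allowed list.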
Integrating LDAP/Active Directory with SonicWALL UTM SonicOS supports a range of different LDAP servers, the most popular being Active Directory (A
Blocking HTTPS (SSL) Domains with SSL Control With Secure Sockets Layer (SSL) Control it is possible to whitelist and blacklist HTTPS domains, as we
ever-decreasing cost and complexity of SSL, however, has also spurred the growth of more dubious applications of SSL, designed primarily for the pu
Step 1: To configure the Whitelist and Blacklist navigate to Firewall > SSL Control > click the Configure button to bring up the following wi
Applying Different CFS Policies to Groups It is important to understand what CFS is capable of (as of SonicOS 5.2). CFS is a subscription-based s
CFS has the ability to allow or block domains by their fully qualified domain name (FQDN) or by keywords in their FQDN. This functionality does no
NOTE: If you wish to forbid or allow HTTPS domains, their IP address must be used in CFS. FQDN does not work for HTTPS sites in the CFS Cu
Step 1: Under the CFS tab, enable the IP-based HTTPS content filtering. This enables CFS for HTTPS domains. This is important if you wish to bloc
Step 3: Create a friendly name for the new policy. Step 4: Navigate to the URL List tab and select the categories you want to block or allow for
default of “moderate” to “strict” filtering on Google however. Step 6: Select if you want the CFS Policy to only run at certain times of the
Step 7: Next navigate to Users > Local Groups and configure the Group you want the new CFS policy to apply to. Step 8: Select the CFS policy
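To make the CFS behaviour in this section concrete, here is an added example (not SonicOS code) that picks a CFS policy from the user’s local group and then applies the page’s two matching rules: an HTTP request is matched against the policy’s lists by FQDN or by keyword, while an HTTPS request, with IP-based HTTPS content filtering enabled, is matched only by the server’s IP address, so an FQDN or keyword entry never fires for HTTPS. The policies, groups, domains, IP addresses and category ratings are all constructed, and the group-priority order used when a user belongs to several groups is an assumption.

```python
# Added example; not SonicOS code. Everything below is constructed data.

CFS_POLICIES = {
    "Default": {
        "blocked_categories": {"Adult/Mature"},
        "forbidden_fqdn": set(), "forbidden_keyword": set(), "forbidden_ip": set(),
        "allowed_fqdn": set(), "allowed_ip": set(),
    },
    "Students-Strict": {
        "blocked_categories": {"Adult/Mature", "Social Networking", "Games"},
        "forbidden_fqdn": {"yahoo.com"},
        "forbidden_keyword": {"poker"},
        "forbidden_ip": {"198.51.100.20"},       # HTTPS sites must be listed by IP
        "allowed_fqdn": {"mysonicwall.com"},
        "allowed_ip": {"203.0.113.10"},
    },
}

# Users > Local Groups: the CFS policy assigned to each group (Steps 7 and 8).
GROUP_POLICY = {"Students": "Students-Strict", "Staff": "Default"}
GROUP_PRIORITY = ["Students", "Staff"]          # assumption: first listed wins

# Constructed category ratings (the appliance rates HTTPS sites by IP;
# keyed by host name here for brevity).
CATEGORY_OF = {
    "facebook.com": "Social Networking",
    "yahoo.com": "News",
    "mysonicwall.com": "Business",
    "pokerstars.example": "Games",
}


def policy_for(groups):
    for group in GROUP_PRIORITY:
        if group in groups and group in GROUP_POLICY:
            return GROUP_POLICY[group]
    return "Default"


def fqdn_matches(entry, host):
    """An FQDN entry matches the host itself and any subdomain of it."""
    host = host.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)


def keyword_matches(keyword, host):
    return keyword.lower() in host.lower()


def cfs_decision(groups, scheme, host, server_ip, https_ip_filtering=True):
    """Return (verdict, reason) for one request by a member of `groups`."""
    name = policy_for(groups)
    policy = CFS_POLICIES[name]
    category = CATEGORY_OF.get(host.lower(), "Uncategorized")

    if scheme == "https":
        # Only the server IP is available to IP-based HTTPS filtering.
        if not https_ip_filtering:
            return "allow", "%s: HTTPS filtering disabled" % name
        if server_ip in policy["allowed_ip"]:
            return "allow", "%s: allowed IP" % name
        if server_ip in policy["forbidden_ip"]:
            return "block", "%s: forbidden IP" % name
        if category in policy["blocked_categories"]:
            return "block", "%s: category %s" % (name, category)
        return "allow", "%s: no HTTPS match (FQDN/keyword lists not consulted)" % name

    # HTTP: allowed list wins, then forbidden FQDNs, keywords, then category.
    if any(fqdn_matches(e, host) for e in policy["allowed_fqdn"]):
        return "allow", "%s: allowed FQDN" % name
    if any(fqdn_matches(e, host) for e in policy["forbidden_fqdn"]):
        return "block", "%s: forbidden FQDN" % name
    if any(keyword_matches(k, host) for k in policy["forbidden_keyword"]):
        return "block", "%s: forbidden keyword" % name
    if category in policy["blocked_categories"]:
        return "block", "%s: category %s" % (name, category)
    return "allow", "%s: no match" % name


if __name__ == "__main__":
    # Same student, same site: the FQDN entry blocks HTTP but not HTTPS.
    print(cfs_decision({"Students"}, "http", "mail.yahoo.com", "198.51.100.99"))
    print(cfs_decision({"Students"}, "https", "mail.yahoo.com", "198.51.100.99"))
    print(cfs_decision({"Students"}, "https", "mail.yahoo.com", "198.51.100.20"))
```

The three calls at the bottom are the page’s NOTE in action: the yahoo.com FQDN entry blocks the student’s HTTP request, does nothing for the HTTPS request to the same host, and only the IP entry catches the HTTPS request.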
Exporting the CA Certificate from the Active Directory Server To export the CA certificate from the AD server: Step 1: Launch the Certification Auth
Step 1: Navigate to Network > Network Interfaces. Configure the respective interfaces you wish to support local authentication on by enabling H
Basic Sample Code for SonicOS 5.2 ----*snipped*---- (with virtual scissors ☺ ) <tr><td align=center nowrap><font size="2"
NOTE: Use caution that the website you are redirecting to isn’t on the CFS list or blocked domains; that would create a looping situation. <html>
</div> </div> <div id="popup_box_text"> <table align=center cellpadding=5 width=80%> <tr><td align=cente
Sample JavaScript Code for SonicOS 5.2 In this example, “blockedURL” is the variable that references the URL the client was trying to browse to. I
Applying Application Firewall Policies to Groups/Users Application Firewall is a very flexible tool to manage application-specific traffic. The go
When looking for an HTTP Host, you can get specific with an FQDN or leave it more general with a partial match. In the example below, websites wi
Step 3: Navigate to Policies and add a new policy. Give the policy a friendly name. Select the Application Object that was just created “Blocked
When a user attempts to navigate to monster.com, they will be presented with a “page cannot be displayed” message. Alternatively, you can have the
Step 6: Navigate to Application Firewall > Policies and change the action from reset/drop to the new custom action. If you wish to display
Step 5: On the Settings tab of the LDAP Configuration window, configure the following fields: • Name or IP Address – The FQDN or the IP addres
Tightening Control over the Browsing Behavior of Users Now that we’ve looked at the different ways to restrict browsing and web behavior through d
• Turn on Gateway AV and Antispyware – turn all settings on. If you really want to block everything, the most drastic step you can take is to unpl
NOTE: You can change the Prevention and Detection from the global settings and adjust other settings such as the schedule when the signature is en
Applying VPN Access Policies to Groups/Users SonicOS 5.2 supports two VPN clients: Global VPN Client (GVC), an IPsec client, and NetExtender, an SSL-V
NOTE: Depending on how you set up your group membership, being a member of this group does not automatically grant those users VPN access. Step
SSL-VPN (NetExtender) SonicOS 5.2 introduces SSL VPN functionality via NetExtender. NetExtender is a lightweight client that can run on Windows,
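The NOTE above is the point most often missed when groups come from LDAP, so here is an added example (not SonicOS code) that traces it through: the groups selected in the LDAP Import User Groups dialog become local groups, a user’s memberOf values are mapped onto those local groups (groups that were never imported are ignored), and the user can use GVC or NetExtender only if the user, or one of those local groups, is named in that client’s access list. It also applies the “Allow only users listed locally” setting from the LDAP Users tab. The DNs, user names, directory entries and VPN access lists are all constructed.

```python
# Added example; not SonicOS code. All DNs, users and policies are constructed.

# Groups chosen in the LDAP Import User Groups dialog: DN -> local group name.
IMPORTED_GROUPS = {
    "CN=VPN-Users,OU=Groups,DC=yourADdomain,DC=com": "VPN-Users",
    "CN=Remote-Staff,OU=Groups,DC=yourADdomain,DC=com": "Remote-Staff",
    "CN=Staff,OU=Groups,DC=yourADdomain,DC=com": "Staff",
}

# Users > Local Users; only consulted when "Allow only users listed locally" is on.
LOCAL_USERS = {"jsmith", "adoe"}

# Which local groups and users each VPN client's access list admits.
VPN_POLICIES = {
    "GVC": {"groups": {"VPN-Users"}, "users": set()},
    "NetExtender": {"groups": {"Remote-Staff"}, "users": {"adoe"}},
}

# Constructed memberOf values, as the appliance would read them after the LDAP lookup.
DIRECTORY = {
    "jsmith": ["CN=Staff,OU=Groups,DC=yourADdomain,DC=com",
               "CN=VPN-Users,OU=Groups,DC=yourADdomain,DC=com"],
    "adoe":   ["CN=Staff,OU=Groups,DC=yourADdomain,DC=com"],
    "bwong":  ["CN=Remote-Staff,OU=Groups,DC=yourADdomain,DC=com",
               "CN=Printer-Admins,OU=Groups,DC=yourADdomain,DC=com"],  # never imported
}


def normalize_dn(dn):
    """DN comparison is case-insensitive and ignores spaces after commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


IMPORTED_BY_DN = {normalize_dn(dn): name for dn, name in IMPORTED_GROUPS.items()}


def local_groups_for(user, allow_only_local=False):
    """Map the user's memberOf DNs onto imported local groups.
    Returns None when "Allow only users listed locally" rejects the user."""
    if allow_only_local and user not in LOCAL_USERS:
        return None
    return {IMPORTED_BY_DN[normalize_dn(dn)]
            for dn in DIRECTORY.get(user, [])
            if normalize_dn(dn) in IMPORTED_BY_DN}


def vpn_access(user, client, allow_only_local=False):
    """Return (granted, reason) for a connection attempt with the named client."""
    groups = local_groups_for(user, allow_only_local)
    if groups is None:
        return False, "user is not listed locally"
    policy = VPN_POLICIES[client]
    if user in policy["users"]:
        return True, "user named in the %s access list" % client
    granted = groups & policy["groups"]
    if granted:
        return True, "member of %s" % sorted(granted)[0]
    return False, "member of %s, none of which is in the %s access list" % (
        sorted(groups), client)


if __name__ == "__main__":
    for user in sorted(DIRECTORY):
        for client in VPN_POLICIES:
            print(user, client, vpn_access(user, client))
```

jsmith is in an imported group and in the GVC access list, so GVC works and NetExtender does not; bwong’s Remote-Staff membership admits NetExtender only, and the Printer-Admins membership disappears because that group was never imported; adoe gets NetExtender by being listed as a user, not through any group. Turning on “Allow only users listed locally” then refuses bwong outright, because there is no matching local user.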
Guest Services (Wireless Guest Services) SonicOS supports Guest Services. Guest services are typically used in wireless hotspot deployments, but t
It is not much of a stretch to see that if you are using LDAP integration, you could essentially build guest accounts and profiles in LDAP and
• Send LDAP ‘Start TLS’ Request – Some LDAP server implementations support the Start TLS directive rather than using native LDAP over TLS. This all
Selecting any of the predefined schemas will automatically populate the fields used by that schema with their correct values. Selecting ‘User Defi
• Primary Domain – The user domain used by your LDAP implementation. For AD, this will be the Active Directory domain name, e.g. yourADdomain.com.
trees are best ordered with those on the primary server first, and the rest in the same order in which they will be referred. NOTE: When working with AD
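The Settings and Directory fields described here (Primary Domain, the schema’s attribute names, and the ordered list of trees containing users) together determine what the appliance sends to the LDAP server when it looks a user up, which is also what the Test tab exercises. The following is an added example, not SonicWALL code, that builds that lookup: it turns the Primary Domain into a base DN, splits a user@domain login, builds the search filter from the Active Directory schema attributes, and walks the trees in the configured order. The tree list, the helper names and the sample logins are assumptions; the filter escaping is RFC 4515 and is included because a login name is untrusted input that must not be able to rewrite the filter.

```python
# Added example; not SonicWALL code. Tree list, helper names and sample
# logins are assumptions.

# Attribute names of the predefined Active Directory schema.
AD_SCHEMA = {
    "user_object_class": "user",
    "login_name_attribute": "sAMAccountName",
}

# Assumed "Trees containing users", relative to the domain's base DN and
# ordered as the page recommends: primary server's trees first.
USER_TREES = ["CN=Users", "OU=Staff,OU=Sales", "OU=Contractors"]


def domain_to_base_dn(domain):
    """'yourADdomain.com' -> 'DC=yourADdomain,DC=com'."""
    labels = [label for label in domain.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("DC=" + label for label in labels)


def escape_filter_value(value):
    """RFC 4515 escaping: a login such as 'x)(cn=*' must not alter the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def split_login(login, primary_domain):
    """'jsmith@sales.example' -> ('jsmith', 'sales.example');
    a bare login name belongs to the Primary Domain."""
    if "@" in login:
        user, _, domain = login.rpartition("@")
        return user, domain
    return login, primary_domain


def user_search_filter(login_name, schema=AD_SCHEMA):
    return "(&(objectClass=%s)(%s=%s))" % (
        schema["user_object_class"],
        schema["login_name_attribute"],
        escape_filter_value(login_name),
    )


def search_plan(login, primary_domain, user_trees=USER_TREES, schema=AD_SCHEMA):
    """Ordered (base DN, filter) pairs: each tree is searched in turn, in the
    configured order, and the first tree that returns the user wins."""
    user, domain = split_login(login, primary_domain)
    base = domain_to_base_dn(domain)
    flt = user_search_filter(user, schema)
    return [(tree + "," + base, flt) for tree in user_trees]


if __name__ == "__main__":
    for base_dn, flt in search_plan("jsmith", "yourADdomain.com"):
        print("search base=%s filter=%s" % (base_dn, flt))
    # A hostile login name stays inert inside the filter:
    print(user_search_filter("x)(cn=*"))
```

If a user lives in an OU that is not in the tree list, the plan never reaches them, which is the usual reason a correct password still fails the Test tab; the ordered list above is what to check first.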