Customizing the Sonicwall Content Filter

Tweaking our Sonicwall gear continues, and I have to say it responds quite well to our ever-changing needs. Several of our ministries needed the content filtering adjusted for their work, but IT and our leadership team didn't want to open entire categories in the filter just to allow a few specific sites across the board, especially since we are using that content filtering for both our core network and our public Wi-Fi. So, enter the Sonicwall Single Sign-On (SSO) Agent.
Sonicwall has offered the SSO agent since the release of version 4 last fall, but it took us quite a while to get this project to the top of the list and tested before deploying it into production. Basically, the SSO agent lets the user's Windows workstation authenticate the user who is logged into that workstation to the firewall, so the firewall knows who is behind each session.
The configuration process is fairly basic (although, because of several issues, I won't say easy).
What you need to make this happen:
- A Sonicwall firewall with an active Content Filtering Service (CFS) subscription and CFS enabled
- The Sonicwall SSO agent installed on a networked machine (in our case a virtual server)
- A working MS Active Directory structure for your domain.
- User(s) added to groups defined in Active Directory.
The biggest hurdle we had was the SSO agent failing on us. We would get everything running in our test environment, then the agent service would stop and there was no web access at all. You can set the device to fail open if the SSO agent fails, but we elected to drop down to the default CFS policy for all users if the agent fails. Downloading a more recent version of the SSO agent and moving it to a more stable server seemed to resolve that issue.
First you need to adjust the content filter to allow access to the specific sites you want some users to be able to reach.
- The catch: you can't allow or deny access to a specific URL based on the logged-in user or group. To work around this we first allowed the specific sites we needed through the content filter. This is a simple whitelist in the content filter.
- Note that this excludes the URL from all content filter policies, for every user.
- Then use the firewall rules, which have the AD-group-specific granularity you need.
- Create a firewall rule that allows access to the sites for the specified groups and denies it for all others.
- All of this, of course, applies only on the authenticated side. Other zones and non-Windows machines follow the default rules, with exceptions provisioned per user. Since firewall rules take priority over CFS, the site can be an exception in the CFS while only members of the allow group are actually able to view it.
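To make that evaluation order concrete, here is an added example of my own (not from the post and not SonicWall's configuration format): a small Python model in which group-aware firewall rules are checked before the CFS whitelist, an SSO-agent outage leaves the user unidentified, and the site, group and category names are hypothetical. The `rules=[]` case shows why the whitelist on its own would open the site to everyone.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed model of the post's setup (hypothetical names, not SonicWall's
# real configuration format): a CFS whitelist plus group-aware firewall rules.
CATEGORY_DB = {"youtube.com": "streaming", "vimeo.com": "streaming",
               "example.org": "reference"}          # constructed category lookup
CFS_BLOCKED_CATEGORIES = {"streaming"}               # the default CFS policy
CFS_WHITELIST = {"youtube.com"}                      # excluded from ALL CFS policies

@dataclass(frozen=True)
class FirewallRule:
    host: str
    groups: frozenset   # empty = matches every user, identified or not
    action: str         # "allow" or "deny"

# Ordered, first match wins: allow the AD group, then deny everyone else.
FIREWALL_RULES = [
    FirewallRule("youtube.com", frozenset({"Media-Team"}), "allow"),
    FirewallRule("youtube.com", frozenset(), "deny"),
]

def firewall_decision(host, groups, rules):
    """Firewall rules are evaluated before CFS; None means no rule matched."""
    for rule in rules:
        if rule.host == host and (not rule.groups or rule.groups & groups):
            return rule.action
    return None

def cfs_decision(host):
    """Default CFS policy: the whitelist wins, then category blocks apply."""
    if host in CFS_WHITELIST:
        return "allow"
    if CATEGORY_DB.get(host) in CFS_BLOCKED_CATEGORIES:
        return "deny"
    return "allow"

def check_access(url, groups=frozenset(), sso_agent_up=True, rules=FIREWALL_RULES):
    """Return 'allow' or 'deny' for a user holding the given AD groups.
    With the SSO agent down the user is unidentified (no groups), which is the
    post's chosen fallback to the default policy rather than failing open."""
    host = urlsplit(url).hostname or url
    effective = frozenset(groups) if sso_agent_up else frozenset()
    decision = firewall_decision(host, effective, rules)
    return decision if decision is not None else cfs_decision(host)
```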
CindyK
06.25.2008 2:45 pm
Nice. I just ordered a SonicWall and after a recent meeting with my boss, that’s exactly the kind of access they want.
I appreciate the tip!
Mike Tupker
04.29.2009 6:15 pm
We are looking at getting either a sonicwall or a watchguard. If the SSO works as advertised I'm going to try to set up SSO for employees/domain-joined machines, and an AUP agree page for "guests".
So far I’m really liking what I see in the manual. Are there any other gotchas that I should worry about with the sonicwall…or the watchguard if you are familiar with it?
rafael araya
05.18.2009 3:06 pm
I have followed your suggestion; however, I was wondering what kind of service you select for the firewall rule to allow the traffic, say to youtube.com, for those specific users in the group? Any comments would be greatly appreciated. Thanks.