
Visit our website: www.itclatam.com

INTEGRATION OF LDAP GROUPS OR LOCAL GROUPS AND CONTENT FILTERING WITHOUT SINGLE SIGN ON

DESCRIPTION

This article explains how to integrate the Premium Content Filtering Service with LDAP without using the Single Sign-On service. For the SonicWall to know which Content Filtering Policies to apply to a session, it either needs the Policy set by IP Address or a User authenticated against it. That User can be a Local User or an LDAP User; this article examines LDAP Users.

RESOLUTION

Step 1: Enabling HTTPS Login for LAN Interface

TIP: This step can be used for any Zone, not just the LAN. Make sure to Enable HTTPS Login for every Zone that you need Users to Authenticate from!

CAUTION: It is possible to follow this setup using HTTP, but this is highly insecure, not recommended, and thus not explicitly detailed in this article.

Log into the SonicWall and navigate to Network | Interfaces | LAN, then click the Configure button. Select HTTPS under User Login.

Step 2: Configuring LDAP on SonicWall (If You're Using Local Groups Only, Skip This Step)

For details on this process please follow: Integrating LDAP/Active Directory with SonicWall UTM Appliance

Step 3: Configuring the Local/LDAP Groups

Navigate to Users | Local Groups. From here you can either Import Groups from LDAP or create Local Groups which reside on the SonicWall.


Creating Local Groups

• Click Add Group and include a Name on the Settings Tab.
• On the Members Tab move Users or Groups from the left to the right.
• Click OK.

Importing LDAP Groups

• Click Import from LDAP and choose Import user groups from the LDAP directory.
• On the popup window select the Groups you'd like to Import from those available. You can select multiple Groups at once.
• Click Save Selected.

Step 4: Configuring Content Filter and Policies

• Navigate to Security Services | Content Filter, then click Configure for the Policy you'd like to edit.
• Select the User Group that this Policy should apply to. This can either be a Local Group or an LDAP Group.

CAUTION: While it is possible to nest Groups, this is not recommended. It is better to make a separate Policy for each Group, even if those Policies are identical to one another.


Step 5: Configuring Access Rule for the User Group

Now that we have our Groups either Imported or Created and applied to our CFS Policies, we need to create a way for Users to Authenticate against the SonicWall. Since we're not using Single Sign On, we will have to force Users to sign in to the SonicWall directly, which is why that option was Enabled in Step 1.

While Users can navigate to the SonicWall's IP Address manually and log in, this is a cumbersome solution. Instead it's possible to create an Access Rule which redirects Users to the SonicWall and forces them to Authenticate.

First, we need to create an Access Rule to allow DNS:

• Navigate to Firewall | Access Rules and select Add. In the From and To fields select the Zone that Traffic originates from and WAN, respectively.
• Fill in the rest of the Access Rule as shown below:

CAUTION: Ensure that this Access Rule is the #1 Priority under the Zone to Zone page; if other, more permissive Access Rules have a higher priority, then this configuration will not work.

• Click Add again and set the From and To Zones to be the same as they were in the previous Access Rule.
• Fill in the rest of the Access Rule as shown below (substitute your own Group for the one shown):


TIP: It's possible to create a Service Group that combines HTTP, HTTPS, and any other Services you'd like, and then use only one Access Rule. This is a recommended Best Practice.

CAUTION: Ensure that this Access Rule is the #2 Priority under the Zone to Zone page.

How to Test

From a Host on one of the Zones where you have set up both Content Filtering and the required Access Rules, try to access any website. The SonicWall should redirect the request and show a screen similar to the below image:

RESOLUTION FOR SonicOS 6.5 AND LATER

SonicOS 6.5 was released in September 2017. This release includes significant user interface changes and many new features that differ from SonicOS 6.2 and earlier firmware. The resolution below is for customers using SonicOS 6.5 and later firmware.

Step 1: Enabling HTTPS Login for LAN Interface

TIP: This step can be used for any Zone, not just the LAN. Make sure to Enable HTTPS Login for every Zone that you need Users to Authenticate from!

CAUTION: It is possible to follow this setup using HTTP, but this is highly insecure, not recommended, and thus not explicitly detailed in this article.

Log into the SonicWall and navigate to Manage | Network | Interfaces | LAN, then click the Configure button. Select HTTPS under User Login.


Step 2: Configuring LDAP on SonicWall (If You're Using Local Groups Only, Skip This Step)

For details on this process please follow: Integrating LDAP/Active Directory with SonicWall UTM Appliance

Step 3: Configuring the Local/LDAP Groups

• [For Local Groups] Navigate to Manage | Users | Local Groups. From here you can select Add and choose either Import Groups from LDAP or create Local Groups which reside on the SonicWall.
• [For LDAP Groups] Navigate to Manage | Users | Settings | Configure LDAP | Users & Groups and select Import User Groups.


Creating Local Groups

• Click Add and include a Name on the Settings Tab.
• On the Members Tab move Users or Groups from the left to the right.
• Click OK.

Importing LDAP Groups

• Click Import User Groups and choose Import User Groups from the LDAP directory. Choose an LDAP Server to Import from under Where to import from.
• Click OK.

Step 4: Configuring Content Filter and Policies

• Navigate to Manage | Security Services | Content Filter, then click Configure for the Policy you'd like to edit.


• Select the User Group that this Policy should apply to. This can either be a Local Group or an LDAP Group.

CAUTION: While it is possible to nest Groups, this is not recommended. It is better to make a separate Policy for each Group, even if those Policies are identical to one another.

Step 5: Configuring Access Rule for the User Group

Now that we have our Groups either Imported or Created and applied to our CFS Policies, we need to create a way for Users to Authenticate against the SonicWall. Since we're not using Single Sign On, we will have to force Users to sign in to the SonicWall directly, which is why that option was Enabled in Step 1.

While Users can navigate to the SonicWall's IP Address manually and log in, this is a cumbersome solution. Instead it's possible to create an Access Rule which redirects Users to the SonicWall and forces them to Authenticate.

First we need to create an Access Rule to allow DNS:

• Navigate to Manage | Rules | Access Rules and select Add. In the From and To fields select the Zone that Traffic originates from and WAN, respectively.
• Fill in the rest of the Access Rule as shown below:

CAUTION: Ensure that this Access Rule is the #1 Priority under the Zone to Zone page; if other, more permissive Access Rules have a higher priority, then this configuration will not work.

• Click Add again and set the From and To Zones to be the same as they were in the previous Access Rule.
• Fill in the rest of the Access Rule as shown below (substitute your own Group for the one shown):


TIP: It's possible to create a Service Group that combines HTTP, HTTPS, and any other Services you'd like, and then use only one Access Rule. This is a recommended Best Practice.

CAUTION: Ensure that this Access Rule is the #2 Priority under the Zone to Zone page.

How to Test

From a Host on one of the Zones where you have set up both Content Filtering and the required Access Rules, try to access any website. The SonicWall should redirect the request and prompt the User to log in.
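As an added example (not part of the original article or of SonicWall's own tooling), the following Python check automates the "How to Test" step above from a LAN host: it sends one plain-HTTP request without following redirects and classifies what comes back, flagging the two failure modes the article warns about (a login page served over HTTP, and a more permissive rule sitting above the authentication rule so that nothing is redirected). The firewall address 192.0.2.1, the login path and the test host are constructed placeholders.

```python
"""Verify that an unauthenticated web request is redirected to the firewall's HTTPS login."""
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


def classify_redirect(status, location, firewall_ip):
    """Classify the firewall's reply to a plain-HTTP request from an unauthenticated host.

    Returns one of:
      'ok'          redirected to https://<firewall_ip>/...  (expected result)
      'insecure'    redirected to the firewall over plain HTTP; credentials
                    would cross the LAN in cleartext (HTTPS Login not enabled)
      'elsewhere'   redirected to some host other than the firewall
      'no-redirect' request was not intercepted; check that the rule requiring
                    authentication is above any more permissive rule on the
                    Zone to Zone page
    """
    if status not in REDIRECT_CODES or not location:
        return "no-redirect"
    target = urlsplit(location)
    if target.hostname != firewall_ip:
        return "elsewhere"
    return "ok" if target.scheme == "https" else "insecure"


def probe(test_host, firewall_ip, timeout=5):
    """Send a single GET over port 80 (redirects are not followed) and classify the reply."""
    conn = http.client.HTTPConnection(test_host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": test_host})
        resp = conn.getresponse()
        return classify_redirect(resp.status, resp.getheader("Location"), firewall_ip)
    finally:
        conn.close()


# Constructed sample replies a LAN host might see (placeholder firewall IP and path).
FIREWALL_IP = "192.0.2.1"
SAMPLE_REPLIES = {
    "https-login": (302, "https://192.0.2.1/login"),   # HTTPS Login enabled
    "http-login": (302, "http://192.0.2.1/login"),     # login over HTTP: insecure
    "passed-through": (200, None),                    # rule ordering wrong
    "other-host": (302, "https://example.com/"),      # not the firewall
}


def run_samples():
    """Classify every constructed sample; useful for a quick offline self-check."""
    return {name: classify_redirect(s, loc, FIREWALL_IP) for name, (s, loc) in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:15} -> {verdict}")
```

To run it against a real firewall, call probe("example.com", "<firewall LAN IP>") from a host on the filtered Zone before that host has logged in.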

Calle 146 #7-64, Bogotá D.C. (Colombia)
+57 1 466 0599 / +57 315 786 8258


REV1.001