Visit our website: www.itclatam.com
INTEGRATION OF LDAP GROUPS OR LOCAL GROUPS AND CONTENT FILTERING WITHOUT SINGLE SIGN ON
DESCRIPTION
This article explains how to integrate the Premium Content Filtering Service with LDAP while not using the Single Sign-On service. For the SonicWall to know which Content Filtering Policies to apply to a session, it either needs to have the Policy set by IP Address or have a User authenticate against it. This can be a Local User or an LDAP User; in this article we'll be examining LDAP Users.
RESOLUTION
Step 1: Enabling HTTPS Login for LAN Interface
TIP: This step can be used for any Zone, not just the LAN. Make sure to Enable HTTPS Login for every Zone that you need Users to Authenticate from!
CAUTION: It is possible to follow this setup using HTTP, but this is highly insecure, not recommended, and thus not explicitly detailed in this article.
Log into the SonicWall and navigate to Network | Interfaces | LAN, then click the Configure button. Select HTTPS under User Login.
Step 2: Configuring LDAP on SonicWall (If You're Using Local Groups Only, Skip This Step)
For details on this process please follow: Integrating LDAP/Active Directory with SonicWall UTM Appliance
Step 3: Configuring the Local/LDAP Groups
Navigate to Users | Local Groups. From here you can either Import Groups from LDAP or create Local Groups which reside on the SonicWall.
Creating Local Groups
• Click Add Group and include a Name on the Settings Tab.
• On the Members Tab move Users or Groups from the left to the right.
• Click OK.
Importing LDAP Groups
• Click Import from LDAP and choose Import user groups from the LDAP directory.
• On the popup window select the Groups you'd like to Import from those available. You can select multiple Groups at once.
• Click Save Selected.
Step 4: Configuring Content Filter and Policies
• Navigate to Security Services | Content Filter, then click Configure for the Policy you'd like to edit.
• Select the User Group that this Policy should apply to. This can either be a Local Group or an LDAP Group.
CAUTION: While it is possible to nest Groups, this is not recommended. It is better to make multiple Policies, one for each Group, even if those Policies are identical to one another.
Step 5: Configuring Access Rule for the User Group
Now that we have our Groups either Imported or Created and also applied to our CFS Policies, we need to create a way for Users to Authenticate against the SonicWall. Since we're not using Single Sign-On, we will have to force Users to sign in to the SonicWall directly, which is why that option was Enabled in Step 1.
While Users can navigate to the SonicWall's IP Address manually and log in, this is a cumbersome solution. Instead, it's possible to create an Access Rule which redirects Users to the SonicWall and forces them to Authenticate.
First, we need to create an Access Rule to allow DNS:
• Navigate to Firewall | Access Rules and select Add. In the From and To fields select the Zone that Traffic originates from and WAN, respectively.
• Fill in the rest of the Access Rule as shown below:
CAUTION: Ensure that this Access Rule is the #1 Priority under the Zone to Zone page; if other, more permissive Access Rules have a higher priority, then this configuration will not work.
• Click Add again and set the From and To Zones to be the same as they were in the previous Access Rule.
• Fill in the rest of the Access Rule as shown below (substitute your own Group for the one shown):
TIP: It's possible to create a Service Group that combines HTTP, HTTPS, and any other Services you'd like, and then use only one Access Rule. This is a recommended Best Practice.
CAUTION: Ensure that this Access Rule is the #2 Priority under the Zone to Zone page.
How to Test
From a Host on one of the Zones where you have set up both Content Filtering and the required Access Rules, try to access any website. The SonicWall should redirect the request and show a screen similar to the below image:
RESOLUTION FOR SonicOS 6.5 AND LATER
SonicOS 6.5 was released September 2017. This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 and later firmware.
Step 1: Enabling HTTPS Login for LAN Interface
TIP: This step can be used for any Zone, not just the LAN. Make sure to Enable HTTPS Login for every Zone that you need Users to Authenticate from!
CAUTION: It is possible to follow this setup using HTTP, but this is highly insecure, not recommended, and thus not explicitly detailed in this article.
Log into the SonicWall and navigate to Manage | Network | Interfaces | LAN, then click the Configure button. Select HTTPS under User Login.
Step 2: Configuring LDAP on SonicWall (If You're Using Local Groups Only, Skip This Step)
For details on this process please follow: Integrating LDAP/Active Directory with SonicWall UTM Appliance
Step 3: Configuring the Local/LDAP Groups
• [For Local Groups] Navigate to Manage | Users | Local Groups. From here you can select Add and choose either Import Groups from LDAP or create Local Groups which reside on the SonicWall.
• [For LDAP Groups] Navigate to Manage | Users | Settings | Configure LDAP | Users & Groups and select Import User Groups.
Creating Local Groups
• Click Add and include a Name on the Settings Tab.
• On the Members Tab move Users or Groups from the left to the right.
• Click OK.
Importing LDAP Groups
• Click Import User Groups and choose Import User Groups from the LDAP directory. Choose an LDAP Server to Import from under Where to import from.
• Click OK.
Step 4: Configuring Content Filter and Policies
• Navigate to Manage | Security Services | Content Filter, then click Configure for the Policy you'd like to edit.
• Select the User Group that this Policy should apply to. This can either be a Local Group or an LDAP Group.
CAUTION: While it is possible to nest Groups, this is not recommended. It is better to make multiple Policies, one for each Group, even if those Policies are identical to one another.
Step 5: Configuring Access Rule for the User Group
Now that we have our Groups either Imported or Created and also applied to our CFS Policies, we need to create a way for Users to Authenticate against the SonicWall. Since we're not using Single Sign-On, we will have to force Users to sign in to the SonicWall directly, which is why that option was Enabled in Step 1.
While Users can navigate to the SonicWall's IP Address manually and log in, this is a cumbersome solution. Instead, it's possible to create an Access Rule which redirects Users to the SonicWall and forces them to Authenticate.
First, we need to create an Access Rule to allow DNS:
• Navigate to Manage | Rules | Access Rules and select Add. In the From and To fields select the Zone that Traffic originates from and WAN, respectively.
• Fill in the rest of the Access Rule as shown below:
CAUTION: Ensure that this Access Rule is the #1 Priority under the Zone to Zone page; if other, more permissive Access Rules have a higher priority, then this configuration will not work.
• Click Add again and set the From and To Zones to be the same as they were in the previous Access Rule.
• Fill in the rest of the Access Rule as shown below (substitute your own Group for the one shown):
TIP: It's possible to create a Service Group that combines HTTP, HTTPS, and any other Services you'd like, and then use only one Access Rule. This is a recommended Best Practice.
CAUTION: Ensure that this Access Rule is the #2 Priority under the Zone to Zone page.
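The two CAUTION notes in Step 5 (in both the SonicOS 6.2 and 6.5 sections) come down to first-match rule evaluation: the firewall walks the Zone to Zone rules in priority order and the first rule that matches decides, so a more permissive rule placed above the user-restricted web rule answers the session before the login redirect can ever happen. The following is an added example written for this article, not SonicWall code or configuration export. It models that ordering with simplified rules. The Zone names LAN/WAN, the Group name CFS-Students, the pre-existing "LAN to WAN any" rule, and the rule that an unauthenticated web session reaching a user-restricted rule is redirected to the login page are all assumptions made for illustration; the real appliance has many more rule fields than shown here.

```python
# Added example (not SonicWall code): a first-match model of the two Step 5 Access Rules,
# used to show why their priority order matters. Zone, service and group names are assumed.
from dataclasses import dataclass
from typing import Optional, Tuple, List


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    services: frozenset                   # service names; {"ANY"} matches every service
    action: str                           # "ALLOW" or "DENY"
    users_allowed: Optional[str] = None   # group a user must belong to; None = no user restriction


@dataclass
class Session:
    from_zone: str
    to_zone: str
    service: str
    user_groups: frozenset = frozenset()  # empty = the user has not logged in to the firewall


WEB = frozenset({"HTTP", "HTTPS"})        # the Service Group the TIP recommends creating


def evaluate(rules: List[Rule], s: Session) -> Tuple[str, str]:
    """Walk the rules in priority order; the first match decides. Returns (verdict, rule name).

    Simplifying assumption: a web session from a user who is not logged in that reaches a
    user-restricted rule is answered with a redirect to the firewall login page."""
    for r in rules:
        if (r.from_zone, r.to_zone) != (s.from_zone, s.to_zone):
            continue
        if "ANY" not in r.services and s.service not in r.services:
            continue
        if r.users_allowed is None or r.users_allowed in s.user_groups:
            return r.action, r.name
        if s.service in WEB and not s.user_groups:
            return "REDIRECT_TO_LOGIN", r.name
        # logged in but not in the required group: this rule does not apply, keep walking
    return "DENY", "implicit deny"


# Priority #1: the DNS rule, so name resolution works before the user has logged in.
DNS_RULE = Rule("allow DNS", "LAN", "WAN", frozenset({"DNS"}), "ALLOW")
# Priority #2: web traffic restricted to the group the CFS Policy applies to (assumed name).
WEB_RULE = Rule("web for CFS group", "LAN", "WAN", WEB, "ALLOW", users_allowed="CFS-Students")
# A pre-existing permissive rule, assumed for illustration; the kind the CAUTION warns about.
ANY_RULE = Rule("LAN to WAN any", "LAN", "WAN", frozenset({"ANY"}), "ALLOW")


def correct_order() -> List[Rule]:
    """DNS at #1, the user-restricted web rule at #2, the permissive rule below them."""
    return [DNS_RULE, WEB_RULE, ANY_RULE]


def wrong_order() -> List[Rule]:
    """The permissive rule above the user-restricted rule: it shadows the login redirect."""
    return [ANY_RULE, DNS_RULE, WEB_RULE]


def walkthrough(rules: List[Rule]) -> dict:
    """Run three representative sessions (constructed) against a rule set."""
    anon_dns = Session("LAN", "WAN", "DNS")
    anon_http = Session("LAN", "WAN", "HTTP")
    member_http = Session("LAN", "WAN", "HTTP", frozenset({"CFS-Students"}))
    return {
        "dns_unauthenticated": evaluate(rules, anon_dns)[0],
        "http_unauthenticated": evaluate(rules, anon_http)[0],
        "http_group_member": evaluate(rules, member_http)[0],
    }


if __name__ == "__main__":
    for label, rules in (("correct", correct_order()), ("misordered", wrong_order())):
        print(label, walkthrough(rules))
```

With the rules in the order the article prescribes, an unauthenticated browser session is met by the redirect and a logged-in group member is allowed through, which is what the How to Test section expects to see. With the permissive rule on top, the same unauthenticated session is simply allowed, the user is never asked to log in, and the per-group CFS Policy has no user to match against.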
How to Test
From a Host on one of the Zones where you have set up both Content Filtering and the required Access Rules, try to access any website. The SonicWall should redirect the request and prompt the User to log in.
Calle 146 #7-64
Bogotá D.C. (Colombia)
+57 1 466 0599
+57 315 786 8258
REV1.001