SA520 Web filter per user?

Is there a way in the SA520 to enable HTTP filtering per user or per group? I simply want to add an "executives" group that does not get blocked out as much as normal users.

Hi John,
If you use the standard Content Filtering of your SA520, then you cannot segregate client access. Either all clients are blocked or all are allowed.
If you buy a license for ProtectLink Gateway, then you are able to block a group of users from viewing certain sites, while predefining a list of clients that will have access to the sites in question, in this case your Executive Group. However, they will have access to all sites. Clients will either be blocked or allowed to visit sites that are to be filtered.
Cheers,
Julio

Similar Messages

  • ASA5515X - WSE,AVC and IPS - Application block per user

    Can I enable web application blocking based on user or group of users with a WSE license, or do I need another type of license?
    Thanks,
    Ivan

    WSE is always packaged, at a minimum, with AVC. That combination on an ASA is all the licensing you need to block web applications per user. You will of course need to implement a scheme to identify your users in order to use their identity in a policy. That can be via local database (seldom used as it doesn't scale well) or via integration with your Microsoft AD infrastructure (via active authentication or optionally using the free Context Directory Agent (CDA) server running on a VM in your environment) or via something like the Identity Services Engine (ISE - a licensed product).

  • How to get user 'logged in' to ironport web filter without launching IE

    We have an issue with some employees who use third party programs that traverse the Internet.  These programs are 100% allowed by the organization as they are required for day to day business.  Some programs go over the Internet to communicate for certain reasons, such as a live chat help support, or ordering products, etc..
    The problem is that some of these users log in and never even touch Internet Explorer for awhile.  They will go on and start working right away.  Well if they don't try to access an Internet site via IE, then the Ironport does not 'log them in', and they are known as unauthenticated.  Of course this doesn't happen with everyone.  There's nothing wrong with people coming in a little early and checking the local news online.
    We were thinking up if it's possible to have each user 'touch' the ironport web filter in some way during a logon script, unbeknown to the end user, so that they are 'signed in' and whatever Internet connected application they launch has access through to the Internet.  Right now they need to at least launch IE and go to some site (say Google or MSN) and via NTLM credentials transparently passed through IE7, 8 or 9, they can simply close the page and go about their business.  Note: they MUST go to an external site.... not an internally hosted one (such as our Intranet, time clock or HR self service pages).
    So are there any commands we can put in via kix or bat or something that will say "Hey Ironport, %username% just logged in at 10.x.x.x"?  Then maybe to make it more advanced, a logoff script that says "Hey Ironport, %username% just logged OFF of 10.x.x.x".  This way when our hourly timeout happens, they aren't immediately booted from their Internet applications (if they don't keep an IE window open that is).
    Right now our ASA Firewall uses WCCP to forward port 80 to the ironport web filter.  The Ironport is a transparent proxy.
    Thanks!

    So it looks like you are moving the authentication from the Ironport S160 to the ASA5500 series firewall?
    I guess we are looking at something simpler, like a way to 'touch' the internet and pass NTLM credentials, because then the Ironport knows who the user is.
    If the user does not 'touch' the internet with IE, and say they use some other program that does not pass NTLM credentials (say Firefox or live chat program, or an ftp program, etc...) They are likely to be blocked, because the Ironport doesn't know who they are.
    Your link seems to lead to a complicated setup for something that seems so simple.  I'm not sure how that relates to an Ironport S160.. it seems to focus on the ASA5500. Also we want it to be completely 100% transparent to the end user.
    This is how it worked with a Barracuda web filter appliance...
    A DCAgent program sat on each domain controller. As users logged in or out of the domain, this agent passed this current activity to the Barracuda web filter appliance.
    The Barracuda appliance knew exactly who was logged in because of this little program on the domain controller(s) that kept it updated. Based on this, policies could be assigned based on Active Directory group memberships. ie) HR and Marketing can access Facebook, while others cannot.
    I guess I'm looking for similar functionality with the Ironport S160. If there's any way the domain controller, or even the client PC can say "Hey Ironport, %username% is logged on here at %ip_address%". That way the Ironport would know who they are, and there would be no unnecessary authentication boxes (besides the user logging into the windows domain). They could use internet connected apps that do not pass NTLM authentication. I guess the client PC or the domain controller would also have to tell the IronPort when they signed off, just so we don't have to deal with authentication timeouts. This way, say they are in our internet chat help program... after an hour, it will cut out and disconnect them - because the IronPort forgets who they are (unless they are actively using the internet with IE).
    So for now, we just use the bypass option for the affected internet services. The default browser is IE, so the reality is that we are not suffering any tremendous inconvenience. It's just that we want to ensure we have the best robust solution, and we can handle these types of situations with programs other than IE accessing internet resources.

  • VPN filter per remote access user (via ACS)?

    Hello everyone,
    I'm deploying IPSec Remote Access VPN for my company. I have Cisco ASA 5540 (8.0.4) and Cisco Secure ACS. I have successfully configured the system with authentication by ACS.
    The question is, I want to apply filter policy for per user. I know that there's a method called vpn-filter. If I use local authentication, I can apply ACL to user attribute.
    eg.
    access-list 103 extended permit tcp 10.1.49.2 255.255.255.0 host 10.1.1.10 eq 3389
    username testvpn attributes
    vpn-filter value 103
    But users are configured on ACS, so how can I apply vpn-filter policy to the user? I don't really want to apply vpn-filter to group-policy.
    Please help me to find a method. Thank you very much.
    Regards,
    Hiep Nguyen.

    Hi,
    I think this is what you are looking for
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a9eddc.shtml
    You will need to setup the IETF like this
    filter-id=acl_name
    There is a good example right there (better than mine) let me know how it goes.
    Mike

  • Per-user web directory on nss volume

    Is possible to use directories in nss volume as per-user web directory for apache virtual hosts ?
    How I set permission for it ?
    Vogl Lubomir

    vogl,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • How to separate application module instance per user session?

    Hi.
    How do you separate application module instances per session or per user? I am creating a web application and have created a simple filter that implements Filter.
    Thanks in advance.

    Hi Frank. Thank you for the reply.
    I tried using two browsers. The behavior of each page is very much different when being opened individually. It's like the two pages are sharing the same iterator / data and / or entity object. These two pages were opened to see if one is dependent upon the other. But when I test the same scenario on a different computer, everything works out fine.
    Is there a way for me to verify if the sessions are different? And if they are different, is there a way to verify if the application module created a new instance for the other session?

  • ISE 1.2 & AD & Meraki - Per User Group Policy ?

    I am working on a PoC for a deployment in an MDU. We are using Meraki switches and access points. There are 250 units in the building, each unit will have its own subnet. The goal is to have the tenant be able to connect to a common building SSID and be placed into their assigned VLAN. There will also be physical ports in each unit that will need to do the same. I am trying to figure out a way to use ISE to authorize on a per user basis and not based on groups of users. On the Meraki system there are group policies that will assign the VLAN for the user as well as any type of layer 7 firewalling and bandwidth control. So there will be 250 group policies, one for each unit. There is a deployment guide that shows how to setup ISE for use with Meraki and it is great but it assumes that there will be large groups like Employees, Contractors, etc. that will be used. This is where I'm being tripped up. Also, this is my first swing at a NAC deployment so I have a lot to learn.
    1. Can I setup each user in Active Directory to have a tag that ISE can then forward on to Meraki for the group policy? Say it's unit 101 and I have a group policy called 101 in Meraki, Meraki documentation says to use the Airespace-ACL-Name attribute in ISE to indicate the group policy to use. This gives me the ability to place a group into that policy but not an individual. Or would this be better done by creating the users in ISE directly? Omit AD entirely?
    2. Each unit will have devices that will need MAB because they are not 802.1x compatible. I need to do the same as above with them. I would create a separate SSID for these devices but then use the MAC address to authenticate them but will need to authorize them to go into a specific group policy.
    I know this isn't a typical ISE application but I think that this will work really well in the end, just need to iron out these details and get a test system functioning. Any help would be greatly appreciated!!!
    Thanks,
    Nathan

    Please find the Meraki_ISE integration doc. in attachment.
    When VLAN tagging is configured per user, multiple users can be associated to the same SSID, but their traffic is tagged with different VLAN IDs. This configuration is achieved by authenticating wireless devices or users against a customer-premise RADIUS server, which can return RADIUS attributes that convey the VLAN ID that should be assigned to a particular user's traffic.
    In order to perform per-user VLAN tagging, a RADIUS server must be used with one of the following settings:
    - MAC-based access control (no encryption)
    - WPA2-Enterprise with 802.1x authentication
    A per-user VLAN tag can be applied in 3 different ways:
    - The RADIUS server returns a Tunnel-Private-Group-ID attribute in the Access-Accept message, which specifies the VLAN ID that should be applied to the wireless user. This VLAN ID could override whatever may be configured in the MCC (which could be no VLAN tagging, or a per-SSID VLAN tag). To have this VLAN ID take effect, "RADIUS override" must be set to "RADIUS response can override VLAN tag" under the Configure tab on the Access Control page in the "VLAN setup" section.
    - The RADIUS server returns a group policy attribute (e.g., Filter-ID) in the Access-Accept message. The group policy attribute specifies a group policy that should be applied to the wireless user, overriding the policy configured on the SSID itself. If the group policy includes a VLAN ID, the group policy's VLAN ID will be applied to the user.
    - On the Client Details page, a client can be manually assigned a group policy. If the group policy includes a VLAN ID, the group policy's VLAN ID will be applied to the user.

  • Clustered WL 6.1 creates 2 server sessions per user

    It appears that WL 6.1 creates 2 HTTP sessions per user for a simple JSP object.
    It shows in "ADmin Console/mydomain> DefaultWebApp> Web Applications> DefaultWebApp> Servlet Runtimes":
    1 /count.jsp
    1 /*.jsp
    In a non-clustered environment this does not happen.
    Is that normal?

    I found the problem myself. For some reason WL did not like any special characters in the system password. I am not sure which ones are valid and which are not but I am avoiding them all right now.

  • Antispam solution with per-user settings for JES4 ?

    Hi,
    We are currently installing JES4 for one of our clients. One of their questions is if there is software that can integrate with JES4 and that allows end-users to tweak their own anti-spam settings, f.ex. let them decide what is spam or not and how to treat it.
    Ideally, it would mean a new tab in the webclient, so that they can specify their own settings as to what they consider to be antispam.
    I don't know of any such tool, that's why i am asking here.
    I know that brightmail can interface with jes, but as far as I can see, it's just a global filter without user-specific settings.
    For the moment we are using spamassassin on our mail relays, which works quite well, but offers in our case no user-specific configuration.
    Any ideas ?
    I guess we might just as well tag the probable spam, and let them setup custom SIEVE rules to treat these messages, but I don't think this will be very flexible?
    I'll be thankful for any input.
    regards,
    Tom.

    We currently use a tool called PureMessage.
    It's a mail filter that sits at our gateway and filters inbound and outbound. The latest version uses LDAP userid and password for authentication into a personal "spam control" where the end-user can set up white/black lists etc. It doesn't integrate with the client, but there are certainly some user configs.
    The app will work directly with JES4 (we use sendmail for SMTP traffic so I have not done the integration).
    As for a tab in comms express. I would imagine you could customize the comms express to include a tab for the end-user web interface. But there's nothing I know of out of the box to do so.

  • Uploading a text file from webi filter area as part of the query condition

    Post Author: balasura
    CA Forum: Publishing
    Requirement: Uploading a text file from webi filter area as part of the query condition
    Hi, I am in a serious requirement which I am not sure is available in BO XI. Can someone help me plz. I am using BO XI R2, webi. I am generating an ad-hoc report. When I want to give a filter condition for a report, the condition should be uploaded from a .txt file. In the current scenario we have LOV, but LOV could hold only a small number of values. My requirement is just like a LOV, but the list of values will be available in a text file (which could number 2000 or 2500 rows). I would like to upload these 2500 values in the form of a flat text file to make a query and generate a report. Is it possible in BO XI?
    For example:
    Select * from Shipment Where “Shipment id = ‘SC4539’ or Shipment id = ‘SC4598’”
    The “where” condition (filter) which has the shipment id will be available in a text file, and it needs to be loaded in the form of a .txt file so that it will be part of the filter condition. Content of the .txt file could be this:
    shipment.txt
    ===============
    SC4539
    sc2034
    SC2343
    SC3892
    . . . . etc up to 2500 shipment Ids
    I will be very glad if someone could provide me a solution. Thanks in advance. - Bala

    Hi Ron,
       This User does not have the access to Tcode ST01.
       The user executed Tcode SU53 immediately following the authorization failure to see the authorization objects. The 'Authorization obj' is blank and under the Description it has 'The last Authorization check was successful' with green tick mark.
      Any further suggestions, PLEASE.
    Thanks.

  • Permit only one access per user on guest portal Cisco ISE

    Hi,
    Could you please help me to figure out if it's possible to create a guest account on Cisco ISE which permits only one concurrent access?
    We don't want to have multiple devices registering with the same account, just one different account for each device.
    Thanks,

    Hi Gino,
    You can restrict guests to having only one device connected to the network at a time. When guests attempt to connect with a second device, the currently-connected device is automatically disconnected from the network.
    This is a global setting affecting all Guest portals.
    Step 1 Choose Administration > Web Portal Management > Settings > Guest > Portal Policy.
    Step 2 Check the Allow only one guest session per user option.
    Step 3 Click Save.

  • Render page as per User language after login

    Hello,
    I am using Jdev 11.1.1.6 with ADFBC and Faces.
    In our application, user can set default language. It is expected that after login, all contents should be displayed as per user language locale (assuming locale is supported and locale specific resource bundle exists).
    So there is SignInPage and HomePage. I need to access the DB (using methodAction binding for a AM method, that reads the user preference and returns the language) before forwarding to HomePage.
    Code to forward to HomePage is something like this:
    FacesContext ctx = FacesContext.getCurrentInstance();
    RequestDispatcher dispatcher =
    request.getRequestDispatcher(forwardUrl);
    dispatcher.forward(request, response);
    ctx.responseComplete();
    End User locale handling is done by defining ViewHandler class in faces-config file. Implementation is explained here
    Problems faced:
    1) I tried to execute the operation binding but got null pointer...in FacesCtrlActionBinding._execute(FacesCtrlActionBinding.java:252)
    2) I tried to redirect using external.encodeActionURL(actionURL) but got illegalStateException...Response is already committed
    It works fine if user after login either just press F5 to refresh the page OR reset the language again using the preference screen.
    How do I get it to work at login? Where can I tap-in the methodAction call between SignInPage and HomePage, so that HomePage is rendered according to language?
    Any help/pointer is highly appreciated.
    Thanks,
    Jai

    Hi,
    1) I tried to execute the operation binding but got null pointer...in FacesCtrlActionBinding._execute(FacesCtrlActionBinding.java:252)
    If you mean ADF operation binding then this only is available if a request is routed through the binding filter. Note that the PageDef file for a page needs to be parsed before the content becomes available as an object at runtime.
    2) I tried to redirect using external.encodeActionURL(actionURL) but got illegalStateException...Response is already committed
    Why don't you use facesContext --> externalContext --> redirect(...) to perform the redirect? The dispatcher.forward() surely doesn't do this.
    3) How do I get it to work at login? Where can I tap-in the methodAction call between SignInPage and HomePage, so that HomePage is rendered according to language?
    Programmatic authentication as explained in the Fusion Developer Guide (chapter 30 if I recall correctly) would give you a chance to set the language. However, the language is not set on the ViewObject but should be set on JSF by changing the default language, e.g.
    FacesContext.getCurrentInstance().getViewRoot().setLocale(Locale.ENGLISH);
    Frank

  • SSAS Cube data display platforms (including per user permissions support)

    Hi,
    I've developed an SSAS cube for a small sales company. The company does not want to invest on sharepoint. They need to display cube data for each sales agent filtering his own records.  
    Excel and SSRS can display cube data but can they filter their data per user using the username in customdata? Can they connect with certain roles?
    Creating a .net application may also be a solution although it should take much time and effort for creation.
    What other options are there to display and work with SSAS cube data?
    What's preferable?
    Thanks
    Namnami

    Hi,
    I didn't understand your above sentence: "there is only one hop and Kerberos is not required".
    What did you mean?
    I don't think roles is a good option for us, we have around 20 salesmen and they keep on changing.
    The cube currently displays in Performance Point by using CustomData and that works great.
    But we want the users to consume it via Excel, I just didn't understand clearly if username can be used safely without setting Kerberos.
    Appreciate your advice!
    Namnami
    *** Update - I understand now, one hop meaning Excel connects directly to the cube does not require Kerberos and can use username(). Any example for two hops? Thanks a lot, your advice really helped!

  • Symantec web filter cloud server with wccp

    Hi All,
    My web filter is now from Symantec cloud, for which I created a VM with Windows 2008 R2 and installed the client site proxy. So all users are now using proxy settings pointing at that local server IP with port 3128.
    Is it possible to make that server connect to WCCP on a Cisco ASA 5515X? It's annoying to have proxy settings, especially on smart phones. I don't know if Symantec has a Linux CSP version; maybe WCCP will work fine with a Linux server.
    Thanks and more power.

    Hello Phillipe,
    Yes, You nail it down.
    With this Setup the asa is going to generate a Router ID and Just like OSPF is going to use the higher Ip . In this scenarios should use the interface where the Iron port is. But sometimes the higher is the outside interface ( public one) so we are going to have an issue and there is no solution . The Iron Ports servers can handle this. Other than those ones cannot.
    Just like OSPF is going to use the higher Ip as the Router Identifier so when he SENDS the packets to the server is going to send it with the wrong ip
    Regards

  • BB Internet Browser traffic flowing thru company web filter

    I have a BES server, with all users on corporate email.
    When using the BB handset to access a website, some users are blocked
    from certain sites by the corporate web filter.  Others are not.
    I did not know any BB Handset internet traffic was routed thru the
    corporate internet network.  What determines this?  Why are some
    going thru the filter, while others do not?
    Thanks for the help.

    While they are on your corporate BES, all traffic that is through the blackberry browser goes through the BES. On the blackberry, you can change the browser to the device browser or another one of your choosing, but the blackberry browser is for internal usage. Just have the user use a different web browser on his blackberry if he really wants to get around it.
    If someone helped you give them kudos. Research all info!
