SonicWALL CFS, SSO and App Rules - Use custom groups
Setting up CFS is fairly straightforward, and setting up SSO is fairly straightforward. So is setting CFS to use App Rules.
After some back and forth trying to set up App Rules so that the 'Domain Users' LDAP group has Restricted Internet access (with problem categories blocked) and 'Domain Admins' LDAP users have Unrestricted Internet access, I have come to the realization that SSO and CFS do not like the Domain Users and Domain Admins groups.
As soon as I set up custom Security Groups 'Internet Access - Restricted' and 'Internet Access - Unrestricted', everything worked as expected.
I troubleshot everything from DNS to NetAPI and WMI, to service accounts running on the PCs, and it looks like the resolution was to use custom LDAP groups instead of the built-in 'Domain Users' and 'Domain Admins', which makes sense as it also gives more control.
If anyone is interested, let me know and I'll post a how-to and screenshots for setting up LDAP, SSO and CFS with App Rules.
To break things down:
CFS = Content Filtering Service
SSO = Single Sign On
LDAP = Lightweight Directory Access Protocol
The advantage of using App Rules for CFS instead of User and Zone is that rules become more customizable based on time and IP ranges.
UPDATE: SonicWALL came back after replicating this in their lab and confirmed expected behaviour when using Domain Users and Domain Admins.
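As an added illustration of the custom-group approach described above (this is not code from the original post or from SonicWALL), the following PowerShell creates the two custom security groups on the domain controller side and then shows what an LDAP-based group lookup actually sees for a user. The OU path, user names and group membership are placeholders. The verification step relies on the fact that a user's primary group (Domain Users by default, RID 513) is recorded in primaryGroupID rather than in memberOf, so a lookup that only reads memberOf will never see 'Domain Users', whereas the custom groups do appear there.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$GroupOU = 'OU=Groups,DC=example,DC=local'   # placeholder OU, adjust for your domain
$Groups  = @('Internet Access - Restricted', 'Internet Access - Unrestricted')

# Create the custom security groups the post settled on, if they do not exist yet.
foreach ($name in $Groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
            -Path $GroupOU -Description 'Group used by SonicWALL SSO/CFS App Rules'
    }
}

# Placeholder membership: an ordinary user is restricted, an admin account is not.
Add-ADGroupMember -Identity 'Internet Access - Restricted'   -Members 'jdoe'
Add-ADGroupMember -Identity 'Internet Access - Unrestricted' -Members 'admin.jdoe'

# Show what a memberOf-based lookup (what an LDAP group match typically reads) returns.
# The primary group is held in primaryGroupID and is NOT listed in memberOf, so a rule
# keyed on 'Domain Users' cannot match that way; the custom groups are visible.
function Test-CfsGroupVisibility {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties memberOf, primaryGroupID
    $memberOf = @($u.memberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
    [pscustomobject]@{
        User              = $SamAccountName
        PrimaryGroupRID   = $u.primaryGroupID                  # 513 = Domain Users
        DomainUsersInMemberOf = $memberOf -contains 'Domain Users'   # normally False
        RestrictedMatch   = $memberOf -contains 'Internet Access - Restricted'
        UnrestrictedMatch = $memberOf -contains 'Internet Access - Unrestricted'
        MemberOf          = $memberOf
    }
}

Test-CfsGroupVisibility -SamAccountName 'jdoe'
Test-CfsGroupVisibility -SamAccountName 'admin.jdoe'
```

Run the check against a user who still lands on the DEFAULT policy; if the custom group is missing from MemberOf, the firewall has nothing to match regardless of how the App Rule is written.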
mC - I am interested in some screenshots. Thank you.
I am also interested in some screenshots of how you got this working.
I can browse LDAP and have imported custom groups similar to yours, but the policy applied to them by the App Rules/CFS just doesn't seem to apply; it always goes to DEFAULT.