Ignore accounting for certain websites


Postby sbrady » Jun 05 06 10:59 pm

I have users set to 1 hour access per day, but would like access to certain
websites ignored. Is this possible?
sbrady
 
Posts: 3
Joined: Jun 05 06 10:10 pm
Location: sheffield

Postby Pascal » Jun 08 06 11:20 am

It would be possible through a clever setup of policies. What you effectively want to do is create a blanket policy that restricts them to one hour per day. Then set up a web-specific policy that grants access to those sites. That should do it.
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

Postby sbrady » Jun 08 06 10:31 pm

Thanks,

I think that's what I have at the moment, but the problem is the websites that I want to grant access to 24/7 are also included in the time that is connected to the web. I want to allow 1 hour access to any other site and 24/7 access to certain sites.

e.g.

An employee spends 1 hour on a site that they are allowed 24/7 access to and then cannot access any other site. I think somehow I would need to
ignore the time online for sites that have 24/7 access.

Hope this makes sense.

Thanks

Sean
sbrady
 
Posts: 3
Joined: Jun 05 06 10:10 pm
Location: sheffield

Postby Pascal » Jun 09 06 7:32 am

Can you email me your policies? You can export the registry from Advanced Options in GateKeeper or Advanced Options on the Start Menu. I'll have a look through them.

WinGate's policies are permissive - so if one policy restricts access based on time, but another allows full access to certain sites then the user *should* get access.
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

Postby ChrisH » Jun 09 06 1:19 pm

The only way I can see to do this is to set up another user who has a white list of available sites through a WWW policy and set up the regular users in a group that is blacklisted from those sites. In order to access those sites the users would have to log in to WinGate as the whitelist user. This way they get around accounting of the whitelisted sites onto their regular user accounts. However, this could be cumbersome to users having to log in and out, and potentially a pain in the a** to you to maintain a white and black list. What you are wanting to do sounds like it might be a feature request to the Qbik team.
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada

Postby Pascal » Jun 09 06 1:43 pm

WWW Proxy Policies:
User: Everyone
Filter1 -> Criterion1 -> HTTP URL Contains "qbik"
Filter2 -> Criterion1 -> User Seconds Online < 3600

Scheduler:
Event: Account Reset
Action: Reset All User Accounts
At: Daily, 23:59

That should allow access to any *qbik* sites 24/7, but restrict access to everything else to the 1 hour access per day restriction. Of course, you would need to have the users authenticated / assumed, otherwise you'll run into a problem with Guest running out of time fairly quickly. And, as always, the policy check is made on session creation - so there might be a small overlap.

I haven't tested yet, but putting the User:Seconds online timeout in the System Policies should work as well if the respective proxy policies are set to "May be used instead". You'd need to protect the RCS then with appropriate policies so you don't restrict yourself to an hour of GateKeeper a day!

Edit: Actually, yes. I see what the problem is now. The sites that have 24/7 access should not be included in the one hour per day access - that time is only for the rest of the web.

Chris is right, there's no way to do this at the moment. We are looking into policies, accounting, logging and the reporting aspects of things; so I'll flag this with the team as well.
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

Postby Pascal » Jun 09 06 1:50 pm

Actually, there might be a horribly ugly way to do it right now.

You'll need two web proxies set up in WinGate (port 80, port 81, for example).

One proxy (A) requires users to be assumed (HTTP Basic Auth) and has the restriction of User: Seconds Online < 3600. This proxy intercepts traffic so NAT / WGIC users are caught as well. It will need individual policies per user (or for their group, which does not contain Guest).

The other proxy (B) does not require authentication, but only allows access to the whitelist of sites. This one does not intercept at all. Access to it is through the Guest account.

On the client side, you tick the "Automatic discovery of proxy settings" tickbox in IE and then, on the WinGate server side, set up an appropriate .PAD / .PAC file to redirect any proxy requests to the white list sites at Proxy B while normal requests go to Proxy A.

Obviously though, this has some flaws. It messes up reporting and tracking of what your users visited. But it should get that type of scenario working.
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

Postby sbrady » Jun 09 06 9:34 pm

Thanks for the replies,

Have set up the second proxy but not sure how to set up the .Pad / .Pac file.

Thanks again

Sean
sbrady
 
Posts: 3
Joined: Jun 05 06 10:10 pm
Location: sheffield

Postby Pascal » Jun 09 06 9:46 pm

You can find more information here, here and here.
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand
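
A PAC file for the two-proxy setup described in this thread, as an added example that is not part of the original posts and is not Qbik's own code. The proxy host name `wingate.example.lan`, the assignment of Proxy A to port 80 and Proxy B to port 81, and the whitelist entries are assumptions. It matches on the host name by domain suffix rather than by substring, so a host such as `qbik.com.evil.example` is not treated as whitelisted.

```javascript
// Added example: proxy auto-config (PAC) file for the two-proxy setup.
// Assumed names: wingate.example.lan, ports 80/81, and the whitelist entries.
var PROXY_A = "PROXY wingate.example.lan:80"; // authenticated, time-limited
var PROXY_B = "PROXY wingate.example.lan:81"; // unauthenticated, whitelist only

// Sites that should not count against the one-hour allowance.
var WHITELIST = ["qbik.com", "intranet.example.lan"];

// True when host is the domain itself or a subdomain of it.
// A plain substring test would also match "qbik.com.evil.example".
function hostInDomain(host, domain) {
  host = host.toLowerCase().replace(/\.$/, ""); // drop trailing dot of an FQDN
  if (host === domain) return true;
  var suffix = "." + domain;
  // The length guard stops a short host from matching via -1 === -1.
  return host.length > suffix.length &&
         host.lastIndexOf(suffix) === host.length - suffix.length;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  for (var i = 0; i < WHITELIST.length; i++) {
    if (hostInDomain(host, WHITELIST[i])) return PROXY_B;
  }
  return PROXY_A;
}
```

The PAC file only steers the browser; the whitelist policy on Proxy B still has to be enforced in WinGate, because a client can be pointed at that port by hand.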

