by logan » Oct 09 07 9:02 am
This is a simple logic error that is causing your problem.
Think of the WWW Proxy Policies as a room and each policy in the Proxy as a door that leads to the world outside. In your case, there would be two doors: Group 1 and Group 2.
When the user tries to open a door, the policy of that door will be checked to see if the user is allowed out or not. The user can try any number of doors that he/she needs to in order to get out of the room. If the user fails to open the first door, then he/she will move to the next until the user either gets out, or finds that no door will open.
So in your example, when your user goes to Site1, the user tries door 1 (group 1) first and will find that the door won't open because of the ban list. Your user will then find that door 2 (group 2) doesn't have the site banned, so your user is able to get to site 1 via door 2.
The same goes for site 2. When your user navigates to site 2, they will try door 1 and find that they are allowed to get out through door 1, even though door 2 doesn't let them.
To solve this logic error, you simply need to change the way you think about group policies when you make them. For example, just making an extra policy will give you your desired result.
Policy1 - restrict user from ICQ
Policy2 - restrict user from sex.com
Policy3 - restrict user from ICQ "AND" sex.com
Also, make sure that the default rights for the WWW Proxy are set to "are ignored" to stop the user from using the System Policy doors if the user can't get out the policy specific doors.
The policy framework in WinGate 2007 has been completely overhauled to give you absolute control over the policy logic in addition to more advanced and more efficient policy decisions. This sort of logic error will be a thing of the past and how you make the policy decisions is how they will be carried out.
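
The door-by-door evaluation described above, as an added example that is not part of the original post and is not WinGate code: a simplified Python model in which a request succeeds if any policy covering the user permits it. The `Policy` class, the `is_allowed` function, the `system_policy` parameter and all user and site names are constructed for illustration.

```python
# Simplified model of the "room with doors" evaluation described in the post.
# Not WinGate code: Policy, is_allowed and all sample data are constructed.
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    members: set
    banned: set = field(default_factory=set)

    def opens_for(self, user, site):
        # A door opens if the policy covers the user and the site is not banned.
        return user in self.members and site not in self.banned


def is_allowed(user, site, policies, system_policy=None):
    """Return the name of the first policy (door) that lets the user out, else None.

    system_policy models the System Policy doors; passing None models
    default rights set to "are ignored".
    """
    doors = list(policies)
    if system_policy is not None:
        doors.append(system_policy)
    for door in doors:
        if door.opens_for(user, site):
            return door.name
    return None


# Constructed sample: alice is meant to be blocked from both sites.
BROKEN = [
    Policy("Group1", {"alice"}, {"site1.example"}),
    Policy("Group2", {"alice"}, {"site2.example"}),
]
# Fix from the post: one policy carries both bans, and alice is only in that one.
FIXED = [
    Policy("Policy1", {"bob"}, {"site1.example"}),
    Policy("Policy2", {"carol"}, {"site2.example"}),
    Policy("Policy3", {"alice"}, {"site1.example", "site2.example"}),
]
SYSTEM = Policy("System", {"alice", "bob", "carol"})  # permissive fallback door

if __name__ == "__main__":
    cases = [("broken", BROKEN, None), ("fixed", FIXED, None),
             ("fixed+system", FIXED, SYSTEM)]
    for label, pols, sysp in cases:
        for site in ("site1.example", "site2.example"):
            print(label, site, "->", is_allowed("alice", site, pols, sysp))
```

When auditing an existing rule set with a model like this, any request that returns a policy name the administrator did not expect points at a door that should carry the ban as well.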