Weird things with Web Filtering Policies WM4 (Full Version)

justme -> Weird things with Web Filtering Policies WM4 (9.Oct.2007 7:38:43 AM)

Hi,

I'm currently running a test of WM4 but I've run into something curious. When I create Web Filtering Policies, they only work for users, not for groups. I have created a Global security group which is not mail-enabled called gfitest and placed my test user in it. I have granted the gfitest group internet access in ISA Server 2004 SP3 and the user is allowed to go to the web. I have created a rule stating that the group DOMAIN\gfitest is not allowed to access pornography and websearch (just testing [:D]). If I let the user browse to www.playboy.com or www.google.com he is happily allowed through [:@]! If I remove the DOMAIN\gfitest group from the rule and put only the user DOMAIN\test in the rule he is blocked as he should be [&:]. I don't think this is the idea of the mechanism and I don't really feel like adding every user (about 150) separately in the rule.

I'm running the following specs: Windows Server 2003 R2 with SP2 and security updates installed, MS ISA Server 2004 Standard Edition with SP3 and GFI WebMonitor build number 20070817.

The server is installed as a member server with domain membership and ISA controls which users are allowed to browse the web. The client computer has the Firewall Client installed for ISA 2004. The services for WM 4 use a Domain account with full admin and logon as service privileges.

It is currently a test, but we might be interested in the product because the product we use is discontinued and we use some other GFI software to much satisfaction.




Juan Carlos -> RE: Weird things with Web Filtering Policies WM4 (10.Oct.2007 7:16:55 AM)

I have the same issue too.

Issue: Web Filter policies don't work properly when using groups.

For example, you can create a group with two users and allow them to see Sports or Pornography pages…

It doesn't work. The following message appears:

Access for 192.168.1.42 ISOFOTON Juan Carlos Calvo was denied by GFI WebMonitor for ISA Server.

Details:

Default Web Filtering Policy Blocked site category:pornography,nudity

But if you add the names of the users, it works fine. “Please check policy Groups”.




justme -> RE: Weird things with Web Filtering Policies WM4 (12.Oct.2007 5:36:51 AM)

Ok, I've found a fix for my problem. I have created a local group on the server running ISA2004 and WM4 (the server is a member server). Next I added the domain group internet access to the local group and configured a policy for the local group and all of a sudden the rule works just fine. Is this a "by design" feature or is this somewhat of an error? I would like to think that the rules should work for domain groups as well because it does so for domain users!

Does GFI have any idea what could be causing the problem?




enzob -> RE: Weird things with Web Filtering Policies WM4 (21.Oct.2007 7:05:30 PM)

Hi,
I'm having the same issue too, but I also have an issue with IP ranges (for example 192.168.0.1 - 192.168.0.100).
...




justme -> RE: Weird things with Web Filtering Policies WM4 (22.Oct.2007 2:13:00 AM)

I haven't tested the IP feature. In our case that would be too much to do since we are running several IP ranges. It does point out, however, that the web filtering policies feature is far from finished for the developers.




Patrizia -> RE: Weird things with Web Filtering Policies WM4 (22.Oct.2007 4:33:59 AM)

Hi,

Thanks to all for your feedback. We are currently investigating this issue further and will keep you informed.




bertiebassett -> RE: Weird things with Web Filtering Policies WM4 (19.Nov.2007 6:43:49 AM)

quote:

ORIGINAL: Patrizia

Hi,

Thanks to all for your feedback. We are currently investigating this issue further and will keep you informed.


Is there an update on this problem, as I have the same issue...




mikecel79 -> RE: Weird things with Web Filtering Policies WM4 (7.Dec.2007 8:37:31 AM)

I have just downloaded a trial of this and am having the same problem.  However from your post I think I know what the problem could be.  Are you starting the GFI WebMonitor service as a local user account?  If so it would only be able to read local user accounts and groups.  It would not be able to read users and groups from Active Directory. 

To me this is a bug since during the install it would not allow me to specify a domain user account to start the service.  Only a local user account.




mikecel79 -> RE: Weird things with Web Filtering Policies WM4 (7.Dec.2007 8:59:38 AM)

Well I switched the service to run as a domain account and that did not help.  It still will not use AD groups to do filtering.  If this product can't do AD groups then it's useless to me since I am not going to create more groups on the local machine.




sesel -> RE: Weird things with Web Filtering Policies WM4 (4.Jan.2008 2:52:11 AM)

Can anybody help me with WM4 dealing with the group policy stuff? For me it also doesn't work with a domain group, and I have tried with the local group also, with the same result.

To the guys at GFI: what can be done to fix the problem? Is there a patch for it that I can download? Let me know.





Patrizia -> RE: Weird things with Web Filtering Policies WM4 (7.Jan.2008 10:16:06 AM)

Hi all,

Thanks for your feedback.

This issue will be fixed in the next build of GFI WebMonitor.




WayneEx -> RE: Weird things with Web Filtering Policies WM4 (11.Jan.2008 11:39:24 AM)

Hi

I am rather disappointed with:
a. the new version - because as mentioned above the group functionality does not work
b. with the response - that it will be fixed in the new build

For me this is a critical issue. I have just sold Web Monitor to a client and am busy with the deployment of it and ISA 2006. Both will be replacing an existing solution and does not reflect well on GFI products (or me) when before the client is even using it we are having issues. We did our testing and pilot on the previous version not on WM4. I have now been struggling with the groups problem for the past two days when I found this post.

I have been unable to get the local groups fix to work - and thus now have to add each user to each policy (as far as I know you cannot multi-select in the WM console). This means I have to add 160 users to each policy - which takes three clicks - and I have to give the helpdesk (who create new users) access to the ISA box or GFI to add new users to the policy (which is a security risk).

I would appreciate a bit more help from GFI on this issue - perhaps a work-around on how to get the local groups to work (at least then I can multi-select) or a hotfix.

Also does this groups issue apply to the download policies as well or just the Web Filtering policies?

I also receive an error when adding a user to a second policy. Why is this? What if I want certain users to have access to certain sites during office hours and other sites after hours - thus two policies. Am I doing something wrong?

Any advice would be appreciated.

Regards
Wayne




N-Rico -> RE: Weird things with Web Filtering Policies WM4 (13.Feb.2008 9:07:18 AM)

We are planning to buy Webmonitor for use in our hosting environment. However we really need the AD groups to work! Is there any sight on when the new build will be released?

Or could Justme maybe explain how he/she got the local group work-around working? I only see domain groups listed in the console, no local groups.

Please advise :)

Kind regards,

Enrico Klein
ApplicationNet




jonboy -> RE: Weird things with Web Filtering Policies WM4 (15.Feb.2008 5:27:58 AM)

Thanks for the reply, any idea when the update is due out?



