Content Filtering rules and setup on Sonicwall NSA 2400

We are in process of switching over from ISA 2004 to Sonicwall NSA 2400.
As far as licensing is concerned we purchased everything but the Spam prevention as we already have something in place.
I`d like to find a proper way of setting up content filtering rules for a variety of User Groups on the NSA appliance. I was able to create a "Test" policy where I checked categories that I want blocked (Security Services -> Content Filter -> "SonicWALL CFS"->Configure -> Policy tab) then I went to Zones and verified that "TEST" policy was assigned to "LAN"
Unfortunately I can only assign one content filtering policy to LAN... This raises a question, if I plan to have 6 content policies, do I add the same "LAN” 6  times in the Zones and then assign the corresponding policy  to it? Doesn't sound right....
I’m not sure if  I am going the right way about it, can somebody explain in basic terms the easier way to go about it and perhaps some step by step instructions if possible ?
We did install SSO on one of the servers.

Thank you in advance.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Depending on how you want it setup,  you can apply policies to groups under Users->Local Groups then select configure on a groups of users and that policy will be enforced on those users.  I would set the policy for the LAN zone to default.

If you are using an Active Directory environment, you can select the "import from LDAP" button on the bottom of the Local Groups page to import security groups from LDAP into the local groups in the SonicWALL.  For instance, you can create a security group in Active Directory called "CFS - Restricted" and put AD users in the group that you want restricted then import that group into the SonicWALL via the Import from LDAP button and you can apply a CFS policy to that group.  Then, all users in that group will be content filtered.  

Also, for the import from LDAP to work, you have to go to Users->Settings and configure the "Authentication method for login:" for LDAP.

I hope this helps a little.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
You need to set LDAP on your SonicWALL to point to your active directory and be able to see the groups and individual users.

Then download Directory Connector from your account (Free Downloads) - install on as many servers as possible.  Note it doesn't have to be a server but a machine that is constantly reachable - I personally prefer servers.

On the SonicWALL set up SSO Agent (Single Sign On) so your users don't need to always authenticate with the SonicWALL.  UNLESS YOU HAVE A SINGLE POLICY THE SONICWALL NEEDS A USER TO AUTHENTICATE to know who he/she is etc.

SSO agent points to the directory connector(s) you have set up.

Make sure Windows firewall or another product is not running on individual machines - they will stop SSO agent from working properly.  Also set SSO agent to WMI (right click on the directory connector to do this)

Now you can add your users to Active Directory groups for internet access and ONLY THEN can you import them into your Local Groups from AD.  The above suggestion is the way to do it, but would only work if you had setup LDAP and SSO.

Set your DEFAULT policy to block EVERYTHING.  Everybody is a member of the default policy.

Set various other policies to allow only what you want that group to see.

SonicWALL work on the MOST PERMISSIVE basis.  A user can be a member of more than one group.

If Fred is in Group A and that allows Search Engines only, Daisy is in Group B that allows Social Media only and You are in Group A and B then you will see both Search Engines and Social Media.

Hope that helps.

These are good links - read and carry on from the bottom of the pages:

technomicAuthor Commented:
I apologize for a delay. I haven't had a chance to try both of the solutions, but I will definetely check them out as soon as I get around to it.
Thanks and I appreciate the help.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.