Solved

Sonicwall NSA 2400 Content Filtering for Groups issue

Posted on 2010-11-22
7
1,424 Views
Last Modified: 2012-05-10
Dear Experts,

We deployed Sonicwall NSA 2400 appliance in order to take advantage of Content Filtering per groups.
I`ve noticed that in order for CFS to work properly when SSO Agent checks which user is logged in to machine (Windows Firewall needs to be disabled). I applied a GPO to disable Windows Firewall. Sometimes GPO doesn't apply properly, so I have batch files that users can run in case GPO doesn't apply.
I have 3 groups for Content Filtering:
Full Access (most of categories allowed)
Regular Access
Limited Access

While Full Access is the group with the most rights, I still do not want this group to stream music or access youtube. Therefore I created the 4th Group- "Full Access w Streaming"
Default policy is the most restrictive so if SSo Agent can't verify the user name vs Group, then no websites are accessible.
The problem recently is that from time to time SSO agent can't determine the user logged in to the machine and therefore applies Default policy. I have SSo Agent running on two separate boxes....
I checked that Windows Firewall is disabled, also looked at Symantec logs (nothing found in SEP logs), verified that even IPv6 is disabled.
When I log in to the Sonicwall appliance and look at User Status, I see that form time to time Users are applied with "Default" policy and that other policies (which should be aplied to them, "Full Access" well, they somehow do not apply).
So far the work around that I found is to disconnect the User`s session directly from Sonicwall -> Users then have user log off and log back in. I'm not sure why this is happening, what else should I be looking for ?
Anyway to refresh the SSO Agent session without me having to login to the appliance and disconnect the user (sometimes logging the user off or restarting PC doesn't help, until I manually disconnect the user from Sonicwall). i understand that restarting the PC should take care of it, but somehow Sonicwall hangs on to it and even after restart the "Default" policy is still applied.
I spoke with Sonicwall as SSo Agent kept throughing in errors that relate to Windows Firewall being enabled, but that was the only solution that Sonicwall provided.... I know that Windows Firewall is disabled and Sonicwall are unable to offer anotehr solution or a workaround...

Any ideas are greatly appreciated...
0
Comment
Question by:technomic
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 34202321
i'm sure you've updated to the latest release of the sonicwall firmeware...what version are you at?
0
 
LVL 2

Author Comment

by:technomic
ID: 34204835
NSA 2400 has firmware ver. 5.5.2.1-5o
Directory Connector ver. 3.2.2

SOnicwall has a newer firmware update ver 5.6 it is an early release though. So, i guess if I don't find a better way to fix it, i will consider installing an early release firmware.
0
 
LVL 33

Accepted Solution

by:
digitap earned 500 total points
ID: 34205245
something i discovered this week that didn't know is "early release" does not mean beata release.  the early release means there is functionality within the firmware that hasn't been enabled, but they have relased fixes as part of the firmware as well.  everything has been tested.
0
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

 
LVL 2

Author Comment

by:technomic
ID: 34231385
in that case, I will give that a shot and see what happens. It maybe a couple of days before I can update the firmware....
0
 
LVL 2

Author Closing Comment

by:technomic
ID: 34292597
Unfortunately I'm yet to find an opening to do a firmware update, therefore I am closing the question for now and awarding the points...
0
 
LVL 33

Expert Comment

by:digitap
ID: 34292864
i appreciate that.  when you do the update, report back and let us know how it went.
0
 

Expert Comment

by:PaidToSki
ID: 37209923
I would like to add a comment to this.  I have extensively tested and successfully deployed the SSO capability in my environment.  I have an NSA 4500 running SonicOS Enhanced 5.6.0.11-61o.  I am using the SonicWall Directory Connector version 3.4.55.

For my Query Source, I use DC Security Logs & NETAPI.  In order to use DC logs, all you need to do is enable logging via your DC GPO for logon/logoff success/failure.

I made the mistake of using the "Probing" feature in the SSO setup on the SonicWall.  Don't use it, it will basically do more harm than good.

I don't disable the firewall on local workstations, but rather push a GPO that opens the UDP and TCP port numbers that the SSO agent communicates over (it's all in the documentation from SonciWall) and any other services you need to open.

I also have deployed (2) SSO Directory Connect servers for redundancy.  I have found in my environment with 190 Windows XP/7 workstation, DC Audit logs & NETAPI are the most accurate and reliable forms of LDAP authentication.
0

Featured Post

[Live Webinar] The Cloud Skills Gap

As Cloud technologies come of age, business leaders grapple with the impact it has on their team's skills and the gap associated with the use of a cloud platform.

Join experts from 451 Research and Concerto Cloud Services on July 27th where we will examine fact and fiction.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…
Suggested Courses

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question