SonicWall TZ215 Per User Content Filtering

I have a Sonicwall TZ215 (unlimited user, latest firmware) with the content filtering license. I cannot figure out how to setup PER USER content filtering. I am looking for a step by step guide how to enable per user content filtering.
My Goal: Users must either log into the SonicWall content filtering service via browser authentication or be authenticated via Active Directory/Username on the PC and then be able to access the Internet. But he will be restricted based on their group’s permissions.

Example 1: Joe is in sales, he sits down at his workstation and logs into the PC. HE opens the Internet to do a search for leads on craigslist and is allowed. Later on he tries to do some online banking, but is blocked because the sales department is not allowed to use online banking.

Example 2: Ray is in accounting; he logs into his workstation to access the Internet and goes to craigslist, but is blocked. Later that day he logs into the companies banking site and is permitted, because the account group is allowed to access banking.

Thank you for your help.
Robert AdvancedideaAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Blue Street TechLast KnightCommented:
Hi erocon,

Yes you can achieve your goal by either local user authentication or via SSO. I will provide details for both!

Local User & Group Authentication

0. Background

Local Users are users stored and managed on the security appliance’s local database. In the Users > Local Users page, you can view and manage all local users, add new local users, and edit existing local users. The SonicWALL security appliance provides a local database for storing user and group information. You can configure the SonicWALL to use this local database to authenticate users and control their access to the network. The local database is a good choice if the number of users accessing the network is relatively small.

Some items to keep in mind:
    • In order for the SonicWALL to differentiate between users, log in must be forced at the SonicWALL so that when users initially try to access the internet, they are redirected to a log in screen.  
    • In order to assign custom content filter polices to locally configured users based on group membership, the SonicWALL must have a premium content filter subscription and be running enhanced OS.

1. Configuring Content Filter Policies

   1) Log into the SonicWALL appliance and navigate to: Security Services > Content Filter > Click “Configure” on Content Filter Type “SonicWALL CFS”.

    2) Click on “Policy” > ”Add” in order to create a custom policy.

    3) Name the Policy accordingly; in this case I'm going to create a policy that allows access to everything except pornography, so the policies name is “Allow most Internet Access”.
    4) After naming the policy, click on “URL List” to choose the different categories that you wish to clock with this policy. As stated previously I'll be blocking only pornography with this policy, so only the pornography category should be checked.

    5) Click on the “settings” tab and configure these settings according to your specifications
          • Disable Allowed Domains - select this setting to disable the allowed domains that are listed on the Custom List tab in the SonicWALL Filter Properties window.
          • Enable Forbidden Domains - select this setting to enable forbidden domains that are listed on the Custom List tab in the SonicWALL Filter Properties window.
          • Enable Keyword Blocking - select this setting to enable keyword blocking for the URLs that are listed in the Keyword Blocking section on the Custom List tab in the SonicWALL Filter Properties window.
          • To configure the schedule for when Content Filtering is enforced, select the following:
               • Always on - When selected, Content Filtering is enforced at all times.
               • From / To - When selected, Content Filtering is enforced during the time and days specified. Enter the time period, in 24-hour format, and select the starting and ending day of the week that Content Filtering is enforced. The choices also include work hours and weekend hours.

    6) Click OK.

Now that a custom policy has been created, Local Groups and Local Users must be created so to assign the Custom Policy.

2. Creating Customer Groups & users

   1) In the SonicWALL Appliance, Navigate to: Users > Local Groups > Click on “Add Group”.

    2) Name the group accordingly, in this case since we will be applying the “Allow most internet policy”, I'll name the group “Allow most internet access”.

    3) Click on the “CFS Policy” tab and drop the “Policy” box down to the “Allow most internet access” policy.

    4) Click on “OK

    5) Navigate to: Users > Local Users and click on “Add User”.

    6) Create username accordingly and assign a password. *Note: You can set the password to be something temporary like “password” and check the box stating “User must change password”, so that when the user logs into the SonicWALL, the SonicWALL will ask them to change their password.

    7) Click on “Groups” and find the “Allow most internet access” group, highlight the group and then click on the “right” arrow which will move said group over to the “Member Of” section.

    8) Click on “OK

    9) We will now see the user “Fyodor” added to the “Local Users” section. Hovering over the CFS Policy bubble, we see that the “Allow most internet access” policy has been inherited from the “Allow most internet access” group. However we also see that the “Default” policy has also been inherited.

You need to keep in mind that because all users created are, by default, members of both the “Trusted Users” and “Everyone” group, and because both of these groups have the “Default” Content Filter applied to them by default, all custom users that are created will automatically have “Default” Content Filter Policy assigned to them. Because The SonicWALL Content filter works on a “least restrictive policy” format, the least restrictive policy that is assigned to a user will take effect. So if the default policy is the most restrictive, which it should be, the “Allow most internet access” policy will be the policy that takes effect on the user named “Fyodor

3. Configure ULA Settings

   1) Go to Network > Interfaces > LAN > Under General enable HTTPS under User Login.
    2) Go to Firewall > Access Rules > LAN > WAN and Click on “Add

    3) Configure the rule as followed:
          Action: Allow
          Service: HTTP
          Source: Any
          Destination: Any
          Users allowed: Trusted Users
          Schedule: Always on

By Specifying the “Trusted Users” group, you are forcing the SonicWALL to determine if the user trying to access the web is a member of the trusted users group. (As said previously, all users are members of the trusted users group, so it is a safe group too use in the “Users Allowed” field)

Once you click on “Add”, all users trying to access an HTTP based web page, will now be redirected to a SonicWALL login page. If you want users to log in when accessing other web services such as ftp or https, you will need to create a service group in: Firewall>Services and add any services you wish to have users log into the SonicWALL when accessing. After said group is created, you would use it in place of “HTTP” for the service option in the rule shown above.


0. Background

SonicWALL SSO is a reliable and time-saving feature that utilizes a single login to provide access to multiple network resources based on administrator-configured group memberships and policy matching. SonicWALL SSO is transparent to end users and requires minimal administrator configuration.

SonicWALL SSO works for any service on the SonicWALL security appliances that uses userlevel authentication, including Content Filtering Service (CFS), Firewall Access Rules, group membership and inheritance, and security services (Application Firewall, IPS, GAV, and SPY) inclusion/exclusion lists.

Other benefits of SonicWALL SSO include:
    • Ease of use — Users only need to sign in once to gain automatic access to multiple resources.
    • Improved user experience — Windows domain credentials can be used to authenticate a user for any traffic type without logging in using a Web browser.
    • Transparency to users — Users are not required to re-enter user name and password for authentication.
    • Secure communication — Shared key encryption for data transmission protection.
    • SonicWALL SSO Agent can be installed on any Windows server on the LAN, and TSA can be installed on any terminal server.
    • Multiple SSO Agents — Up to 8 agents are supported to provide capacity for large installations
    • Multiple TSAs — Multiple terminal services agents (one per terminal server) are supported. The number depends on the SonicWALL UTM appliance model and ranges from 4 to 256.
    • Login mechanism works with any protocol, not just HTTP.

1. Configuration

   1) Login to your SonicWALL security appliance.
    2) Navigate to Users > Settings.
    3) In the Single-sign-on method drop-down menu, select SonicWALL SSO Agent.
    4) Click Configure button.The SSO configuration page is displayed.
    5) In the Name or IP Address field, enter the name or IP Address of the workstation on which SonicWALL SSO Agent is installed.
    6) In Port Number, enter the port number of the workstation on which SonicWALL SSO Agent is installed. The default port is 2258.
    7) In the Shared Key field, enter the shared key that you created or generated in the SonicWALL SSO Agent. The shared key must match exactly. Re-enter the shared key in the Confirm Shared Key field.
    8) In the Timeout (seconds) field, enter a number of seconds before the authentication attempt times out.
    9) In the Retries field, enter the number of authentication attempts.
    10) Click the Users tab. The User Settings page displays.
    11) Check the box next to Allow only users listed locally to allow only users listed locally to be authenticated.
    12) Check the box next to Simple user names in local database to use simple user names. This setting ignores the domain component of a user name. If this box is not checked, user names in the local database must match exactly the full names returned from the agent, including the domain component.
    13) Check the box next to Allow limited access for non-domain users to allow limited access to users who are logged in to a computer but not into a domain. These users will not be given access to the Trusted Users user group. They are identified in logs as computer-name/user-name. When performing local and the Simple user names in local database option is disabled, user names must be configured in the local database using the full computer-name/user-name identification.
    14) To use LDAP to retrieve user information, select the Use LDAP to retrieve user group information radio button. Click Configure to configure the LDAP settings. The LDAP Configuration page displays.
    15) To use local configuration, select the Local configuration radio button.
    16) In the Polling rate (minutes) field, enter a polling interval, in minutes, that the security appliance will poll the workstation running SSO Agent to verify that users are still logged on.
    17) In the Hold time after (minutes) field, enter a time, in minutes, that the security appliance will wait before trying again to identify traffic after an initial failure to do so. This feature rate-limits requests to the agent.
    18) Click on the Content Filter tab if you are using the SonicWALL Content Filtering Service (CFS) and there is a proxy server in your network.
          Note: The Content Filter tab is only displayed if Premium CFS is enabled on the SonicWALL security appliance.
    19) To bypass SSO for content filtering traffic and apply the default content filtering policy to the traffic, select the appropriate address object or address group from the pulldown menu.

This setting should be used where traffic that would be subject to content filtering can emanate from a device other than a user's workstation (such as an internal proxy web server). It prevents the SonicWALL from attempting to identify such a device as a network user in order to select the content filtering policy to apply. The default content filtering policy will be used for all traffic from the selected IP addresses.

    20) Click the Test tab. The Test Authentication Agent Settings page displays.
    21) Select the Check agent connectivity radio button then click the Test button. This will test communication with the authentication agent. If the SonicWALL security appliance can connect to the agent, you will see the message Agent is ready.
    22) Select the Check user radio button, enter the IP address of a workstation in the Workstation IP address field, then click Test. This will test if the agent is property configured to identify the user logged into a workstation.

Note: Performing tests on this page applies any changes that have been made.

Tip: If you receive the messages Agent is not responding or Configuration error, check your settings and perform these tests again.

    23) When you are finished, click OK.Hope that helps. Let me know if you have any other questions!

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Robert AdvancedideaAuthor Commented:
Wow -- this is exactly what I needed. I will be doing the work this weekend. Sorry for the slow response, but I really do appreciate your time and excellent posting. In regards to the SSO setup, is there a client that I need to download from SonicWall (Dell) and install on each of the workstations or is that built into the firewall as an app?

As a side note, I have been asking questions on EE for years and have never had this level of detail and formatting. I really appreciate it.

Thank you
Robert AdvancedideaAuthor Commented:
Thank you -- Wonderful solution and excellent detail.
Blue Street TechLast KnightCommented:
Wow thank you for the complements!

I'm glad I could help. Feel free to contact me anytime you have some questions!

In case you didn't locate the answer to your second to last post, yes you do need to intsall an SSO Client. Below are the pre-requisite:

To use SonicWALL SSO, it''s required that the SonicWALL SSO Agent be installed on a server within your Windows domain that can reach clients and can be reached from the appliance, either directly or through a VPN path. Here are the reqs to run the SSO Agent:

Port 2258 must be open; the firewall uses UDP port 2258 by default to communicate with SonicWALL
SSO Agent; if a custom port is configured instead of 2258, then this requirement applies to the custom port
Windows Server, with latest service pack:
   - Windows Server 2008, 32-bit and 64-bit
   - Windows Server 2003, 32-bit and 64-bit
   - Windows 2000 Server, 32-bit and 64-bit
.NET Framework 2.0 or higher
Net API or WMI

Thanks again!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.