HELP! User-Account Table not blocking AD Users

General discussion about WFilter ICF features, problems, configuration issues etc.

Moderators: imfirewall, gengw2000

jjabara
Posts: 15
Joined: Wed Aug 21, 2013 6:37 pm

Postby jjabara » Wed Oct 09, 2013 10:11 pm

So I've got everything set up correctly. All my AD info is in and I can see all of my OUs and usernames etc.

How in the heck do I get it to actually USE the user-account table to block and set policy? I've tried everything I can think of and no matter what I do it won't use AD alone for blocking rules. What exactly do I need to do here to get it to only specifically use my AD user information and OUs?

I'd love to be able to just Unblock or block a specific user or users via searching for their name and adding them to Unblock or a specific block policy. That just isn't working. Then if I add the block policy to all of the user-computer tables I have to manually search for each individual user I want to unblock or change to another policy.

We have 1208 AD users and that is taking me forever.

Any tips or tricks on how I can 100% get it to ONLY use my AD User-Account Tables to block/unblock/set policy?

Thanks

imfirewall
Posts: 153
Joined: Fri Nov 26, 2010 7:41 am

Postby imfirewall » Thu Oct 10, 2013 2:47 am

Please note that the "ip policy" and "computer policy" can also block internet access.

If you want to use the "account policy" only, you need to set the "blocking rules" of the "default ip policy" and the "user-computer table" to "no blocking".

When an internet activity is detected, WFilter checks blocking in the following steps:

1. If this ip's blocking policy is "Default ip policy", check whether the "default ip policy" blocks it.

2. If this ip is assigned a blocking policy, check whether this policy blocks it.

3. If the ip is not blocked by ip policies, check the user's policy.

Postby imfirewall » Thu Oct 10, 2013 3:06 am

I can understand that setting policy for users takes a lot of time when you have a lot of AD users. For the current 4.0 version, you can set policy for OUs by clicking "Change Multiple Settings" in the "user-account table".

In the next version (WFilter 4.1), we've added a "Default OU Policy" for you to set a default policy for each OU. Users in this OU will have a default policy applied. This makes things much easier.

Postby jjabara » Thu Oct 10, 2013 4:56 am

Thank you for the response. So I followed your suggestions and I have NO Data in Default IP Policy and all of my User-Computer Table IPs are set to DO NOT BLOCK (should I delete all of the existing IPs as well from that list?) but it is still not blocking from just my AD account into set to block policy in the User-Account Table.

Do I need to remove all of my IP segments in the System Settings > Monitoring Settings? I just have listed there all of my Network IP Segments in DHCP.

My goal here is to have it monitor about 1100 of my users on one major policy that is currently set to block social networking/streaming media etc but have about 50-60 users NOT blocked. I feel this will be easiest if I can just select those 50-60 users in the User-Account Table from AD to DO NOT BLOCK but leave the rest of AD users to be blocked.

Problem I'm still having is that if I remove all IP info from Default IP Policy and User Computer Table and just leave the User Account Table set with block policy, none of my users are being blocked. Also I did not notice any option in User-Account Table to set for Recording Policy, only Blocking Policy. Do I need to set Recording Policy in the User-Computer Table?

Thanks a lot for your help. I think we are close to getting this resolved.

JJ

Postby jjabara » Thu Oct 10, 2013 5:46 am

Actually quick follow-up. I added a 0.0.0.0 - 255.255.255.255 DO NOT BLOCK IP range as the only default policy then made sure all user computer table blocking rules were set to DO NOT BLOCK and my AD policy started working correctly and blocking.

I assume that if I leave Recording Policy set to HIGH in User-Computer Table it will keep recording via that setting?

Thanks

Postby imfirewall » Thu Oct 10, 2013 2:44 pm

jjabara wrote: Actually quick follow-up. I added a 0.0.0.0 - 255.255.255.255 DO NOT BLOCK IP range as the only default policy then made sure all user computer table blocking rules were set to DO NOT BLOCK and my AD policy started working correctly and blocking.

I assume that if I leave Recording Policy set to HIGH in User-Computer Table it will keep recording via that setting?

Thanks


That's great news. The recording level shall be configured in the "user-computer table" and the "default ip policy"; the "user-account table" only sets the blocking policy for users.

Please note that for the user policy to work, the computers shall be "monitored".

Let me explain the rules:

1). "Recording levels" and "blocking levels" can be applied only to "monitored" computers.

2). "Recording level" is applied to computers only.

3). Steps of blocking (for WFilter 4.0 only):

3.1) If an ip's blocking policy is "Default ip policy", check whether the "default ip policy" blocks it.

3.2) If this ip is assigned a blocking policy, check whether this policy blocks it.

3.3) If the ip is not blocked by ip policies, check the logon user's policy.
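
The evaluation order described in this thread, as an added example that is not part of the original posts and is not WFilter code: a simplified Python model showing why a blocking IP-layer policy pre-empts the user-account table, plus an audit helper that lists such policies. Representing a policy as a set of blocked categories, and all names here (`Config`, `decide`, `ip_level_blocks`, the sample IPs and accounts), are assumptions made for illustration.

```python
from dataclasses import dataclass, field

NO_BLOCKING = frozenset()                      # policy that blocks nothing
STRICT = frozenset({"social", "streaming"})    # constructed sample policy

@dataclass
class Config:
    default_ip_policy: frozenset = NO_BLOCKING
    ip_policies: dict = field(default_factory=dict)    # ip -> assigned policy
    user_policies: dict = field(default_factory=dict)  # AD account -> policy
    monitored: set = field(default_factory=set)        # monitored computer IPs

def decide(cfg, ip, user, category):
    """Return (blocked, deciding_layer) following the steps given in the thread."""
    if ip not in cfg.monitored:                 # rule 1: unmonitored, nothing applies
        return (False, "not monitored")
    assigned = cfg.ip_policies.get(ip)          # None means "Default ip policy"
    if assigned is None:
        if category in cfg.default_ip_policy:   # step 1
            return (True, "default ip policy")
    elif category in assigned:                  # step 2
        return (True, "assigned ip policy")
    if category in cfg.user_policies.get(user, NO_BLOCKING):   # step 3
        return (True, "user policy")
    return (False, "allowed")

def ip_level_blocks(cfg):
    """Audit: IP-layer policies that block something and so pre-empt user policy."""
    hits = ["default ip policy"] if cfg.default_ip_policy else []
    return hits + sorted(ip for ip, p in cfg.ip_policies.items() if p)

# Constructed data: "bob" should be filtered, "alice" is one of the exempt users.
users = {"bob": STRICT, "alice": NO_BLOCKING}
pcs = {"10.0.0.5", "10.0.0.6"}
before = Config(default_ip_policy=STRICT, user_policies=users, monitored=pcs)
after = Config(default_ip_policy=NO_BLOCKING, user_policies=users, monitored=pcs)

if __name__ == "__main__":
    for name, cfg in (("before", before), ("after", after)):
        for user in ("alice", "bob"):
            print(name, user, decide(cfg, "10.0.0.5", user, "social"))
        print(name, "ip-level blocks:", ip_level_blocks(cfg))
```

In this model an exemption in the user-account table only takes effect once `ip_level_blocks` returns an empty list, and a computer outside the monitored set is never filtered regardless of the account policy.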