AD Connector / Policy manager??

tracyprier · 11-04-2009, 04:14 PM

Hi gang

I have been using UT for a while now in our company. I now have a need to allow certain groups access to sites we don't want others getting to i.e. marketing getting to youtube etc.

I am a little uncertain of what apps I need to do this, do I need Policy Manager, AD connector or both??

We run a server 2003 domain with AD.

Can I setup seperate groups (unconnected to AD) with Policy manager alone??

Appreciate input on this.

Thanks
Tracy

sky-knight · 11-04-2009, 04:48 PM

You need the policy manager to have multiple racks, and create your different security contexts.

You need the AD connector to be able to route traffic into the racks by user name.

No, you can't use groups... it has to be user.

Beyond that you can also route traffic into racks with CIDR style network ranges.

Big D · 11-04-2009, 08:47 PM

AD group support is on the roadmap but it don't work yet, yes it does show up but its just there to tease you.

AD connector functions by running a script that run in the background and updates UT IP mappings every 5 minutes I believe. This is usually done via a group policy object or script at login.

tracyprier · 11-09-2009, 11:21 AM

OK, so I only really need PM and I can just set up users within that. It will only be a handful of people so it doesn't sound like AD connector would be of any real benefit?

gotkimchi · 11-09-2009, 11:26 AM

if the users have their own PC, you can use just the policy manager. Make sure they have static IPs and create policies based on IPs. If the users share PCs and login from all over the network (different PCs), you might want to use the AD and the policy manager.

tracyprier · 11-16-2009, 12:21 PM

Quote:

Originally Posted by gotkimchi

if the users have their own PC, you can use just the policy manager. Make sure they have static IPs and create policies based on IPs. If the users share PCs and login from all over the network (different PCs), you might want to use the AD and the policy manager.

Do you mean I would need to give every user a static IP or just the ones I wanted to redirect (i.e. the users in marketing)??

thanks
Tracy

joemailey · 11-16-2009, 02:10 PM

Quote:

Originally Posted by tracyprier

Do you mean I would need to give every user a static IP or just the ones I wanted to redirect (i.e. the users in marketing)??

thanks
Tracy

Just the uses you want to redirect. providing they don't switch PCs.

Wrencher · 12-16-2009, 01:00 PM

Rather than create static IPs, I used DHCP reservations per another suggestion elsewhere in the forum, which has worked well here for website bypass. I then have OpenDNS protecting those users.

JustinRocks · 02-05-2010, 03:30 PM

tracyprier
Did you get this to work? If so How?
I want to allow a specific website to a specific user or IP

Thanks

mdh · 02-05-2010, 06:33 PM

JustinRocks,

Your issue is not as simple as it sounds to you. There is not one Facebook, because Facebook is too widely used. There are a large number of IP addresses that are assigned to Facebook, and your problem is not on the user end, its on the host end. You have to know all of the host IPs and make firewall rules, then keep checking on a regular basis to see if there are new hosts assigned to Facebook. That could be a full time job.

11-04-2009, 04:14 PM	#1 (permalink)
tracyprier Untanglit Join Date: Aug 2009 Posts: 27	AD Connector / Policy manager?? Hi gang I have been using UT for a while now in our company. I now have a need to allow certain groups access to sites we don't want others getting to i.e. marketing getting to youtube etc. I am a little uncertain of what apps I need to do this, do I need Policy Manager, AD connector or both?? We run a server 2003 domain with AD. Can I setup seperate groups (unconnected to AD) with Policy manager alone?? Appreciate input on this. Thanks Tracy

11-04-2009, 04:48 PM	#2 (permalink)
sky-knight Join Date: Apr 2008 Location: Phoenix, AZ URLs submitted: 8 Posts: 15,454	You need the policy manager to have multiple racks, and create your different security contexts. You need the AD connector to be able to route traffic into the racks by user name. No, you can't use groups... it has to be user. Beyond that you can also route traffic into racks with CIDR style network ranges. __________________ Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879

11-09-2009, 11:26 AM	#5 (permalink)
gotkimchi Administrator Join Date: Jan 2007 Location: Bay Area Posts: 2,075	if the users have their own PC, you can use just the policy manager. Make sure they have static IPs and create policies based on IPs. If the users share PCs and login from all over the network (different PCs), you might want to use the AD and the policy manager. __________________ to be understood, you must first understand. Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself. If you need Untangle support please call or email support@untangle.com

02-05-2010, 03:30 PM	#9 (permalink)
JustinRocks Untangler Join Date: Feb 2010 Posts: 39	Did this work tracyprier Did you get this to work? If so How? I want to allow a specific website to a specific user or IP Thanks

02-05-2010, 06:33 PM	#10 (permalink)
mdh Join Date: Aug 2007 URLs submitted: 171 Posts: 4,802	JustinRocks, Your issue is not as simple as it sounds to you. There is not one Facebook, because Facebook is too widely used. There are a large number of IP addresses that are assigned to Facebook, and your problem is not on the user end, its on the host end. You have to know all of the host IPs and make firewall rules, then keep checking on a regular basis to see if there are new hosts assigned to Facebook. That could be a full time job. __________________ This space reserved for profound thought.....which does happen on occasion."

Protect

Filter

Perform

Connect

Manage

Add-Ons

11-04-2009, 08:47 PM	#3 (permalink)
Big D Master Untangler Join Date: Nov 2008 Posts: 691	AD group support is on the roadmap but it don't work yet, yes it does show up but its just there to tease you. AD connector functions by running a script that run in the background and updates UT IP mappings every 5 minutes I believe. This is usually done via a group policy object or script at login.

11-09-2009, 11:21 AM	#4 (permalink)
tracyprier Untanglit Join Date: Aug 2009 Posts: 27	OK, so I only really need PM and I can just set up users within that. It will only be a handful of people so it doesn't sound like AD connector would be of any real benefit?

12-16-2009, 01:00 PM	#8 (permalink)
Wrencher Newbie Join Date: Nov 2008 Posts: 10	Rather than create static IPs, I used DHCP reservations per another suggestion elsewhere in the forum, which has worked well here for website bypass. I then have OpenDNS protecting those users.