Blocking Thin Clients from internet

v8scimitar · 06-21-2011, 08:00 AM

Currently we have 3 racks and 2 policies. The default rack, unrestricted rack and a blocked rack. Policy wise we have the unrestricted and the blocked policy oh and nearly forgot we have a no rack policy as well ordered Blocked>>Unrestricted>>No Rack. This works great, we have the AD connector and users log in and go to the proper rack. Trouble now is that we are bringing in thin clients which aren't on the domain. This means that anybody using a thin client will automatically go to the default rack but we will not be able to report on them as they haven't passed on their user name via the AD logon script. So now the question. How can I get it so that if they have no user name logged they go to the blocked rack? I did think about creating a new policy directing to the default rack with say the domain user group but I don't know how to then direct them to the blocked rack. Another idea was as before create a default policy and another thin client policy at the bottom. So they go to the internet and if they have a user name and it is in the blocked policy they are stopped. If not they go to the unrestricted rack if not the default and then have the Thin Client rack with (any) which by default should stop them. I should add that I dont really want to mess with the default rack settings as there is a lot of work and settings in there so setting the default to block and recreating another default rack isn't a preferred option.

What do you think, or is there a better solution?

Any help, comments appreciated.

Mark

hlarsen · 06-21-2011, 08:19 AM

it's usually better to have the default rack be the most restrictive, so if (for whatever reason) no policies are matched they will default to being blocked rather than being allowed. you should be able to import/export most app settings, but you will need to recreate some (web filter categories, for example) manually.

you may also want to try using the 'unauthenticated' user in the Policy Manager settings, but i haven't seen it used too much in practice.

v8scimitar · 06-21-2011, 08:26 AM

I have never actually noticed the authenticated/unauthenticated before. In theory now I know this I should just be able to add unauthenticated to the users of the blocked policy and it will stop them?

06-21-2011, 08:00 AM	#1 (permalink)
v8scimitar Newbie Join Date: Aug 2008 Posts: 14	Blocking Thin Clients from internet Currently we have 3 racks and 2 policies. The default rack, unrestricted rack and a blocked rack. Policy wise we have the unrestricted and the blocked policy oh and nearly forgot we have a no rack policy as well ordered Blocked>>Unrestricted>>No Rack. This works great, we have the AD connector and users log in and go to the proper rack. Trouble now is that we are bringing in thin clients which aren't on the domain. This means that anybody using a thin client will automatically go to the default rack but we will not be able to report on them as they haven't passed on their user name via the AD logon script. So now the question. How can I get it so that if they have no user name logged they go to the blocked rack? I did think about creating a new policy directing to the default rack with say the domain user group but I don't know how to then direct them to the blocked rack. Another idea was as before create a default policy and another thin client policy at the bottom. So they go to the internet and if they have a user name and it is in the blocked policy they are stopped. If not they go to the unrestricted rack if not the default and then have the Thin Client rack with (any) which by default should stop them. I should add that I dont really want to mess with the default rack settings as there is a lot of work and settings in there so setting the default to block and recreating another default rack isn't a preferred option. What do you think, or is there a better solution? Any help, comments appreciated. Mark

06-21-2011, 08:19 AM	#2 (permalink)
hlarsen Join Date: Jul 2010 Location: sfba URLs submitted: 1 Posts: 1,139	it's usually better to have the default rack be the most restrictive, so if (for whatever reason) no policies are matched they will default to being blocked rather than being allowed. you should be able to import/export most app settings, but you will need to recreate some (web filter categories, for example) manually. you may also want to try using the 'unauthenticated' user in the Policy Manager settings, but i haven't seen it used too much in practice. __________________ Attention: Support on the Untangle Forums is provided by volunteers and community members. If you need official Untangle support please call or email support@untangle.com.

Protect

Filter

Perform

Connect

Manage

Add-Ons

06-21-2011, 08:26 AM	#3 (permalink)
v8scimitar Newbie Join Date: Aug 2008 Posts: 14	I have never actually noticed the authenticated/unauthenticated before. In theory now I know this I should just be able to add unauthenticated to the users of the blocked policy and it will stop them?