Ok, I'm missing something....

**allroy** · 01-29-2009, 08:15 AM

Ok, I don't get it. I've got a tiny domain at home (win2k3 AD). For the family. Kids are getting older and wanting time on the computers, but I want to block them from the nasty stuff.

Searching around for a good firewall/web filter that will work with AD and so I end up here.

Untangle looks awesome and simple and free/cheap. So I install it. It IS awesome and simple and free/cheap!

So what I want to do is create rules based on Groups. I can't do that. Fine, because I can create separate racks with filters that will allow me to group users and give different accounts different access.

Like I said this is for my home network so it's not a huge problem to manage the racks this way. I want an "adults" rack and a "kids" rack. So I create them. in the Policy Manager I set a rule that should say if the AD user is "Kid1" or "kid2" then use the "NoPorn" Rack. In the No Porn Rack i have web filter set up to block bad stuff.

It doesn't work. I assume because I ONLY set AD user names as the criteria. From everything I've read - you HAVE to put in an IP. Well...what if I want to go to the kids room to fix something and need access to stuff I'm not giving them? or what if the kids go on the main PC and want to log on and do stuff? it seems to ONLY be filtering by IP...so my question is...

if it has to be done by IP, what's the point of having (and eventually paying for) the AD Connector and Policy Manager? as far as I can tell the AD connector doesn't really do anything except let you pull names...but not actually do anything with them.

what is it that I'm missing here?

Thanks!

**sky-knight** · 01-29-2009, 08:42 AM

Your AD connector is misconfigured or something is wrong. I use AD user names to route to racks all the time. That is the point of the AD Connector as it integrates with the policy manager.

Now, in my case the AD's I use this on are all 2k3 like yours. I can tell you that the configuration of the AD connector is a bit more annoying than it should be.

Can your AD connector actually see a list of users? If that screen isn't pulling the user list your AD connector needs help.

**allroy** · 01-29-2009, 09:07 AM

Yes, it pulls the list of users, I put check boxes next to them.

I know the rule is set right because if I put my IP it works, it just doesn't seem to work by user name.

**sky-knight** · 01-29-2009, 12:02 PM

Do you have the login script running on the client? Without it Untangle has no way to match the user to the IP they are using.

https://untangleip/adpb/debug

Use the above URL and it will show you the current map of users to IP address. If that map isn't populating, your policies have nothing to go on.

**mdh** · 01-29-2009, 01:20 PM

That script is essential for it to work. I also read carefully, and while I read that you have a domain, I did not read that people actually have to login TO the domain. No domain login -> no group policy -> no script

**allroy** · 01-29-2009, 01:24 PM

Originally Posted by sky-knight

Do you have the login script running on the client? Without it Untangle has no way to match the user to the IP they are using.

Use the above URL and it will show you the current map of users to IP address. If that map isn't populating, your policies have nothing to go on.

Current user table:

BLANK!

I think you're on to something here. I read a bunch of stuff but didn't see anything specific about scritps. I have NO problem doing this...just....what am I supposed to do? I assume this is something I'll have to call from the AD login script?

Its not fixed yet, but you've at least let me know what I'm probably doing wrong so far.

Thanks!!!

**allroy** · 01-29-2009, 02:29 PM

Originally Posted by mdh

That script is essential for it to work. I also read carefully, and while I read that you have a domain, I did not read that people actually have to login TO the domain. No domain login -> no group policy -> no script

yeah, sorry. you're good. Yes, all the PCs are members of the domain and the plan is to make everyone log into it.

**sky-knight** · 01-29-2009, 02:54 PM

Look in the AD Connector rack module, just below the AD Test button, there is a button to download the AD Script.

That Script has to be installed in your DC's login script area in Sysvol

The easy way to see it is to look at your server's NETLOGON share.

\\server\NETLOGON

Put the VBS file in there, and get into group policy and assign it as a login script for the everyone group. Then relogin with a domain account and you should see wscript.exe running in task manager, and use the above debug to see your current user name and IP listed.

**allroy** · 01-29-2009, 10:38 PM

Thanks a lot. I feel like a total tool for missing that in the documentation. Through the AD setup, I just breezed through. Thought....cool, it's working when it pulled back the list of names. FAIL!

thanks a ton sky-knight and mdh!

**sky-knight** · 01-29-2009, 10:41 PM

Well hey you get props for coming here looking for one of the rarest features in the security market. Granted, it isn't perfect, and if you read that script you will see why.

But it does rather nicely allow you to control user access on a human level. It's always nice to get a way to attach process logic to the people that we want to protect, instead of the machines they are using.

Protect

Filter

Perform

Connect

Manage

Add-Ons

Thread: Ok, I'm missing something....

LinkBack

Thread Tools

Ok, I'm missing something....

Posting Permissions