Using Application Control with Policy Manager across different groups - New User

[Fred59]

Hi,

I am at the start of my Untangle journey and just getting to grips with things.

I’ve blocked a lot of applications that I don’t want people getting access to in default policy including Dropbox, Facebook, Twitter, YouTube, box. Now this works fine until I want to allow marketing access to Facebook and Twitter and then allow Management access to Dropbox.

I thought I would be able to just block everything I didn’t want with Application Control in the default policy and then setup a new policy for Marketing as a child of the default policy and simply allow Facebook and twitter through Application control in there.

But that doesn’t work, they get access to Facebook and Twitter but they also get everything else that I blocked in the default policy, so it appears that I will need to replicate every blocked item from the default policy applications control into the marketing’s policy application control and then allow the bits that I want them to get access to.

This seems like a lot of duplication of work or have I missed something?

Thanks

[sky-knight]

Yes, there is duplication.

So, you configure a default rack with a policy set, then you make a child. The child simply uses the rack applications of the parent, if you install a given app, say web filter, now that child has an entirely separate rack application that needs configured. That new instance doesn't import anything from the parent, it's new.

Now this probably seems rather inconvenient, but think about it for a moment. How is Untangle to know what settings you do and don't want?

The time saved with child racks means all rack applications you do not install in the child get settings from the parent. And you can only have one policy active for each network session. So if you make rack that blocks Facebook, and a rack that passes Facebook, then your policy rules choose facebook on or off. I've never tried to pass a piece of Facebook, and given the way that service works I'd be surprised if that was even possible.

[chaycock]

>Now this probably seems rather inconvenient, but think about it for a moment. How is Untangle to know what settings you do and don't want?

I would have it copy everything, then you could customize the child from that point on. Having it do that would have saved me a ton of time. It takes much longer to duplicate everything in the child that is in the parent that I want to keep than it would to have the child start with a copy of the parent and then just tweak the child.

[Sam Graf]

Don't the import/export features help here? Or am I thinking of something else?

[chaycock]

Don't the import/export features help here? Or am I thinking of something else?

It depends on the app. For example, the Application Control does have import/export, whereas the Web Filter does not.

[Sam Graf]

So for the OP, though, it would be possible to simplify the process. No need to manually "replicate every blocked item."

I do wish the import/export feature was everywhere. That would make rack/policy management pretty painless. Maybe it would be fine if child apps replicated their parent. I'd have to think about that, but no red flags are popping out at me at the moment.

[sky-knight]

Replicating the initial configuration seems simple enough, but replicating settings after that would be a technically difficult if not impossible task.

[Fred59]

Thanks for the input everybody.

I successfully tried the export/import method and that worked, to export the default application policy and then import it in to the new child policy application control.

So yes it does save me a bit of time and work but I do realise that any changes that I want to make in terms of blocking additional applications will have to be made to each separate policy.

[Sam Graf]

It's true that there is no completely painless way to enjoy the power of the rack system.

[chaycock]

Replicating the initial configuration seems simple enough, but replicating settings after that would be a technically difficult if not impossible task.

Agreed. I did not make my suggestion clear. What I propose is to do the replication once when the child was created and then from that point forward, there is no linkage between the two.