Custom Access Policies
Just like Access Rules, Custom Access Policies have three types: Permission, Restriction, and Combination. Each CAP can only be configured as one type; however, you can configure multiple CAPs with different Access Types depending on your requirements.
Like Access Rules, Custom Access Policies can be used to filter based on Domain User Names, Groups, IP Addresses, or Anonymous users. The CAPs are the primary method of applying Allow/Deny restrictions, Quotas, and Schedules to Web Users in your environment.
The Custom Access Policy Properties Page
bt-WebFilter Standalone and ISA/TMG Filter ship with a ‘Default Custom Access Policy’. This CAP utilizes the ‘Default’ policy type (dependent upon the Access Rules Properties setting) which, for a new install, is a Restriction type. It denies several Categories that Burstek defines as ‘Legal Liability’ and is applied to ‘Unauthenticated Access’. What this means for your organization is that if you set your browser settings to use the server where WebFilter is installed, you would be denied access to XXX and Gambling sites, to name a few.
Note: If you are using bt-WebFilter for ISA/TMG, you would need a firewall rule that allows ‘All Users’ to use HTTP and HTTPS. If your rule instead uses ‘Authenticated Users’ or domain names, then the traffic would pass through with an actual user name and would not be denied.
The Common Information Tab
This first tab under the ‘Properties’ of the Custom Access Policy (see figure 12) defines how this policy will filter users. The tab has two configuration buttons labeled ‘Advanced Redirect Page Options’ and ‘Individual Access Policy Type’ (IAP). The IAP is the same as for the Access Rules previously discussed (see Access Policy Types); however, if the IAP is set at the CAP level, it overrides the Access Rule level IAP.
The Common Information tab also contains the fields for naming your CAP (for example, Production – Deny – Social Networking Sites) as well as entering the URL for a redirect page that is displayed to users when a URL or Category is blocked.
Note: HTTPS (SSL/443) sites that are blocked cannot be redirected. As a result, the user will only receive a ‘Page Cannot be found’ message. This is due to the HTTPS protocol which prevents redirection.
When using one of the supplied Advanced Redirect Pages that Burstek includes with its software, the ‘Advanced Redirect Pages Options’ button provides you with the ability to specify how long a user should have access to a blocked URL.
The ‘Allow’ and ‘Deny’ tabs
Whether the ‘Allow’ and ‘Deny’ pages are functional depends on the Access Policy type that is chosen. A Permission policy, for example, denies all access unless specifically allowed. If used, you would then add entries to the ‘Allow’ tab. A Restriction policy, on the other hand, only denies access, so the ‘Allow’ tab has no bearing on this type of Access Policy. A Combination policy, because it is essentially both types in one, will use both the ‘Allow’ and ‘Deny’ tabs.
Adding an entry to either tab will bring up an ‘Access Object Properties’ page which allows you to configure the specifics for the URL or Category that you are working with. On this page you can specify the URL(s), Category(s), and the Schedule for when the ‘Allow’ or ‘Deny’ should take place.
If you choose the ‘Category’ option, when you click on the ‘Details’ tab, you will see a list of all Categories currently configured in WebFilter, allowing you to choose one or more to be applied. If you would like to select multiple Categories with different Schedules, however, you can simply add the Categories for the first Schedule, then go back and add the next Categories for the second Schedule.
Note: Schedules may not be created on the ‘Schedule’ tab of the Access Object properties page. To configure Schedules, use the ‘Schedule’ object in the Management Console Tree.
The Quotas Tab
The Quota tab allows you to assign an existing quota to the Custom Access Policy (CAP). Quotas define how much Bandwidth a user or group can use and/or how much Time (in Minutes) they are allowed to access a certain Category or Website. Quotas can also be set for Daily, Weekly, or Monthly resets as well as Strict (Access Denied when limit reached) or Lite (Access permitted but logs generated) severity.
Just like with Schedules, you can set a single Quota for all Categories and URLs on a specific CAP or you can specify different Quotas for each entry in your CAP.
Note: Quotas at the Custom Access Policy level affect all users that are applied to the policy. If you need a quota for an individual user, please use the Individual Rights option under the Domain Access Rule.
The Access Object Properties page displayed when adding a Quota is very similar to the page when adding Categories to Allow/Deny tabs except that there is now a ‘Quota’ tab that allows you to specify the Quota to be used for these Categories/URLs.
For more information regarding Quotas, please refer to the ‘Administrators Guide - Using Quotas’.
The ‘Apply To’ Tab
The ‘Apply To’ tab allows you to enter all the IDs that should be governed by this policy. In the figure below (see figure 19), you can see we have an Individual User, an Active Directory Domain Group, an IP Address Range, an Individual IP address and even Unauthenticated Access.
Note: This is for demonstration purposes to show that you can utilize multiple IDs on the ‘Apply To’ tab. In a production environment, if you are requiring user authentication or, in the case of WebFilter Standalone, require Proxy Authentication, then anonymous access is not permitted and would not need to be added. Alternatively, if you were not requiring authentication, then the Domain User or Domain Group would not need to be added since browser traffic first tries to access anonymously.
The ‘Exemptions’ Tab
You may wish to simply apply a single Custom Access Policy (CAP) to the Domain Users group or your entire IP address range for simplicity; however, you would also need to exclude certain machines or individuals. The ‘Exemptions’ tab provides this functionality allowing you to exclude users or IP addresses on an ‘as-needed’ basis.
Note: When excluding IP addresses, the IP address must be part of the range of IPs configured under the ‘IP Access Rule’. If an incorrect IP address is chosen, an information box will be displayed telling you that the IP address does not belong to any of the selected IP Ranges.
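The following is an added example, not Burstek code: a simplified Python model of how the policy type, the ‘Allow’/‘Deny’ tabs, the ‘Apply To’ tab and the ‘Exemptions’ tab described above combine into a decision, useful for reasoning about which traffic a CAP actually governs before deploying it. The class, field names and sample values are hypothetical; the matching of IP entries regardless of user name and the Combination handling are assumptions, marked in the comments.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Cap:
    """Simplified model of one Custom Access Policy (hypothetical, not Burstek code)."""
    kind: str                                       # "permission", "restriction" or "combination"
    allow: set = field(default_factory=set)         # categories on the 'Allow' tab
    deny: set = field(default_factory=set)          # categories on the 'Deny' tab
    users: set = field(default_factory=set)         # 'Apply To': user names
    networks: list = field(default_factory=list)    # 'Apply To': IP ranges/addresses as CIDR
    unauthenticated: bool = False                   # 'Apply To': Unauthenticated Access
    exempt_users: set = field(default_factory=set)  # 'Exemptions' tab
    exempt_ips: set = field(default_factory=set)

    def governs(self, user: Optional[str], ip: str) -> bool:
        """True if the request identity falls under this CAP (user=None means anonymous)."""
        if user in self.exempt_users or ip in self.exempt_ips:
            return False
        if (user is None and self.unauthenticated) or user in self.users:
            return True
        # Assumption: an IP entry matches whatever user name the request carries.
        return any(ip_address(ip) in ip_network(n) for n in self.networks)

    def decide(self, user: Optional[str], ip: str, category: str) -> str:
        if not self.governs(user, ip):
            return "not-governed"          # this CAP places no restriction on the request
        if self.kind == "permission":      # deny everything unless on 'Allow'
            return "allow" if category in self.allow else "deny"
        if self.kind == "restriction":     # only 'Deny' entries matter
            return "deny" if category in self.deny else "allow"
        # Combination uses both tabs. Assumptions: 'Deny' is checked first, and a category
        # on neither tab is reported as "unlisted" because the page gives no default.
        if category in self.deny:
            return "deny"
        return "allow" if category in self.allow else "unlisted"

# Constructed sample: a default-style Restriction CAP applied only to anonymous traffic.
DEFAULT_CAP = Cap("restriction", deny={"Gambling"}, unauthenticated=True)
# Constructed sample: a Permission CAP for one subnet with one exempted workstation.
KIOSK_CAP = Cap("permission", allow={"News"}, networks=["10.0.5.0/24"],
                exempt_ips={"10.0.5.9"})

if __name__ == "__main__":
    for user in (None, "CORP\\alice"):     # anonymous vs. authenticated request
        print(user, "->", DEFAULT_CAP.decide(user, "10.0.1.4", "Gambling"))
```

The second request shows the situation from the ISA/TMG note: traffic that arrives with an actual user name is not governed by a CAP applied only to ‘Unauthenticated Access’, so its ‘Deny’ entries never apply to that user.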