We've seen it happen in many different organizations: Marketing needs access to Twitter and Facebook, but leaving these open drives productivity down in other departments. The solution is simple - using Policy Manager, create an additional rack for the Marketing department which allows them (and only them) to access social networking sites.
There are two steps to this process - creating a new rack and sending users to that new rack. The instructions below will walk you through setting up an additional rack and sending users to it.
Creating and configuring a new rack
- click Settings on Policy Manager, then click Add in the Policies tab to add a new rack.
- Give it a name, description, and set the Parent Rack to "Default Rack". Hit Done, then Apply.
- Click OK to return to the main rack view.
- Near the top there will be an entry that says Default Rack with an arrow by the side, click this arrow and select your new rack.
When viewing your new rack, you'll notice you cannot click Settings on the applications because they are grayed out. This is because this is a "Child Rack"; all settings in these applications are being copied from the "Parent Rack" you set in Policy Manager.
- Click Apps > Web Filter > Install, which will install a new instance of Web Filter into this rack (overriding the one from the Parent Rack) and allow you to configure it.
At this point, all "greyed-out" apps are copying their configuration from the Default Rack while the Web Filter settings only come from this instance of Web Filter. This enables you to keep settings for virus scanning and spam blocking the same between racks and only change web filtering settings, which is by far the most often use case - simply configure Web Filter to allow the sites you want and save.
Rack configuration is done - as soon as you send users to this rack they will start being filtered by the new rules. Now you'll need to set up policies to get users to that rack, we'll go over how to do that next. We've covered the two most often used methods, however there are many more options such as policies by interface as well as having time-based policies which let you do things like allow social networking sites for all employees during lunch only. Feel free to explore once you get the hang of it!
Creating policies based on IP address
Setting users to either static IPs or static DHCP entries is a good idea if you're going to set up policies by IP.
- Click Settings on Policy Manager, then click Add under the Rules tab.
- Give a description, like "Move Marketing to Allow Facebook", then click the Add button to start adding conditions.
- For Type select "Source Address" and in the Value field include the IP(s) you want going through the new rack - you can enter single IPs (192.168.1.10), ranges (192.168.1.10-192.168.1.15), or use CIDR notation (192.168.1.0/24).
More specific information on syntax is available here.
- Once you enter the IP(s), choose what rack to send them to in the "Target Rack" entry near the bottom, then click Done and Apply.
Creating policies based on Username or Group Name
Using Directory Connector or Captive Portal with Policy Manager will allow you to create policy rules by username or group name. User name and group name are both available when used with Active Directory; only user name is available when used with NG Firewall's built-in Local Directory.
To send users to a rack by username, simply follow the instructions above and select the "Group" or "Username" condition instead of "Source Address" in your policy rule.