For some RDS users exception from web site blocking (USG Flex 500)

DG_1 · February 2023

Hello All,
We block certain websites for users. Users work on an RDS server, we use AD, and the AD and LDAP query are set on USG. In the Policy Control, at the USER drop-down menu I set exception for AD group, but it does not work.

How can I set this?

Zyxel_James · February 2023

Hello @DG_1

Welcome to Zyxel community!

I would like to check on your configuration, please provide screenshots of your network topology, policy control settings, and user exception settings, thank you.
Moreover, do you configure the user group as ext-group-user type?

Image: https://us.v-cdn.net/6029482/uploads/editor/fp/nonjis34tzdb.png

James

DG_1 · February 2023

Hello James!

Network topology:

Address:

Address Group:

User setting (and the result if I test the user):

User group for whom I want to block access to the specified websites::

Image: https://us.v-cdn.net/6029482/uploads/editor/7u/ru6xbkmx5c7x.png

Policy Control settings:

Image: https://us.v-cdn.net/6029482/uploads/editor/yx/e9cj5wq7oeey.png

The user can open the test website, what I want to block:

Image: https://us.v-cdn.net/6029482/uploads/editor/rn/g0rtwrxedkr1.png

In the policy if the User is "Any", it works the blocking for all users. If I set filter for the User (it doesn't matter I set up a user or a user group), it does not work.

What I do wrong? Does it matter that the user works on a remote desktop?

zyman2008 · February 2023

DG_1,
As I know, Zyxel firewall doesn't support to identify different user's sessions from the same Terminal Server.
user1 -> RDS IP address
user2 -> RDS IP address

It can support users in different workstation. (different IP addresses)
user1 -> PC1 IP address
user1 -> PC2 IP address
user2 -> PC3 IP address

The user's login is mapping to IP address.
And the policy matching is by IP address.

DG_1 · February 2023

Hello Zyman2008,
Is it possible to do it with SSO?
https://support.zyxel.eu/hc/en-us/articles/360015338620--SSO-Agent-2-0-Supporting-AD-Windows-Server-2019

zyman2008 · February 2023

Hi @DG_1,
Sorry, I don't know much about it.

Zyxel_James · February 2023

Hello @DG_1

As @zyman2008 mentioned, the security policy is matched by the IP address of the user login.

For example, once the website-limited user login with the IP 192.168.1.33, the device will block from 192.168.1.33 to the specific websites, and now if there is a website-allowed user login with the same computer, it will get 192.168.1.33 resulting in being blocked as well.

However, if the website-limited user logs out first and then the website-allowed user logs in after, you will find the website-allowed user is able to access the specific websites because now the IP address 192.168.1.33 is matching to the website-allowed user instead of the website-limited user.

Moreover, SSO service phased out by September 2022.

James

DG_1 · February 2023

Hello!

I have to fulfill the management's request. So what solution can you suggest?

Maybe there is a way to identify the excluded persons in some way, which I can handle on the firewall? I should not block eg. Facebook for management.

Zyxel_James · February 2023

Hello @DG_1

The scenario is not achievable. The device determines the user by the IP address that the user logon.

As I mentioned, the website-allowed user won't be blocked if the website-limited user logs out first and then the website-allowed user logs in after, so that the IP address will be matching to the website-allowed user instead of the website-limited user.

James

For some RDS users exception from web site blocking (USG Flex 500)

All Replies

Categories

Security Highlight

Security Help Center