Exception from website blocking for some RDS users (USG Flex 500)

Hello All,
We block certain websites for users. Users work on an RDS server, we use AD, and the AD and LDAP query are set on the USG. In the Policy Control, at the USER drop-down menu I set an exception for an AD group, but it does not work. :(
How can I set this?

All Replies

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate 100 Answers
    edited February 2023
    Hello @DG_1
    Welcome to Zyxel community!
    I would like to check on your configuration, please provide screenshots of your network topology, policy control settings, and user exception settings, thank you.
    Moreover, did you configure the user group as the ext-group-user type?


    James
  • DG_1
    DG_1 Posts: 6
    First Comment
    Hello James!

    Network topology: (screenshot)

    Address: (screenshot)

    Address Group: (screenshot)

    User setting (and the result if I test the user): (screenshot)

    User group for whom I want to block access to the specified websites: (screenshot)

    Policy Control settings: (screenshot)

    The user can open the test website that I want to block: (screenshot)


    In the policy, if the User is "Any", the blocking works for all users. If I set a filter for the User (it doesn't matter whether I set a user or a user group), it does not work.

    What am I doing wrong? Does it matter that the user works on a remote desktop?
  • zyman2008
    zyman2008 Posts: 223  Master Member
    25 Answers First Comment Friend Collector Seventh Anniversary
    edited February 2023
    DG_1,
    As far as I know, the Zyxel firewall doesn't support identifying different users' sessions from the same Terminal Server.
    user1 -> RDS IP address
    user2 -> RDS IP address

    It can support users on different workstations (different IP addresses).
    user1 -> PC1 IP address
    user1 -> PC2 IP address
    user2 -> PC3 IP address

    The user's login is mapped to an IP address, and the policy matching is by IP address.
  • zyman2008
    zyman2008 Posts: 223  Master Member
    25 Answers First Comment Friend Collector Seventh Anniversary
    Hi @DG_1,
    Sorry, I don't know much about it.


  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate 100 Answers
    Hello @DG_1
    As @zyman2008 mentioned, the security policy is matched by the IP address of the user login.
    For example, once the website-limited user logs in with the IP 192.168.1.33, the device will block traffic from 192.168.1.33 to the specific websites, and now if a website-allowed user logs in from the same computer, they will get 192.168.1.33, resulting in their being blocked as well.
    However, if the website-limited user logs out first and then the website-allowed user logs in after, you will find the website-allowed user is able to access the specific websites because now the IP address 192.168.1.33 is matched to the website-allowed user instead of the website-limited user.

    Moreover, the SSO service was phased out by September 2022.

    James
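To make the IP-keyed matching described in the replies concrete, here is an added toy model (not Zyxel code; user names, addresses and the blocked site are constructed) of a firewall that maps one login to a source IP and matches the user filter through that mapping. It shows why separate workstations get per-user verdicts while all sessions on a shared RDS address inherit whichever login holds that address, and why a user-filtered rule matches nothing when no login is mapped to the RDS IP.

```python
from dataclasses import dataclass, field

# Constructed sample data: one limited staff user, one management exception.
BLOCKED_SITES = {"facebook.com"}
LIMITED_GROUP = {"alice"}   # website-limited users
RDS_IP = "10.0.0.50"        # every RDS session leaves the server from this address


@dataclass
class Firewall:
    """Toy model of IP-keyed user awareness: one login holds a source IP."""
    ip_to_user: dict = field(default_factory=dict)

    def login(self, user: str, ip: str) -> str:
        # The first login keeps the IP; a later login on the same IP does not replace it.
        return self.ip_to_user.setdefault(ip, user)

    def logout(self, user: str, ip: str) -> None:
        if self.ip_to_user.get(ip) == user:
            del self.ip_to_user[ip]

    def decide(self, src_ip: str, site: str) -> str:
        """Policy match: the user is whoever is mapped to the packet's source IP."""
        user = self.ip_to_user.get(src_ip)
        if site in BLOCKED_SITES and user in LIMITED_GROUP:
            return "block"
        return "allow"   # no mapped user, or a user outside the limited group


def separate_workstations() -> tuple:
    """Distinct IPs per user: each user gets their own verdict."""
    fw = Firewall()
    fw.login("alice", "10.0.0.11")
    fw.login("boss", "10.0.0.12")
    return fw.decide("10.0.0.11", "facebook.com"), fw.decide("10.0.0.12", "facebook.com")


def shared_rds_server() -> tuple:
    """All sessions share RDS_IP, so the verdict follows whoever holds the mapping."""
    fw = Firewall()
    none_mapped = fw.decide(RDS_IP, "facebook.com")   # user-filtered rule never matches
    fw.login("alice", RDS_IP)
    fw.login("boss", RDS_IP)                          # boss inherits alice's verdict
    both_logged_in = fw.decide(RDS_IP, "facebook.com")
    fw.logout("alice", RDS_IP)
    fw.login("boss", RDS_IP)                          # now the IP belongs to boss
    after_alice_logout = fw.decide(RDS_IP, "facebook.com")
    return none_mapped, both_logged_in, after_alice_logout
```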
  • DG_1
    DG_1 Posts: 6
    First Comment
    Hello!
    I have to fulfill the management's request. So what solution can you suggest?
    Maybe there is a way to identify the excluded persons in some way, which I can handle on the firewall? I should not block eg. Facebook for management. :)
  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate 100 Answers
    Hello @DG_1
    The scenario is not achievable. The device determines the user by the IP address from which the user logs on.
    As I mentioned, the website-allowed user won't be blocked if the website-limited user logs out first and then the website-allowed user logs in after, because the IP address will then be matched to the website-allowed user instead of the website-limited user.

    James