ASA Basic URL Filtering based on Active Directory Group?
I have a client who is looking to upgrade their current firewall / proxy. The customer currently only uses the proxy to filter who is allowed access to the internet. I am looking to solve this problem on a single device (ASA). In particular they have an ASA 5510 but would be looking to upgrade it. They currently classify users as "no internet", "selected sites", "internet", and "full access" in AD (Win Srv 2012). "No Internet" users are blocked to all sites except a few sites like UPS and their time clock SaaS provider. "Selected Sites" are allowed to a list of sites that the IT manager updates. "Internet" and "Full Access" are now similar in that they are allowed to all sites. (Used to have URL category filtering but don't subscribe anymore.)
I am looking to have the firewall check AD to see what group the user is in and then apply a rule (access list, etc) based on the group.
Ideally, I would like to make this as simple to manage as possible (current proxy has web interface to add sites to allow) but don't want to spend a ton on modules and software just to get 1 feature.
Unfortunately, as I understand it, this solution allows an IP based on username. Since they use remote desktop services and most users would end up having the same IP (of the Terminal Server Host), it would allow everyone on the TS, not just the individual user.
You're correct - Identity Firewall features don't work in the use case of multiple TS users coming from the same address. There is an unresolved enhancement request filed for this issue.
Even if you had a 5500-X series with WSE and AVC NGFW services on the CX module and use identity-based policies there, you still have the constraint that the CX maps authenticated users to IP addresses to record that a given source has been authenticated. Reference.
A non-Cisco solution is available for this use case using Palo Alto Networks' User-ID Terminal Services agent in conjunction with their firewall. Reference.
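To make the answer's point concrete, here is an added toy model (not code from the thread, from Cisco, or from Palo Alto Networks) of an identity table keyed on source IP, as described for the ASA Identity Firewall, beside one keyed on (IP, source-port range), the approach a terminal-services agent takes. All users, groups, addresses and port ranges are constructed sample values.

```python
"""Why IP-keyed user identity breaks behind a shared Terminal Server.

Constructed model: two users log in to the same TS host; the firewall must
decide whether a connection from that host may reach a given site.
"""

TS_HOST = "10.0.0.50"  # constructed: address shared by every TS session

# constructed AD group -> allowed destinations; None means "all sites"
GROUP_POLICY = {
    "no_internet": {"ups.com", "timeclock.example"},
    "selected_sites": {"ups.com", "timeclock.example", "vendor.example"},
    "internet": None,
    "full_access": None,
}

def allowed(group, host):
    """Policy check for one group; unknown/unmapped traffic is denied."""
    if group not in GROUP_POLICY:
        return False
    allow = GROUP_POLICY[group]
    return allow is None or host in allow

class IpKeyedIdentity:
    """source IP -> (user, group); a later login overwrites the earlier one."""
    def __init__(self):
        self.table = {}
    def login(self, ip, user, group, port_range=None):
        self.table[ip] = (user, group)
    def decide(self, ip, src_port, host):
        user, group = self.table.get(ip, (None, None))
        return user, allowed(group, host)

class PortRangeIdentity:
    """(source IP, port range) -> (user, group); each session gets its own
    block of source ports, so sessions behind one IP stay distinguishable."""
    def __init__(self):
        self.table = {}  # ip -> [(lo, hi, user, group), ...]
    def login(self, ip, user, group, port_range):
        self.table.setdefault(ip, []).append((*port_range, user, group))
    def decide(self, ip, src_port, host):
        for lo, hi, user, group in self.table.get(ip, []):
            if lo <= src_port <= hi:
                return user, allowed(group, host)
        return None, False

def demo():
    """alice (no internet) and bob (full access) share the TS host; alice's
    session then connects from port 20500 to a site she should not reach."""
    results = []
    for fw in (IpKeyedIdentity(), PortRangeIdentity()):
        fw.login(TS_HOST, "alice", "no_internet", (20000, 20999))
        fw.login(TS_HOST, "bob", "full_access", (21000, 21999))
        results.append(fw.decide(TS_HOST, 20500, "news.example"))
    return tuple(results)  # -> (('bob', True), ('alice', False))
```

With the IP-keyed table, alice's connection is attributed to bob and permitted; with per-session port ranges it is attributed to alice and denied.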