SmartFilter for Cisco Content Engine User's Guide, Version 3.1 - Chapter 8: Applying SmartFilter Policies [Cisco Application and Content Networking System (ACNS) Software]

Table Of Contents

Applying SmartFilter Software Policies

Configuring User Groups

Adding a User Group

Deleting a User Group

Finding a User Group in the Table

Configuring User Directories

Creating Users

Creating Users One at a Time

Finding a User

Deleting a User

Importing Users or Groups from a Text File

Creating IP Address Groups

Adding an IP Address Range

Finding an IP Address Range

Deleting an IP Address Range

Debugging Policies Using the View and Assign User(s) Window

Removing a User from a Group

Deleting a User from SmartFilter Software

Assigning a User to More Than One Group

Configuring URL Logging Options

Applying SmartFilter Software Policies

This chapter provides information about applying SmartFilter software policies and configuring log options. It contains the following topics:

•Configuring User Groups

•Configuring User Directories

•Creating Users

•Creating IP Address Groups

•Debugging Policies Using the View and Assign User(s) Window

•Configuring URL Logging Options

Configuring User Groups

Policies are applied to groups. The User Group window contains information about the policies applied to a particular group of users. Use the User Group window, shown in Figure 8-1, if you are performing these tasks:

•Adding a User Group

•Deleting a User Group

•Finding a User Group in the Table

Figure 8-1 User Group Window

Adding a User Group

To add a user group, follow these steps:

Step 1 Click Add.

The cursor appears in the Name field.

Note If you use the toolbar button to access the User Group window, the cursor appears in the Name field.

Step 2 Enter the name of the user group.

Step 3 Choose the policy that you want to attach to the group.

Step 4 Click OK.

The user group that you entered appears in the table at the bottom of the window.

Deleting a User Group

To delete a user group, follow these steps:

Step 1 Choose the user group that you want to delete.

Step 2 Click Delete.

•If you chose only one user group, the account is removed from the table. No warning message appears.

•If you chose more than one user group, a message appears, asking if you are sure you want to delete the rows. Click Yes to delete the rows. Click No to return to the table.

Finding a User Group in the Table

To find a user group in the table, follow these steps:

Step 1 Click Find.

The cursor moves to the Name field.

Step 2 Enter the name of the user group.

Step 3 Click OK. One of the following occurs:

•A message appears, telling you that no row is found.

•The table displays only rows that match the search criteria you entered.

Step 4 Click Cancel to display the entire list of user groups.

Configuring User Directories

The SmartFilter software integration with the Cisco Content Engine supports dynamic querying of user group information from one or more user directories including generic LDAP servers (Netscape or iPlanet), Active Directory, and the internal SmartFilter software user database.

These supported directories can be configured and the order in which they are queried can be arranged within the Administration Console. When a username is encountered, SmartFilter software queries each directory one at a time until the username is found and at least one group name can be determined. When one or more group names are found, none of the remaining directories are queried.

After the group names are retrieved, they are used to determine the policies that should be applied to the user. If after all directories are queried and one or more group names are not found, the default policy is used.

The mapping of group names to policies must be manually entered into the SmartFilter Administration Console. There is no support for importing group names from the user directories. To properly implement the SmartFilter software policy, these manually entered group names must exactly match those being used and assigned to users within the user directories.

The SmartFilter Administration Console only manages the internal SmartFilter software user database as currently implemented in Release 3.1.2. The SmartFilter Administration Console does not import, display, or modify any user or group information from LDAP or Active Directory.

The purpose of the User Directories window, shown in Figure 8-2, is to inform the SmartFilter software which directories to use and in what order. If you wish to use an LDAP or Active Directory server, you must first create a directory definition under the Enterprise Settings. See the "Defining Directory Resources Information" section.

The server you defined then appears in the list box on the right.

Figure 8-2 User Directories Window

To select user directories, follow these steps:

Step 1 Choose the directories that you want to use from the list box on the right side of the window.

Step 2 Click Add <.

The directories that you selected appear in the list box on the left side of the window.

Step 3 Use the Higher and Lower buttons to arrange the directories into the order in which you want them searched.

Once SmartFilter software has looked up the groups a user belongs to, it stores this information in a user cache. The two fields, Number of Users and Time Out (Minutes), are used to configure how many users should be stored in this cache and how long this information is valid.

Step 4 Change the value in the Number of Users field, if necessary.

Step 5 Change the value in the Time Out (Minutes) field, if necessary.

Step 6 Click OK.

Creating Users

Before you can apply a SmartFilter software policy to a group, all three elements (users, groups, and policies) must exist in SmartFilter software. The following sections explain how to create users and groups.

Creating Users One at a Time

The Internal User window, shown in Figure 8-3, contains information about the users and groups to which they belong. This is the window that you use to add user names one at a time.

Figure 8-3 Internal User Window

To add users to SmartFilter software one at a time, follow these steps:

Step 1 Click Add.

The cursor appears in the Name field.

Step 2 Enter the name of the user and click OK.

The username you entered appears in the Name column of the table.

Finding a User

To find a particular user in the Internal User window, follow these steps:

Step 1 Click Find.

Step 2 Click in the Name field and enter the name of the user that you want to find.

Step 3 Click OK. One of the following occurs.

•A message appears, telling you that no row is found.

•The table displays only rows that match the usernames you entered.

Step 4 Click OK to display the entire list of internal users.

Deleting a User

To delete a user from the Internal User window, follow these steps:

Step 1 Choose the user that you want to delete.

Note If you choose only one user to be deleted, you do not receive a warning message. If you select more than one user, a warning message appears, asking if you are sure you want to delete the rows.

Step 2 Click Delete.

The user is removed from the table.

Importing Users or Groups from a Text File

This technique allows user and group definitions to be imported from a text file. A browse feature is provided. To import a file of users and groups from the SmartFilter Administration Console, follow these steps:

Step 1 From the Internal User window, shown in Figure 8-3, choose File > Import Users From Text File.

Step 2 Enter the full name of the text file using one of the following options:

•Enter the full name in the Enter file name field, and click OK.

•Browse through the directories until you find the file. The text file should use the following format:
username group
Step 3 Click Import.

The Import Users from Text File window appears.

Figure 8-4 Import Users From Text File Window

Step 4 Review the information in the window and click OK.

Step 5 Navigate to the Internal User window in the User, Group, and Policy folder. You should see the users you imported.

Note If this window was already opened, close it and reopen it.

Step 6 Click Deploy to save your changes before exiting.

Creating IP Address Groups

The IP Address Range window, shown in Figure 8-5, allows you to define an IP address as a user. Like other users, IP address ranges can be added to groups and can have policies applied to them.

Note Usernames take precedence over IP addresses.

Figure 8-5 IP Address Range Window

Use the IP Address Range window for these tasks:

•Adding an IP Address Range

•Finding an IP Address Range

•Deleting an IP Address Range

Adding an IP Address Range

To add an IP address range, follow these steps:

Step 1 Click Add.

Step 2 Enter the beginning IP address and the ending IP address in the appropriate fields.

Step 3 Click OK.

The addresses that you entered appear in the IP Range column of the table.

Finding an IP Address Range

To find a particular IP address range in the IP Address Range window, follow these steps:

Step 1 Click Find.

Step 2 Click in the Begin field and enter the IP address that you want to find.

Step 3 Click OK. One of the following occurs.

•A message appears, telling you that no row is found.

•The table displays only rows that match the search criteria you entered.

Step 4 Click Cancel to display the entire list of IP address ranges.

Deleting an IP Address Range

To delete an IP address range from the table, follow these steps:

Step 1 Choose the IP address range that you want to delete.

Note If you choose only one IP address range to be deleted, you do not receive a warning message. If you choose more than one IP address range, a warning message appears asking if you are sure you want to delete the rows.

Step 2 Click Delete.

The IP address range is removed from the table.

Debugging Policies Using the View and Assign User(s) Window

The View and Assign User(s) window, shown in Figure 8-6, allows you to simultaneously view all groups that have been assigned a given policy and the individual internal users that are members of those groups. You can also reassign users from one group to another using this window to fine-tune the application of policy to users.

Figure 8-6 View and Assign User(s) Window

To view groups assigned to a policy, choose a policy using the Policy drop-down list. All groups having the selected policy are listed in the area directly below the drop-down list. In the area to the right, all users who are members of the displayed groups are presented. These users, by virtue of their inclusion in the listed groups, also have the selected policy applied to them. Choosing a group name causes only the members of that group to be displayed in the users area. Clicking Assign To Group or Remove From Group in conjunction with the Group Assigned drop-down list makes it possible to move these users to a different group or to reassign them to another group with the desired policy. These moves can be accomplished either singly or in combination.

Ungrouped users are automatically assigned to a group in this window called Anonymous_Group, which is the default group. All users in this default group have the default SmartFilter software policy applied to them.

Use the View and Assign User(s) window for these tasks:

•Removing a User from a Group

•Deleting a User from SmartFilter Software

•Assigning a User to More Than One Group

Removing a User from a Group

To remove a user from a group, follow these steps:

Step 1 Click the desired group in the area below the Policy drop-down list.

Step 2 Choose the user that you want to remove from the group.

Step 3 Click Remove From Group. A warning message appears, asking if you are sure you want to delete the user from the group.

•Click Yes to delete the user from the group.

•Click No to leave the user in the group.

Deleting a User from SmartFilter Software

To delete a user from the SmartFilter Administration Server internal user directory, follow these steps:

Step 1 Click the desired group in the area below the Policy drop-down list.

Step 2 Choose the user that you want to remove.

Step 3 Click Delete User(s). A warning message appears, asking if you are sure you want to delete the user.

•Click Yes to delete the user from the SmartFilter software.

•Click No to leave the user in the SmartFilter software.

Assigning a User to More Than One Group

To assign a user to more than one group, follow these steps:

Step 1 Click the desired group in the area below the Policy drop-down list.

Step 2 Choose the users that you want to assign to another group.

Step 3 Choose the target group using the Group Assigned drop-down list.

Step 4 Click Assign To Group.

Configuring URL Logging Options

SmartFilter software allows you to monitor restricted or all categorized URLs. The Log Option window, shown in Figure 8-7, allows you to set one of three options to configure the SmartFilter software proxy-generated log files.

•None—Does not log any category information with the URL

•Restricted—Logs only those categories that restrict a URL

•All Categorized—Logs every category for a URL

Figure 8-7 Log Option Window

By default, SmartFilter plug-ins running on a UNIX operating system log each URL, regardless of the restrictions assigned to it.

	SmartFilter for Cisco Content Engine User's Guide, Version 3.1
	Chapter 8: Applying SmartFilter Policies
SmartFilter for Cisco Content Engine User's Guide, Version 3.1 Index Title Page Preface Chapter 1: SmartFilter Software Overview Chapter 2:Understanding the SmartFilter Control List Chapter 3: Installing the SmartFilter Administration Software Chapter 4: Launching the Administration Console for the First Time Chapter 5: Configuring Enterprise Settings Chapter 6: Configuring the SmartFilter Control List Chapter 7: Creating SmartFilter Policies Chapter 8: Applying SmartFilter Policies	Download this chapter Chapter 8: Applying SmartFilter Policies Download the complete book SmartFilter for Cisco Content Engine User's Guide (PDF - 2 MB) Table Of Contents Applying SmartFilter Software Policies Configuring User Groups Adding a User Group Deleting a User Group Finding a User Group in the Table Configuring User Directories Creating Users Creating Users One at a Time Finding a User Deleting a User Importing Users or Groups from a Text File Creating IP Address Groups Adding an IP Address Range Finding an IP Address Range Deleting an IP Address Range Debugging Policies Using the View and Assign User(s) Window Removing a User from a Group Deleting a User from SmartFilter Software Assigning a User to More Than One Group Configuring URL Logging Options Applying SmartFilter Software Policies This chapter provides information about applying SmartFilter software policies and configuring log options. It contains the following topics: •Configuring User Groups •Configuring User Directories •Creating Users •Creating IP Address Groups •Debugging Policies Using the View and Assign User(s) Window •Configuring URL Logging Options Configuring User Groups Policies are applied to groups. The User Group window contains information about the policies applied to a particular group of users. Use the User Group window, shown in Figure 8-1, if you are performing these tasks: •Adding a User Group •Deleting a User Group •Finding a User Group in the Table Figure 8-1 User Group Window Adding a User Group To add a user group, follow these steps: Step 1 Click Add. The cursor appears in the Name field. Note If you use the toolbar button to access the User Group window, the cursor appears in the Name field. Step 2 Enter the name of the user group. Step 3 Choose the policy that you want to attach to the group. Step 4 Click OK. The user group that you entered appears in the table at the bottom of the window. Deleting a User Group To delete a user group, follow these steps: Step 1 Choose the user group that you want to delete. Step 2 Click Delete. •If you chose only one user group, the account is removed from the table. No warning message appears. •If you chose more than one user group, a message appears, asking if you are sure you want to delete the rows. Click Yes to delete the rows. Click No to return to the table. Finding a User Group in the Table To find a user group in the table, follow these steps: Step 1 Click Find. The cursor moves to the Name field. Step 2 Enter the name of the user group. Step 3 Click OK. One of the following occurs: •A message appears, telling you that no row is found. •The table displays only rows that match the search criteria you entered. Step 4 Click Cancel to display the entire list of user groups. Configuring User Directories The SmartFilter software integration with the Cisco Content Engine supports dynamic querying of user group information from one or more user directories including generic LDAP servers (Netscape or iPlanet), Active Directory, and the internal SmartFilter software user database. These supported directories can be configured and the order in which they are queried can be arranged within the Administration Console. When a username is encountered, SmartFilter software queries each directory one at a time until the username is found and at least one group name can be determined. When one or more group names are found, none of the remaining directories are queried. After the group names are retrieved, they are used to determine the policies that should be applied to the user. If after all directories are queried and one or more group names are not found, the default policy is used. The mapping of group names to policies must be manually entered into the SmartFilter Administration Console. There is no support for importing group names from the user directories. To properly implement the SmartFilter software policy, these manually entered group names must exactly match those being used and assigned to users within the user directories. The SmartFilter Administration Console only manages the internal SmartFilter software user database as currently implemented in Release 3.1.2. The SmartFilter Administration Console does not import, display, or modify any user or group information from LDAP or Active Directory. The purpose of the User Directories window, shown in Figure 8-2, is to inform the SmartFilter software which directories to use and in what order. If you wish to use an LDAP or Active Directory server, you must first create a directory definition under the Enterprise Settings. See the "Defining Directory Resources Information" section. The server you defined then appears in the list box on the right. Figure 8-2 User Directories Window To select user directories, follow these steps: Step 1 Choose the directories that you want to use from the list box on the right side of the window. Step 2 Click Add <. The directories that you selected appear in the list box on the left side of the window. Step 3 Use the Higher and Lower buttons to arrange the directories into the order in which you want them searched. Once SmartFilter software has looked up the groups a user belongs to, it stores this information in a user cache. The two fields, Number of Users and Time Out (Minutes), are used to configure how many users should be stored in this cache and how long this information is valid. Step 4 Change the value in the Number of Users field, if necessary. Step 5 Change the value in the Time Out (Minutes) field, if necessary. Step 6 Click OK. Creating Users Before you can apply a SmartFilter software policy to a group, all three elements (users, groups, and policies) must exist in SmartFilter software. The following sections explain how to create users and groups. Creating Users One at a Time The Internal User window, shown in Figure 8-3, contains information about the users and groups to which they belong. This is the window that you use to add user names one at a time. Figure 8-3 Internal User Window To add users to SmartFilter software one at a time, follow these steps: Step 1 Click Add. The cursor appears in the Name field. Step 2 Enter the name of the user and click OK. The username you entered appears in the Name column of the table. Finding a User To find a particular user in the Internal User window, follow these steps: Step 1 Click Find. Step 2 Click in the Name field and enter the name of the user that you want to find. Step 3 Click OK. One of the following occurs. •A message appears, telling you that no row is found. •The table displays only rows that match the usernames you entered. Step 4 Click OK to display the entire list of internal users. Deleting a User To delete a user from the Internal User window, follow these steps: Step 1 Choose the user that you want to delete. Note If you choose only one user to be deleted, you do not receive a warning message. If you select more than one user, a warning message appears, asking if you are sure you want to delete the rows. Step 2 Click Delete. The user is removed from the table. Importing Users or Groups from a Text File This technique allows user and group definitions to be imported from a text file. A browse feature is provided. To import a file of users and groups from the SmartFilter Administration Console, follow these steps: Step 1 From the Internal User window, shown in Figure 8-3, choose File > Import Users From Text File. Step 2 Enter the full name of the text file using one of the following options: •Enter the full name in the Enter file name field, and click OK. •Browse through the directories until you find the file. The text file should use the following format: username group Step 3 Click Import. The Import Users from Text File window appears. Figure 8-4 Import Users From Text File Window Step 4 Review the information in the window and click OK. Step 5 Navigate to the Internal User window in the User, Group, and Policy folder. You should see the users you imported. Note If this window was already opened, close it and reopen it. Step 6 Click Deploy to save your changes before exiting. Creating IP Address Groups The IP Address Range window, shown in Figure 8-5, allows you to define an IP address as a user. Like other users, IP address ranges can be added to groups and can have policies applied to them. Note Usernames take precedence over IP addresses. Figure 8-5 IP Address Range Window Use the IP Address Range window for these tasks: •Adding an IP Address Range •Finding an IP Address Range •Deleting an IP Address Range Adding an IP Address Range To add an IP address range, follow these steps: Step 1 Click Add. Step 2 Enter the beginning IP address and the ending IP address in the appropriate fields. Step 3 Click OK. The addresses that you entered appear in the IP Range column of the table. Finding an IP Address Range To find a particular IP address range in the IP Address Range window, follow these steps: Step 1 Click Find. Step 2 Click in the Begin field and enter the IP address that you want to find. Step 3 Click OK. One of the following occurs. •A message appears, telling you that no row is found. •The table displays only rows that match the search criteria you entered. Step 4 Click Cancel to display the entire list of IP address ranges. Deleting an IP Address Range To delete an IP address range from the table, follow these steps: Step 1 Choose the IP address range that you want to delete. Note If you choose only one IP address range to be deleted, you do not receive a warning message. If you choose more than one IP address range, a warning message appears asking if you are sure you want to delete the rows. Step 2 Click Delete. The IP address range is removed from the table. Debugging Policies Using the View and Assign User(s) Window The View and Assign User(s) window, shown in Figure 8-6, allows you to simultaneously view all groups that have been assigned a given policy and the individual internal users that are members of those groups. You can also reassign users from one group to another using this window to fine-tune the application of policy to users. Figure 8-6 View and Assign User(s) Window To view groups assigned to a policy, choose a policy using the Policy drop-down list. All groups having the selected policy are listed in the area directly below the drop-down list. In the area to the right, all users who are members of the displayed groups are presented. These users, by virtue of their inclusion in the listed groups, also have the selected policy applied to them. Choosing a group name causes only the members of that group to be displayed in the users area. Clicking Assign To Group or Remove From Group in conjunction with the Group Assigned drop-down list makes it possible to move these users to a different group or to reassign them to another group with the desired policy. These moves can be accomplished either singly or in combination. Ungrouped users are automatically assigned to a group in this window called Anonymous_Group, which is the default group. All users in this default group have the default SmartFilter software policy applied to them. Use the View and Assign User(s) window for these tasks: •Removing a User from a Group •Deleting a User from SmartFilter Software •Assigning a User to More Than One Group Removing a User from a Group To remove a user from a group, follow these steps: Step 1 Click the desired group in the area below the Policy drop-down list. Step 2 Choose the user that you want to remove from the group. Step 3 Click Remove From Group. A warning message appears, asking if you are sure you want to delete the user from the group. •Click Yes to delete the user from the group. •Click No to leave the user in the group. Deleting a User from SmartFilter Software To delete a user from the SmartFilter Administration Server internal user directory, follow these steps: Step 1 Click the desired group in the area below the Policy drop-down list. Step 2 Choose the user that you want to remove. Step 3 Click Delete User(s). A warning message appears, asking if you are sure you want to delete the user. •Click Yes to delete the user from the SmartFilter software. •Click No to leave the user in the SmartFilter software. Assigning a User to More Than One Group To assign a user to more than one group, follow these steps: Step 1 Click the desired group in the area below the Policy drop-down list. Step 2 Choose the users that you want to assign to another group. Step 3 Choose the target group using the Group Assigned drop-down list. Step 4 Click Assign To Group. Configuring URL Logging Options SmartFilter software allows you to monitor restricted or all categorized URLs. The Log Option window, shown in Figure 8-7, allows you to set one of three options to configure the SmartFilter software proxy-generated log files. •None—Does not log any category information with the URL •Restricted—Logs only those categories that restrict a URL •All Categorized—Logs every category for a URL Figure 8-7 Log Option Window By default, SmartFilter plug-ins running on a UNIX operating system log each URL, regardless of the restrictions assigned to it.
	© 1992-2009 Cisco Systems, Inc. All rights reserved. Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks of Cisco Systems, Inc.