This document is a guide for deploying a ClearOS Professional Content Filter solution using Microsoft Active Directory for authentication and filter group policies. Though you can install ClearOS as a standalone content filter system, this document will go through the steps for deploying a ClearOS system in gateway-mode while connected to an Active Directory server on the local network.
Active Directory is the backbone of Windows-based networks and ClearOS can integrate right into the network:
No need for separate tools to manage users and groups.
Single sign-on support for the web proxy and content filter. A user only needs to log in to Windows and there is no need to log in again to access the web.
Take advantage of authentication with other ClearOS apps: PPTP Server
In this guide, we are going to walk through the following example:
An Active Directory server running on 192.168.55.55
A ClearOS gateway with a LAN IP of 192.168.55.1
When we're done, the Active Directory group Summer Interns will have strict content filtering policies, while the group Operations will have antivirus-only filtering policies. In addition, the default policy will be set to block all traffic except for the company web site - www.example.com.
Preparing the System
The first thing we need to do is make sure we have all the necessary apps installed on our ClearOS Professional system. From the Marketplace, please make sure the following apps are installed:
Once installed, it is time to move on to the first task - connecting ClearOS to an Active Directory server.
Connecting to Active Directory
This step can be a bit tricky. We need to make sure the parameters for connecting to Active Directory are correct. It sounds simple, but this step trips up even the most seasoned system administrator. There's no need to regurgitate the documentation that exists for the Active Directory Connector app, so please go through the Active Directory Connector app documentation to complete this step. After the connection is successful, you can continue with this implementation guide.
Users and Groups
With the ClearOS system now connected to Active Directory, you can now start to configure Web Proxy and Content Filter policies. How did the web proxy get involved? Well, the web proxy is a required piece of the content filter process, so in order to use the content filter, the web proxy needs to be running.
In our example, we are going to configure two users:
alex in the group Summer Interns
billie in the group Operations
In order for both of these users to have access to the web, they both need to be in a pre-defined group called web_proxy_plugin. This group is used by the ClearOS Web Proxy to determine which users have access to the proxy when user authentication is enabled.
When you visit the Gateway|Content Filter and Proxy|Web Proxy page, you will see the App Policies widget at the bottom of the page. You can click on View Members to see which users are authorized to use the Web Proxy (i.e. in the web_proxy_plugin group). Remember, the User Authentication feature in the web-proxy needs to be enabled for web site access.
It can take up to 5 minutes for the users and groups to appear in the ClearOS web-based interface. Please keep in mind, when a user authentication request is made against a ClearOS app, it is always done in real-time (no delay).
Next up is the Content Filter app. We are going to create two new policies to supplement the default policy.
First, we want to configure a strict Default policy. This policy will be in place when a user authenticates against the proxy / content filter, but is not part of a group defined in other filter policies.
Click on to update the default settings
Click on for the General Settings feature
Enable the Blanket Block feature
With Blanket Block enabled, all web access is blocked except for domains configured in the Exception list. Go back to the policy configuration page to update this list:
Click on for the Exception Sites feature
Add a web site of your choosing, e.g. example.com - no www prefix required
At this point, all users will be restricted to viewing example.com web site assets.
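The decision this configuration is meant to produce can be written down as a small model and used as a checklist when testing from a client. This is an added illustration, not ClearOS code: the function names, the first-match policy order, and the rule that an Exception Sites entry covers its subdomains on a label boundary are assumptions.

```python
"""Model of the access decision the guide configures (added illustration, not ClearOS code)."""

WEB_PROXY_GROUP = "web_proxy_plugin"  # group name taken from the guide


def host_allowed(host, exception_sites):
    """Match a host against Exception Sites entries on a DNS label boundary.

    Assumption: an entry such as "example.com" covers the domain itself and
    its subdomains (the guide says no www prefix is required).
    """
    host = host.lower().rstrip(".")
    for site in exception_sites:
        site = site.lower().rstrip(".")
        if host == site or host.endswith("." + site):
            return True
    return False


def select_policy(user_groups, group_policies, default_policy):
    """Return the first group policy that applies (assumed order), else the default."""
    for group, policy in group_policies:
        if group in user_groups:
            return policy
    return default_policy


def decide(user_groups, host, group_policies, default_policy):
    """Return 'deny-proxy', 'block' or 'allow'; other filtering is not modeled."""
    if WEB_PROXY_GROUP not in user_groups:
        return "deny-proxy"  # user is not authorized to use the web proxy
    policy = select_policy(user_groups, group_policies, default_policy)
    if policy["blanket_block"] and not host_allowed(host, policy["exception_sites"]):
        return "block"
    return "allow"


# Constructed state matching the guide at this step: only the default policy exists.
DEFAULT_POLICY = {"blanket_block": True, "exception_sites": ["example.com"]}
ALEX = {"Summer Interns", WEB_PROXY_GROUP}

if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "facebook.com",
                 "notexample.com", "example.com.lookalike.test"):
        print(host, decide(ALEX, host, [], DEFAULT_POLICY))
    print("no proxy group:", decide({"Operations"}, "example.com", [], DEFAULT_POLICY))
```

The two look-alike hosts are the cases worth testing by hand against the real filter, since a naive substring or suffix match would let them through.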
Additional Filter Policies
Now you can go through a similar process of configuring two new policies for your organization. From the main Content Filter app configuration screen:
Click on in the App Policies widget
Type in interns and select the group interns
New policies are created with the settings from the default policy. If you have a restrictive default policy (recommended) then new policies must undo any of the unwanted restrictions.
Next, we are going to restrict access to facebook.com and other non-work related web sites for our interns:
Click on for the interns policy
Click on for the General Settings feature
Set the Dynamic Scan Sensitivity to Very Aggressive