This document is a guide for deploying a ClearOS Professional Content Filter solution using Microsoft Active Directory for authentication and filter group policies. Though you can install ClearOS as a standalone content filter system, this document will go through the steps for deploying a ClearOS system in gateway-mode while connected to an Active Directory server on the local network.
Active Directory is the backbone of Windows-based networks and ClearOS can integrate right into the network:
When we're done, the Active Directory group Summer Interns will have strict content filtering policies, while the group Operations will have antivirus-only filtering policies. In addition, the default policy will be set to block all traffic except for the company web site - www.example.com.
The first thing we need to do is make sure we have all the necessary apps installed on our ClearOS Professional system. From the Marketplace, please make sure the following apps are installed:
Once installed, it is time to move on to the first task - connecting ClearOS to an Active Directory server.
This step can be a bit tricky. We need to make sure the parameters for connecting to Active Directory are correct. It sounds simple, but this step trips up even the most seasoned system administrator. There's no need to regurgitate the documentation that exists for the Active Directory Connector app, so please go through the Active Directory Connector app documentation to complete this step. After the connection is successful, you can continue with this implementation guide.
With the ClearOS system connected to Active Directory, you can start to configure Web Proxy and Content Filter policies. How did the web proxy get involved? Well, the web proxy is a required piece of the content filter process, so in order to use the content filter, the web proxy needs to be running.
In our example, we are going to configure two users:
In order for both of these users to have access to the web, they both need to be in a pre-defined group called web_proxy_plugin. This group is used by the ClearOS Web Proxy to determine which users have access to the proxy when user authentication is enabled.
When you visit the <navigation>Gateway|Content Filter and Proxy|Web Proxy</navigation> page, you will see the App Policies widget at the bottom of the page. You can click on View Members to see which users are authorized to use the Web Proxy (i.e. in the web_proxy_plugin group). Remember, the User Authentication feature in the web-proxy needs to be enabled for web site access.
<note warning>It can take up to 5 minutes for the users and groups to appear in the ClearOS web-based interface. Please keep in mind, when a user authentication request is made against a ClearOS app, it is always done in real-time (no delay).</note>
Next up is the Content Filter app. We are going to create two new policies to supplement the default policy.
First, we want to configure a strict Default policy. This policy will be in place when a user authenticates against the proxy / content filter, but is not part of a group defined in other filter policies.
With Blanket Block enabled, all web access is blocked except for domains configured in the Exception list. Go back to the policy configuration page to update this list:
At this point, all users will be restricted to viewing example.com web site assets.
Now you can go through a similar process of configuring two new policies for your organization. From the main Content Filter app configuration screen:
<note warning>New policies are created with the settings from the default policy. If you have a restrictive default policy (recommended) then new policies must undo any of the unwanted restrictions.</note>
Next, we are going to restrict access to facebook.com and other non-work related web sites for our interns:
If you have the Content Filter Updates app installed:
And finally, one last change to the interns content filter policy:
That is all that we need done for our example interns policy. Go through the same steps for the operations policy, but you can tune the filter differently this time around.
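The policy selection this guide sets up can be modeled in a few lines to sanity-check a planned configuration, including the case where a new policy is left with the default's restrictions. This is an added example, not ClearOS code: the dictionary keys, the `blocked_sites` name, subdomain matching, exceptions taking precedence, and first-matching-group selection are assumptions of the model.

```python
from copy import deepcopy
from urllib.parse import urlsplit

PROXY_GROUP = "web_proxy_plugin"  # group named in the guide

# Constructed model of the guide's Default policy: Blanket Block on,
# company site in the Exception list. Key names are this example's own.
DEFAULT = {"blanket_block": True, "exceptions": {"example.com"},
           "blocked_sites": set()}

def new_policy(default, **overrides):
    """A new policy starts as a copy of the default policy's settings."""
    policy = deepcopy(default)
    policy.update(overrides)
    return policy

def host_matches(host, domains):
    # Assumption: a listed domain also covers its subdomains.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def decide(user_groups, url, group_policies, default=DEFAULT):
    """Return (policy_name, verdict) for an authenticated user's request."""
    if PROXY_GROUP not in user_groups:
        return (None, "deny: not in " + PROXY_GROUP)
    name, policy = "default", default
    for group, (pname, candidate) in group_policies.items():
        if group in user_groups:  # assumption: first matching group wins
            name, policy = pname, candidate
            break
    host = urlsplit(url).hostname or ""
    if host_matches(host, policy["exceptions"]):  # assumption: exceptions win
        return (name, "allow: exception")
    if policy["blanket_block"]:
        return (name, "block: blanket block")
    if host_matches(host, policy["blocked_sites"]):
        return (name, "block: blocked site")
    return (name, "allow")

# Policies as the guide describes them, plus one left unedited after creation.
INTERNS = new_policy(DEFAULT, blanket_block=False, blocked_sites={"facebook.com"})
OPERATIONS = new_policy(DEFAULT, blanket_block=False)
UNEDITED = new_policy(DEFAULT)  # still carries the default's Blanket Block
POLICIES = {"Summer Interns": ("interns", INTERNS),
            "Operations": ("operations", OPERATIONS)}

if __name__ == "__main__":
    intern = {PROXY_GROUP, "Summer Interns"}
    for url in ("http://www.example.com/", "http://www.facebook.com/"):
        print(url, decide(intern, url, POLICIES))
```

Passing `UNEDITED` in place of `INTERNS` shows a group member still blocked from everything outside the Exception list, which is the situation the warning about new policies describes.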