Content Filtering with Active Directory

This document is a guide for deploying a ClearOS Professional Content Filter solution using Microsoft Active Directory1) for authentication and filter group policies. Though you can install ClearOS as a standalone content filter system, this document will go through the steps for deploying a ClearOS system in gateway-mode while connected to an Active Directory server on the local network.

Active Directory is the backbone of Windows-based networks and ClearOS can integrate right into the network:

  • No need to manage different tools to manage users and groups.
  • Single sign-on support for the web proxy and content filter. A user only needs to login to Windows and there is no need to re-login to access the web.
  • Take advantage of authentication with other ClearOS apps: PPTP Server

Big Picture

ClearOS Active Directory Connector - Implementation Guide In this guide, we are going to walk through the following example:

  • An Active Directory server running on
  • A ClearOS gateway with a LAN IP of

When we're done, the Active Directory group Summer Interns with have strict content filtering policies, while the group Operations will have antivirus-only filtering policies. In addition, the default policy will be set to block all traffic except for the company web site -

Preparing the System

The first thing we need to do is make sure we have all the necessary apps installed on our ClearOS Professional system. From the Marketplace, please make sure the following apps are installed:

Once installed, it is time to move on to the first task - connecting ClearOS to an Active Directory server.

Connecting to Active Directory

This step can be a bit tricky. We need to make sure the parameters for connecting to Active Directory are correct. It sounds simple, but this step trips up even the most seasoned system administrator. There's no need to regurgitate the documentation that exists for the Active Directory Connector app, so please go though Active Directory Connector app documentation to complete this step. After the connection is successful, you can continue with this implementation guide.

Users and Groups

With the ClearOS system now connected to Active Directory, you can now start to configure Web Proxy and Content Filter policies. How did the web proxy get involved? Well, the web proxy is a required piece of the content filter process, so in order to use the content filter, the web proxy needs to be running.

In our example, we are going to configure two users:

  • alex in the group Summer Interns
  • billie in the group Operations

Web Proxy

In order for both of these users to have access to the web, they both need to be in a pre-defined group called web_proxy_plugin. This group used by the ClearOS Web Proxy to determine which users have access to the proxy when user authentication is enabled.

When you visit the <navigation>Gateway|Content Filter and Proxy|Web Proxy</navigation> page, you will see the App Policies widget at the bottom of the page. You can click on View Members to see which users are authorized to use the Web Proxy (i.e. in the web_proxy_plugin group). Remember, the User Authentication feature in the web-proxy needs to be enabled for web site access.

Web Proxy Plugin with Active Directory

It can take up to 5 minutes for the users and groups to appear in the ClearOS web-based interface. Please keep in mind, when a user authentication request is made against a ClearOS app, it is always done in real-time (no delay).

Content Filter

Next up is the Content Filter app. We are going to create two new policies to supplement the default policy.

Default Policy

First, we want to configure a strict Default policy. This policy will be in place when a user authenticates against the proxy / content filter, but is not part of group defined in other filter policies.

  • Click on Configure Policy to update the default settings
  • Click on Edit for the General Settings feature
  • Enable the Blanket Block feature

With Blanket Block enabled, all web access is blocked except for domains configured in the Exception list. Go back to the policy configuration page to update this list:

  • Click on Exception Sites for the Exception Sites feature
  • Click on Add
  • Add a web site of your choosing, e.g. - no www prefix required

At this point, all users will be restricted to viewing web site assets.

Additional Filter Polices

Now you can go through a similar process of configuring two new policies for your organization. From the main Content Filter app configuration screen:

  • Click on Add in the App Policies widget
  • Type in interns and select the group interns
New policies are created with the settings from the default policy. If you have a restrictive default policy (recommended) then new policies must undo any of the unwanted restrictions.

Next, we are going to restrict access to and other non-work related web sites for our interns:

  • Click on Configure Policy for the interns policy
  • Click on Edit for the General Settings feature
  • Set the Dynamic Scan Sensitivity to Very Aggressive
  • Disable the Blanket Block feature

If you have the Content Filter Updates app installed:

  • Click on Edit for Blacklists
  • Select the blacklists appropriate for the summer interns

And finally, one last change to the interns content filter policy:

  • Click on Edit for Banned Sites
  • Click on Add
  • Add to the banned site list

That is all that we need done for our example interns policy. Go through the same steps for the operations policy, but you can tune the filter differently this time around.

Marks belong to their respective owners.
content/en_us/kb_bestpractices_content_filtering_with_active_directory.txt · Last modified: 2020/05/07 13:12 (external edit)