Koozali.org: home of the SME Server

Access Control

msk
Access Control
« on: May 22, 2008, 11:59:04 AM »


Hello

Dear friends

This is Mobassir Sattar and I am almost new to SME Server. Last month I downloaded the new 7.3 version of SME Server and am using it as a gateway server.

At this time the built-in preconfigured Squid server is working very well, but the problem I have is that everyone has full access to everything, and I want internet access as follows:

1-   Executives & managers should have full access, all the time
2-   Some users should be allowed only specific web sites
3-   Most of the users need browsing and downloading blocked, but the antivirus software needs to download its updates from its site.
4-   Some users should be configured so that they can browse but are restricted from downloading anything.

Please guide me on how I can implement this security, and whether there is any remotely accessible tool so I can configure the SME server from a Windows-based computer.

If any expert user can write these commands, which I can just enter in squid.conf, using any IP range, I will change it as per my network.

I hope anyone can guide me with his expertise.


Waiting for a positive reply.

mercyh
Re: Access Control
« Reply #1 on: May 22, 2008, 03:32:43 PM »
Basic server administration is explained here:
http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter8


Most of us use this to do any command line work remotely:
http://www.chiark.greenend.org.uk/~sgtatham/putty/


I don't know if this will help with your web filtering needs or not:
http://wiki.contribs.org/Dansguardian
http://wiki.contribs.org/Dansguardian/ConfigFiles

msk
Re: Access Control
« Reply #2 on: May 28, 2008, 08:03:28 AM »
Hello

Thanks very much for your reply with the good links; I will check them and will try to get help.

Regards
Mobassir Sattar Khan

msk
Re: Access Control
« Reply #3 on: May 28, 2008, 02:18:24 PM »
Hello

Please tell me what help and articles are available on the net for Squid configuration running on Redhat or any other platform; will they also work on SME?
For example, the following article describes how to configure ACLs; if I use the same commands in SME's squid.conf, will it work?

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch32_:_Controlling_Web_Access_with_Squid

Regards
Mobassir Sattar Khan

Stefano
Re: Access Control
« Reply #4 on: May 28, 2008, 02:21:51 PM »
yes.. it will work but:
- don't edit squid.conf directly because it's templatized
- read the documentation about sme templates

HTH
Stefano
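
An added example, not part of any post in this thread: a Squid ACL fragment covering the four requirements from the first post. All addresses, domains and ACL names are constructed placeholders; as the reply above says, on SME Server these lines belong in a custom template fragment rather than in the generated squid.conf.

```conf
# Constructed example: every address range, domain and ACL name is a placeholder.
# Assumes the "all" ACL from the stock configuration is already defined.

# Requirement 1: executives and managers, full access at all times
acl managers src 192.168.1.10-192.168.1.19/32
# Requirement 2: users limited to specific web sites
acl restricted src 192.168.1.20-192.168.1.29/32
# Requirement 3: no browsing or downloading, antivirus updates only
acl no_browse src 192.168.1.30-192.168.1.99/32
# Requirement 4: browsing allowed, downloads blocked
acl no_download src 192.168.1.100-192.168.1.199/32

# Destinations (placeholder domains; a leading dot also matches subdomains)
acl allowed_sites dstdomain .intranet.example .supplier.example
acl av_updates dstdomain .av-vendor.example

# File types treated as downloads, matched case-insensitively on the URL path
acl downloads urlpath_regex -i \.(exe|zip|msi|iso|rar)$

# Rules are evaluated top to bottom and the first match decides.
http_access allow managers

http_access allow restricted allowed_sites
http_access deny restricted

http_access allow no_browse av_updates
http_access deny no_browse

http_access deny no_download downloads
http_access allow no_download

# Anything not matched above is refused.
http_access deny all
```

Because the first matching `http_access` line wins, each group's deny has to follow that group's allow. `urlpath_regex` only sees the path of plain HTTP requests; for HTTPS the proxy sees at most the host and port of a CONNECT request.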

msk
Re: Access Control
« Reply #5 on: June 03, 2008, 10:13:39 AM »

Hello

Thanks very much for your reply. OK, I will check the documents. At this time, can anyone please give me some guidelines on how to block downloading and access to adult sites, which is disturbing the network?
Waiting for reply.

Please guide me on how to disable any specific service/server running on the SME server; for example, I want to disable the built-in email server of the SME server because I am using Lotus Notes as my email server.

I am struggling to configure SME to allow the Notes server to send and receive email behind SME, because at this time the Notes server behind SME can send email to the outer world but SME blocks all incoming emails; for that I also configured port forwarding of 1352 for Notes. If anyone knows, please guide me.


Best regards
Mobassir Sattar Khan

Stefano
Re: Access Control
« Reply #6 on: June 03, 2008, 10:28:36 AM »
Quote
At this time, can anyone please give me some guidelines on how to block downloading and access to adult sites, which is disturbing the network?
Waiting for reply.

you can try squidguard http://wiki.contribs.org/SquidGuard or dansguardian http://wiki.contribs.org/Dansguardian

Quote
Please guide me on how to disable any specific service/server running on the SME server; for example, I want to disable the built-in email server of the SME server because I am using Lotus Notes as my email server.

I am struggling to configure SME to allow the Notes server to send and receive email behind SME, because at this time the Notes server behind SME can send email to the outer world but SME blocks all incoming emails; for that I also configured port forwarding of 1352 for Notes. If anyone knows, please guide me.


I think you'll find something searching for "lotus notes" here in the forums.

HTH

ciao
Stefano

msk
Re: Access Control
« Reply #7 on: June 10, 2008, 08:32:16 AM »
Hello

Thanks very much for your response.

Yesterday I implemented Dansguardian on my 7.3 SME server with the help of the guide you recommended to me, thanks.

I have the following questions, if anyone can help and guide:

1-    At this time security is based on IP, but can I also add a MAC address with the IP?
2-    On a blocked machine, how can I allow updates of AVG antivirus?
3-    Where do I add specific sites for specified users so that they can only visit these sites?
4-    Is there any option so that I can allow a couple of sites, such as hotmail.com etc., for specific users or all users at a specified time?

best regards
Mobassir Sattar

Stefano
Re: Access Control
« Reply #8 on: June 10, 2008, 08:58:09 AM »
hi

I think these are not SME-related questions.. you should read the dansguardian documentation at www.dansguardian.org

HTH
ciao
Stefano

janet
Re: Access Control
« Reply #9 on: June 10, 2008, 11:40:57 AM »
mobassir

Did you really read all of the wiki articles fully ?

The places to allow sites are in one of the config files
eg
http://wiki.contribs.org/Dansguardian/ConfigFiles#exceptionsitelist

http://wiki.contribs.org/Dansguardian
http://wiki.contribs.org/Dansguardian/ConfigFiles
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

msk
Re: Access Control
« Reply #10 on: June 12, 2008, 11:06:24 AM »
Hello

Thanks for the reply with the link. Yes, I am already getting help from the same documentation, and I hope that as I deploy this system with the help of these documents all my other questions will be resolved after some time, but I mean to ask: if anyone already knows, then please reply.

Most of the configuration has been done and is working fine, such as:
1- Complete blocking of downloading
2- Adult sites blocking
3- Managers' machines and servers are now unfiltered
Etc.

The major problem I am facing is the configuration to completely allow the company's secure website for all users; if anyone knows about this, please guide me.
Behind SME, users are unable to open sub-links of the main site even though I entered the domain name of that web site in exceptionsitelist, but the problem is not resolved; some users, after entering their user name and password and getting a confirmation message from the site of successful login, receive a page not found error.

But when the same users work directly behind the router, bypassing the SME Server, it works fine.

Is there any option so we can allow all sites starting with https?

Regards
Mobassir Sattar Khan


msk
Re: Access Control
« Reply #11 on: June 17, 2008, 01:38:41 PM »
Waiting for a reply from any expert.

janet
Re: Access Control
« Reply #12 on: June 17, 2008, 02:14:06 PM »
mobassir

dansguardian only controls http traffic (port 80)

https is on port 443

I suggest disabling dansguardian temporarily and then see what happens re your https traffic, you may be blocking https login control signals that are sent on port 80

msk
Re: Access Control
« Reply #13 on: July 16, 2008, 04:58:42 AM »
Hello

With your good suggestion I am now working with Dansguardian, which is giving very good results.

I was facing a problem with instability of the DSL service, so I subscribed to another DSL service for backup and redundancy, as I have experience with Linksys RV series routers. An RV series router has dual internet/WAN ports, and we can configure 2 DSL lines in one router for load balancing and redundancy.

But here I don't have any router with dual internet ports. I guess I could install another LAN card in my SME 7.3 and configure it as a 2nd external LAN card; is that possible?

This SME server is working as a gateway with 2 LAN cards: one internal for my local LAN and a 2nd, external one connected to the DSL modem.

So, any suggestions? Can I configure SME for load balancing and redundancy for internet connectivity?

Regards
Mobassir Sattar Khan