This article applies to:
Symptoms:
- User browsing restricted
- Error messages:
  - User Is Not Authenticated
  - The user name ... is not known to WebMarshal
  - The current user account is not recognized by WebMarshal
  - The web site was restricted by the rule "Standard Rules\Block - Undefined WebMarshal User"
Information:
These messages are returned in these cases:
- The account information for the user who is browsing has not been imported into WebMarshal (from AD, NT, or NDS)
- WebMarshal is using IP based (workstation) authentication, and the user is browsing from a workstation that is not within any configured IP group range
- The account or IP is configured as a user, but it is not a member of any group that controls access
See below for more information about these cases.
1. User is Not Authenticated - The user name is not known to WebMarshal
This condition can occur when you use account based authentication (AD, NT, or NDS).
When using Windows or NDS authentication, create the appropriate connector and make sure that you import a global user group, or combination of user groups, containing all users that will browse through WebMarshal.
- To check if the particular user is "known" to WebMarshal, open the web browser on the user's computer, confirm the proxy settings point to the WebMarshal server, and browse to http://webmarshal.home
- If you find that imported AD groups are not updating properly with new or changed members, see Trustwave Knowledge Base article Q12052.
- After importing new groups, be sure to grant access to the groups or members (see #3 below).
2. User is Not Authenticated: The current user account is not recognized by WebMarshal
When using IP (workstation) based authentication, make sure that you create IP ranges to cover all workstations that will browse through WebMarshal. For more information about configuring IP based authentication, see Trustwave Knowledge Base article Q14512.
3. The web site was restricted by the rule "Standard Rules\Block - Undefined WebMarshal User"
This condition can occur when you set up WebMarshal with the default policy.
WebMarshal rules are applied to user groups. The default policy (created with new installations) includes four main user groups. If a user is not a member of any of these groups, they will be denied all access by a catch-all rule found at the beginning of the Standard Rules listing (see the notes below for the definition of this rule).
The quickest way to give browsing permission to users is to add all users, or imported user groups, to one of the default WebMarshal user groups.
- In the WebMarshal Console, expand Policy Elements > User Groups.
- To quickly set permissions for many users, drag an imported group into a default WebMarshal group such as Standard Users.
- You can also select an imported group to view its members, and then drag individual members into a default WebMarshal group.
- Remember to commit configuration after making changes.
You can also create additional WebMarshal groups and use these in rules.
You can create or edit rules to suit your requirements.
Best practice for efficient management of policy is NOT to use imported groups directly in rules. Instead:
- Use the existing WebMarshal groups, or create new WebMarshal groups defined by function (like the default groups).
- Add the required imported groups (AD, NTLM, NDS, or IP groups), or individual members, to the WebMarshal groups. You can add any number and combination of these groups and users to a WebMarshal group.
- Use only WebMarshal groups when creating or editing rules.
Notes:
The default catch-all block rule appears as follows:
Block - Undefined WebMarshal User
Block access for all users that don't belong to the default WebMarshal groups. USAGE: New users or groups imported into WebMarshal should be added to a suitable default WebMarshal Group. If no suitable default rule exists, then new groups should be created, and new rules should be written for these users. Add new user groups to the user exclusion list in this rule as required. NOTE: The "Exclude From Reporting" default group is not included in this rule because it does not control access to sites.
When a web request is received
For any users
Except where the user is a member of Power Users, Restricted Users, Standard Users, Unrestricted Site Access
And where addressed to any URL
Block access to this site and display Blocked page
And do not process any further standard rules
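The three cases above can be checked offline against a copy of your group layout. The following is an added example, not Trustwave code and not a WebMarshal API: it is a simplified model of the decision described in this article, and the configuration dictionary layout, the function names, and the sample accounts and IP ranges are all hypothetical and constructed for illustration.

```python
import ipaddress

# Groups excluded from the default "Block - Undefined WebMarshal User" rule.
ACCESS_GROUPS = ("Power Users", "Restricted Users", "Standard Users",
                 "Unrestricted Site Access")

def in_group(principal, group, members, seen=frozenset()):
    """True if principal is in group directly or through a nested group."""
    if group in seen:                      # guard against circular nesting
        return False
    for m in members.get(group, ()):
        if m == principal:
            return True
        if m in members and in_group(principal, m, members, seen | {group}):
            return True
    return False

def triage(config, user=None, ip=None):
    """Return which of the article's three cases applies, or 'ok'."""
    if config["auth"] == "account":
        if user not in config["imported_users"]:
            return "case1_user_not_known"
        principals = [user]
    else:  # IP (workstation) based authentication
        addr = ipaddress.ip_address(ip)
        principals = [name for name, net in config["ip_groups"].items()
                      if addr in ipaddress.ip_network(net)]
        if not principals:
            return "case2_workstation_not_recognized"
    for p in principals:
        if any(in_group(p, g, config["members"]) for g in ACCESS_GROUPS):
            return "ok"
    return "case3_blocked_undefined_user"

# Constructed sample configurations (hypothetical, not from a real server).
ACCOUNT_CFG = {
    "auth": "account",
    "imported_users": {"CORP\\alice", "CORP\\bob"},
    "members": {"Standard Users": ["CORP\\Staff"],
                "CORP\\Staff": ["CORP\\alice"]},
}
IP_CFG = {
    "auth": "ip",
    "ip_groups": {"Office LAN": "10.1.0.0/24", "Lab": "10.2.0.0/24"},
    "members": {"Restricted Users": ["Office LAN"]},
}

if __name__ == "__main__":
    for u in ("CORP\\alice", "CORP\\bob", "CORP\\carol"):
        print(u, triage(ACCOUNT_CFG, user=u))
```

In the sample data, an imported account or IP group that was never dragged into a default WebMarshal group lands in case 3, which is the condition the catch-all rule reports.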