June 22, 2010
01 - Profiles Tab
The Access → Profiles tab lets you create Web profiles that can be assigned to Local, Windows or LDAP users for monitoring and/or blocking Web traffic. Web profiles can be utilized equally well for Bridge (transparent) mode and Proxy mode installations.
A profile is simply a named container for one or more named ACLs (Access Control Lists). An ACL identifies the Web categories that are to be monitored and/or blocked. Multiple ACLs may be created and applied at specific non-overlapping times for flexibility, e.g., from 8am to 12 noon shopping is not OK, but from 12 noon to 1pm shopping is OK, and at 1pm shopping is not OK again. Note that profile names must be unique, but the same ACL name ('lunch', for example) can be used across multiple profiles.
This topic will address default profiles, provide an example of profile creation, explain ACL checkbox options, and point out how profiles are assigned to Networks, Local users, Windows users, or LDAP users.
iPrism ships with two (2) default Web profiles that display in the Profile List frame. They can be used "as is", modified, or deleted. The default profiles are:
BlockOffensive - Blocks Web traffic deemed offensive.
PassAll - Blocks no Web traffic.
Selecting one of the above from the drop-down will display the profile name and related ACL. For example, select BlockOffensive; the lower frame now says Viewing BlockOffensive. Then click View in the Access Control List frame. This displays ACL 1, showing all Groups of Web categories, including those blocked. Click Ok to exit the ACL screen, and you will find that the monitor and block settings of ACL 1 (in purple) are applicable to the purple area of the ACL Scheduling Grid to the left, that is to say, ACL 1 is applied 24 hours a day, 7 days a week (7x24) by default.
To create your own example profile in just a few steps, do the following:
From Access → Profiles → Profile List frame, click the Add button, and enter a Profile Name "Example" and click Ok to launch the ACL screen. A default name of ACL 1 is created automatically, and all categories are Monitored by default. Monitored categories can be reported on using Reports Manager, un-monitored categories cannot. Yellow/Red boxes are used to indicate Monitored and Blocked:
Tip: Create your example profile first. Afterwards, come back and re-visit these ACL related details and options.
Change ACL Name to "Work".
Click the Toggle All bar until all the checkboxes are empty.
Click Sex and Questionable Activities bars until Block is checked, and Monitor is unchecked.
Scroll down to Business, block online auctions, consumer shopping, and specialized shopping. Click Ok to save the "Work" ACL.
Under the Access Control List frame, click Add, name the ACL "Lunch", Toggle All to uncheck all categories, then configure Sex and Questionable Activities the same as "Work" but do not block the shopping categories. When done click Ok. You should now have Work/Lunch ACLs indicated by different colors.
As soon as a second (2nd) ACL exists, you now have the option of scheduling the ACL on the scheduling grid to the left. Apply "Lunch" to the 12pm time slot, Monday through Friday. There are two (2) ways to do this:
Select "Lunch", and click the 12pm box 5 times (Monday through Friday) on the grid. This is called 'painting the grid'. To undo any mistaken scheduling, fix it by selecting "Work" and re-painting over the mistake.
Select "Lunch", click the zoom control (+) to get a more granular time line (every 15 minutes instead of every hour), and select multiple boxes using your mouse (position the pointer, click and hold, move mouse). Select 12pm to 12:45pm.
When you let go of the mouse button, the grid is 'painted'. This can be done zoomed in (15 minute timeline) or zoomed out (hourly timeline).
In summary, here are all the ACL scheduling methods:
'Painting' the grid with your mouse.
Clicking an individual cell.
Clicking an individual cell, pressing the [Shift] key, and then clicking on the last cell lets you paint a range.
Clicking a specific day-of-the-week header to paint the entire day.
Clicking a specific time-slot header to paint that time across the entire week.
Done! You have created an example two-ACL profile.
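The two-ACL profile built above can be modelled offline to check which ACL is in force at a given time before relying on the grid. This is an added Python sketch, not iPrism code or its configuration format: the `Profile` class and its methods are hypothetical, the "Sex" and "Questionable Activities" groups are treated as single labels, and only the Block setting is tracked.

```python
from datetime import time

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
SLOTS_PER_DAY = 24 * 4  # zoomed-in grid: one cell per 15 minutes

def slot(t):
    """Index of the 15-minute cell that contains time t."""
    return t.hour * 4 + t.minute // 15

class Profile:
    """Hypothetical model: named ACLs plus a weekly scheduling grid."""
    def __init__(self, name, default_acl, blocked):
        self.name = name
        self.acls = {default_acl: set(blocked)}  # ACL name -> blocked categories
        # The default ACL covers every cell (7x24) until another ACL is painted.
        self.grid = {d: [default_acl] * SLOTS_PER_DAY for d in DAYS}

    def add_acl(self, acl, blocked):
        self.acls[acl] = set(blocked)

    def paint(self, acl, days, start, end):
        """Assign acl to the cells in [start, end) on each day; repainting overwrites."""
        if acl not in self.acls:
            raise KeyError(f"unknown ACL: {acl}")
        for d in days:
            for i in range(slot(start), slot(end)):
                self.grid[d][i] = acl

    def acl_at(self, day, t):
        return self.grid[day][slot(t)]

    def is_blocked(self, day, t, category):
        return category in self.acls[self.acl_at(day, t)]

    def hours(self, acl):
        """Weekly hours during which acl is in force, for auditing the schedule."""
        return sum(row.count(acl) for row in self.grid.values()) / 4

# Group names treated as single labels (assumption made for this example).
BASE = {"Sex", "Questionable Activities"}
SHOPPING = {"online auctions", "consumer shopping", "specialized shopping"}

def build_example():
    """The walkthrough's profile: "Work" by default, "Lunch" at 12pm Mon-Fri."""
    p = Profile("Example", "Work", BASE | SHOPPING)
    p.add_acl("Lunch", BASE)
    p.paint("Lunch", DAYS[:5], time(12, 0), time(13, 0))
    return p
```

Because every cell always holds exactly one ACL name, the model cannot represent overlapping or unscheduled times, which mirrors the non-overlapping scheduling described above.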
As a follow-up, here is a more complex 'Office' example, using four (4) ACLs:
'Allow All' allows full Internet access. This ACL is active before and after working hours on Monday through Friday. Users have unrestricted access to the Internet during these times.
'Work' and 'Lunch' represent two different filtering levels that are applied during the work day, much like the example you created above.
'Deny' applies to weekends. This ACL blocks all Internet access, ensuring no Web access during this time.
Once you have created your own profiles, you can save time creating variants by selecting a profile, and using Copy to duplicate it, but with a different name. You may then Add, Edit or Delete ACLs to suit your requirements. Note: You cannot delete the Default ACL (the one initially named 'ACL 1') from any profile.
If a profile is no longer needed, select it and use Delete to remove it. Note that you will be prompted for a 'replacement' profile to be used in place of the one being removed. If the profile you are removing is not assigned to any networks or users, then this selection is irrelevant, i.e., select anything. However, if the removed profile IS assigned to networks or users, carefully select a valid replacement. iPrism will substitute this profile in all places where the deleted profile may be in use.
New profiles are not active until assigned to either:
Assigning profiles to networks provides IP address filtering and reporting, and is easily done from Access → Networks. Simply select the Web and IM/P2P profiles to be used for a selected network, which can be an individual IP address, or more typically, an IP address range representing a group of machines, a subnet, or the entire network.
Forcing users to authenticate (login) means iPrism can track activity by username, providing superior accountability and reporting as compared to IP address filtering. Please see:
About Profiling by Username