URL Rules
These rules allow the administrator to limit access to Web pages with URLs that meet certain criteria. URL rules can also enforce user authentication by re-directing browsers to the authentication page (see chapter Firewall User Authentication). This means that the authentication page is not opened manually by the user when accessing a page that requires authentication.
To define URL rules go to the URL Rules tab in Configuration / Content Filtering / HTTP Policy.
Rules are read starting from the top. The list can be re-ordered using the arrow buttons at the right side of the dialog window. If a requested URL passes through all rules without any match, access to the site is allowed. All URLs are allowed by default (unless denied by a URL rule).
The following items (columns) can be available in the URL Rules tab:
- Description: description of a particular rule (for reference only). You can use the checkbox next to the description to enable/disable the rule (for example, for a certain time).
- Action: action which will be performed if all conditions of the rule are met (Permit: access to the page will be allowed; Deny: connection to the page will be denied and denial information will be displayed; Drop: access will be denied and a blank page will be opened; Redirect: user will be redirected to the page specified in the rule).
- Condition: condition which must be met to apply the rule (e.g. URL matches certain criteria, page is included in a particular category of the ISS OrangeWeb Filter database, etc.).
- Properties: advanced options for the rule (e.g. anti-virus check, content filtering, etc.).
- IP Groups: IP group to which the rule is applied. The IP groups include addresses of clients (workstations of users who connect to the Internet through WinRoute).
- Valid Time: time interval during which the rule is applied.
- Users List: list of users and user groups to which the rule applies.
Note: The default WinRoute installation includes several predefined URL rules. The rules are inactive by default. WinRoute administrators can enable or edit them if desirable.
URL Rules Definition
To create a new rule, select a rule after which the new rule will be added, and click Add. You can later use the arrow buttons to reorder the rule list.
Note: URLs which do not match with any URL rule are available for any authenticated user (any traffic permitted by default). To allow accessing only a specific web page group and block access to other web pages, a rule denying access to any URL must be placed at the end of the rule list.
Use the Add button to open a dialog for creating a new rule.
Open the General tab to set general rules and actions to be taken.
Description
Comment on the appropriate rule function (information for WinRoute's administrator).
If user accessing the URL is
This option specifies on which users the rule will be applied:
- any user: for all users (no authentication required).
- selected user(s): for selected users and/or user groups who have authenticated to the firewall.
  Use the Set button to open a dialog where users and groups can be selected (hold the Ctrl and Shift keys to select more users/groups at once).
Note: In rules, a username represents the IP address of the host from which the user is currently connected to the firewall (for details, see chapter Firewall User Authentication).
And URL matches criteria
Specification of URL (or URL group) on which this rule will be applied:
- URL begins with: this item can include either an entire URL (e.g. www.kerio.com/index.php) or only a substring of a URL using an asterisk (wildcard matching) to substitute any number of characters (e.g. *.kerio.com*)
- is in URL group: selection of a URL group which the URL will belong to (see chapter URL Groups)
- is rated by ISS OrangeWeb Filter rating system: the rule will be applied to all pages that the ISS OrangeWeb Filter plug-in matches with a selected category (see chapter Content Rating System (ISS OrangeWeb Filter)).
  Click on the Select Rating... button to select from ISS OrangeWeb Filter categories. Read more in chapter Content Rating System (ISS OrangeWeb Filter).
- is any URL where server is given as IP address: by enabling this option users will not be able to bypass URL-based filters by connecting to Web sites by IP address rather than domain name.
Action
Selection of an action that will be taken whenever a user accesses a URL meeting a rule:
- Allow access to the Web site
- Deny access to the Web site: requested page will be blocked. The user will be informed that the access is denied or a blank page will be displayed (according to settings in the Advanced tab, see below).
Tick the Log option to log all pages meeting this rule in the Filter log (see chapter Filter Log).
Go to the Advanced tab to define more conditions for the rule or/and to set options for denied pages.
Valid at time interval
Selection of a time interval within which the rule will be valid (outside this interval the rule will be inactive). Use the Edit button to open a dialog where time ranges can be modified (for details see chapter Time Ranges).
Valid for IP address group
Selection of IP address group on which the rule will be applied (client addresses). Use the Any option if you intend to make the rule independent of client addresses.
Click on the Edit button to open a dialog where IP addresses can be edited (for details see chapter Address Groups).
Valid if MIME type is
The rule will be valid for a certain MIME type only (for example, text/html for HTML documents, image/jpeg for images in the JPEG format, etc.).
You can either select one of the predefined MIME types or define a new one. An asterisk substitutes any subtype (e.g. image/*). An asterisk on its own stands for any MIME type, so the rule will be independent of the MIME type.
Denial options
Advanced options for denied pages. Whenever a user attempts to open a page that is denied by the rule, WinRoute will display:
- a page informing the user that access to the required page is denied as it is blocked by the firewall. This page can also include an explanation of the denial (the Denial text item).
  The Unlock button will be displayed in the page informing about the denial if the Users can Unlock this rule option is ticked. Using this button users can force WinRoute to open the required page even though this site is denied by a URL rule. The page will be opened for 10 minutes. Each user can unlock a limited number of denied pages (up to 10 pages at once). All unlocked pages are logged in the Filter log (see chapter Filter Log).
  Notes:
  - Only subscribed users are allowed to unlock rules.
  - If any modifications are done within URL rules, all unlock rules are removed immediately.
- a blank page: user will not be informed why access to the required page was denied. It will be as if the server is unavailable and a connection could not be established.
- another page: user's browser will be redirected to the specified URL. This option can be helpful for example to define a custom page with a warning that access to the particular page is denied.
New rules will be added below the rule that had been marked before the Add button was used. Use the arrow buttons on the right side of the dialog window to locate the new rule in the list.
You can use the checkboxes next to rules to temporarily disable them without needing to delete and reconfigure the rule if it should be needed at a later time.
Note: Access to URLs which do not meet any rule is implicitly allowed. If you intend to allow access to a limited URL group while denying everything else, you must define a rule that will deny access to any URL (using '*') at the end of the list.
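The top-down, first-match evaluation and the implicit permit described above can be modeled as follows. This is an added example, not WinRoute code: the rule dictionaries, field names and matching details (scheme stripped before comparison, a pattern without an asterisk treated as a prefix) are assumptions made for illustration, and the URLs are constructed samples.

```python
import ipaddress
import re
from urllib.parse import urlsplit

def strip_scheme(url):
    # Assumption: rules are compared against the URL without "http://".
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.I)

def host_is_ip(url):
    """True when the server part of the URL is an IP literal, not a domain name."""
    try:
        host = urlsplit("//" + strip_scheme(url)).hostname or ""
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def url_matches(pattern, url):
    """No asterisk: 'begins with'. Asterisk: stands for any number of characters."""
    bare = strip_scheme(url)
    if "*" not in pattern:
        return bare.startswith(pattern)
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, bare, re.DOTALL) is not None

def evaluate(rules, url):
    """Return (action, description) of the first enabled rule that matches."""
    for rule in rules:
        if not rule.get("enabled", True):
            continue  # unticked rules are skipped, not deleted
        if rule.get("ip_host") and host_is_ip(url):
            return rule["action"], rule["description"]
        if "url" in rule and url_matches(rule["url"], url):
            return rule["action"], rule["description"]
    return "permit", "no rule matched (default)"

# Constructed rule lists, ordered top to bottom as in the URL Rules tab.
DENY_ONE_SITE = [
    {"description": "Block example.net", "url": "*.example.net*", "action": "deny"},
]
ALLOWLIST = [
    {"description": "Company site", "url": "*.kerio.com*", "action": "permit"},
    {"description": "No IP-address URLs", "ip_host": True, "action": "deny"},
    {"description": "Deny the rest", "url": "*", "action": "deny"},
]

if __name__ == "__main__":
    for u in ("http://www.kerio.com/index.php", "http://192.0.2.10/", "http://www.example.org/"):
        print(u, evaluate(ALLOWLIST, u))
    # The name-based deny rule alone does not cover the same server reached by IP.
    print(evaluate(DENY_ONE_SITE, "http://203.0.113.5/"))
```

Dropping the last entry of ALLOWLIST, or moving it to the top, shows the two failure modes: everything unmatched is permitted, or the catch-all shadows every rule below it.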
Open the Content Rules tab (in the HTTP Rules section) to specify details for content filter rules.
WWW content scanning options
In this section you can define advanced parameters for filtering of objects contained in Web pages which meet the particular rule (for details refer to chapter Content Rules). These parameters will be applied only to users which will not be allowed to override Content filter rules. Users allowed to override these rules use their custom settings.
One of the following alternatives can be set for each object type:
- Allow: these objects will be displayed.
- Deny: these objects will be filtered out of the page.
- Default: global rules or custom rules of a particular user will be applied to such objects (this implies that this rule will not affect filtering of such objects).
Deny Web pages containing ...
Use this option to deny users access to Web pages containing words/strings defined in the Configuration/HTTP Policy section (for details refer to chapter Filtering by Words).
Scan content for viruses according to scanning rules
Antivirus check according to settings in the Configuration / Content Filtering / Antivirus section will be performed (see chapter Antivirus Check) if this option is enabled.
HTTP Inspection Advanced Options
Click on the Advanced button in the HTTP Policy tab to open a dialog where parameters for the HTTP inspection module can be set.
Use the Enable HTTP Log and Enable Web Log options to enable/disable logging of HTTP queries (opened web pages) to the HTTP log (see chapter HTTP Log) and to the Web log (refer to chapter Web Log).
You can also select the format of the log for the Enable HTTP Log item (Apache access log or Squid proxy log). This may be important especially when the log would be processed by a specific analysis tool.
Both HTTP and Web logs are enabled and the Apache option is selected by default.
Use the Apply filtering rules also for local server option to specify whether content filtering rules will be applied to local WWW servers which are available from the Internet (see chapter Traffic Policy). This option is disabled by default; in that case the protocol inspector only scans HTTP protocol syntax and performs logging of queries (WWW pages) according to the settings.
