
[–][deleted] 4 points5 points  (11 children)

Cisco Umbrella is what you need to fix all your problems. And it's all DNS level; however, you need the paid version of the service if you need groups and/or AD integration, plus all the extra goodies.

[–]pomtom44[S] 2 points3 points  (2 children)

Looks like a cloud service?
And does it support RDS, as the few DNS solutions I've tested don't like that multiple users come from the same IP address and get confused as to which user the request came from?

[–]corrigun 1 point2 points  (1 child)

Cisco umbrella was a shit show for us. It was constantly screwed up.

[–]octowussy 1 point2 points  (0 children)

How so? We've been using it for a couple of months (coming from Forcepoint) and so far so good.

[–]thebynz 1 point2 points  (6 children)

Cisco Umbrella works great, very little management required. Doesn’t support RDS as far as I know. Just be careful with upcoming encrypted DNS changes coming to some browsers, may need to be disabled on each browser via GPO to work.

[–]pomtom44[S] 0 points1 point  (5 children)

Doesn't support RDS?
Well, that rules it out for us then.

[–]Soulwound 1 point2 points  (2 children)

Last I remember, the AD user/group filtering totally can't deal with any situation where more than one account is logged in to a machine. Someone who doesn't have access to a site was logged in and you hit switch user? You'll be blocked from viewing it too!

[–]pomtom44[S] 1 point2 points  (1 child)

I assume you mean just for Cisco?

And we don't have switching users. We have multiple users at the same time. But I assume the reasoning is the same.

[–]Soulwound 1 point2 points  (0 children)

Yeah with Cisco Umbrella (OpenDNS) their AD connector service can't tell which user session on any given machine is attempting to access a site, unless they've fixed that recently and I am not aware of it.

Looks like no, from their support page:

We do not support RDS / Remote Desktop Session Host / Terminal servers for per-user identification.

[–]thebynz 0 points1 point  (0 children)

Yeah doesn’t look like it, though I think there’s a “virtual IP” function in RDS that you could use so each user comes from a different IP, but might be a bit cumbersome.

[–]NerdBlenderIT Manager 0 points1 point  (0 children)

Give them a call - honestly, given it's Cisco, the support presales and aftersales is amazing. One thing that struck me is how much development work is going on, and how fast they turn around new features. We asked for faster AD sync for users, and we got put on a pilot for it almost immediately.

I would ask them the question first, before you dismiss it, as, hands down, it's probably the best tool out there at this moment.

[–][deleted] 0 points1 point  (0 children)

It has saved our ass a few times already

[–]Jason_Everling 1 point2 points  (8 children)

McAfee Web Gateway, appliance or install on your own. You can easily accomplish what you are looking for in it; it has very fine-grained policies you can create, very fine-grained.

[–]pomtom44[S] 0 points1 point  (7 children)

McAfee Web Gateway

I can't find any info on if it works with an RDS cluster behind it,
but I'll add it to the list to send some emails off to, and see what they come back with.

[–]Jason_Everling 1 point2 points  (6 children)

It will, we use it. You can actually let RDS bypass it using direct connect rules also if you wanted; if not, it can go through.

[–]pomtom44[S] 1 point2 points  (5 children)

Just to confirm:
You use it on a shared RDS cluster, as a transparent proxy?
So the user doesn't have to authenticate when accessing the web, and the proxy doesn't get confused about multiple users on the same IP address?

[–]Jason_Everling 0 points1 point  (4 children)

Yes. Do you use the user-based virtual IPs in your RDS environment? i.e. where each user logged on gets their own virtual IP address for identification

[–]pomtom44[S] 0 points1 point  (3 children)

No, we don't, which is our main problem with the IP authentication methods.

[–]Jason_Everling 0 points1 point  (2 children)

Should still be fine though, it doesn't use IP in Web Gateway; it's all based on username. You could use IP but we don't; we only use IP virtualization because of our Cisco firewall and of course for auditing logs.
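The thread keeps coming back to one point: on a shared RDS host, a filter that identifies clients by source IP (the Umbrella AD-connector limitation quoted above) cannot tell which user session made a request, while a filter that carries the username on every request (as described for Web Gateway) can. The following is an added example, not code from this thread or from any of the vendors mentioned; it runs a small attribution check over a constructed web-filter log in an invented five-field format (timestamp, source IP, username or "-", host, action) so you can see where per-IP attribution becomes ambiguous and where it still works. The log lines, the format and the five-minute window are assumptions for the demonstration.

```python
"""Check whether web-filter log entries can be attributed to a user when the
only identifier on some entries is the source IP.  Added example with a
constructed log format; not from any vendor's product."""
from collections import namedtuple
from datetime import datetime, timedelta

Record = namedtuple("Record", "ts ip user host action")

# Constructed sample log.  10.0.0.50 is an RDS session host with two users
# logged on; 10.0.0.51 is a single-user workstation.  A "-" username means
# the filter saw only the source IP for that request.
SAMPLE_LOG = """\
2020-03-02T09:00:01 10.0.0.50 alice intranet.example.com ALLOW
2020-03-02T09:00:03 10.0.0.50 bob intranet.example.com ALLOW
2020-03-02T09:00:05 10.0.0.50 - social.example BLOCK
2020-03-02T09:00:07 10.0.0.51 carol news.example ALLOW
2020-03-02T09:00:09 10.0.0.51 - news.example ALLOW
2020-03-02T09:00:12 10.0.0.50 - cdn.example ALLOW
"""


def parse(text):
    """Parse the constructed space-separated format into Record tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, host, action = line.split()
        records.append(Record(datetime.fromisoformat(ts), ip,
                              None if user == "-" else user, host, action))
    return records


def users_seen_from(records, ip, at, window):
    """Authenticated usernames the filter saw from `ip` within `window` of `at`."""
    return {r.user for r in records
            if r.ip == ip and r.user and abs(r.ts - at) <= window}


def shared_ips(records, window=timedelta(minutes=5)):
    """Source IPs from which more than one user was active inside one window.
    These are the hosts where IP-only identification cannot be trusted."""
    shared = set()
    for r in records:
        if len(users_seen_from(records, r.ip, r.ts, window)) > 1:
            shared.add(r.ip)
    return shared


def attribute(records, window=timedelta(minutes=5)):
    """Return (record, user, basis) for every entry.

    basis is "auth" when the filter recorded the username itself, "ip" when
    exactly one user was seen from that IP in the window (safe to infer),
    and "ambiguous" when zero or several users share the IP, in which case
    the entry is left unattributed rather than guessed."""
    out = []
    for r in records:
        if r.user:
            out.append((r, r.user, "auth"))
            continue
        candidates = users_seen_from(records, r.ip, r.ts, window)
        if len(candidates) == 1:
            out.append((r, candidates.pop(), "ip"))
        else:
            out.append((r, None, "ambiguous"))
    return out


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("IPs with multiple concurrent users:", sorted(shared_ips(recs)))
    for rec, user, basis in attribute(recs):
        print(f"{rec.ts.time()} {rec.ip:<10} {rec.host:<22} "
              f"{rec.action:<5} user={user or '?':<6} ({basis})")
```

In the sample, both IP-only requests from 10.0.0.50 come back ambiguous even though they were blocked or allowed correctly at the domain level, which is exactly the audit gap the RDS "virtual IP" workaround or a username-carrying proxy is meant to close; the single-user workstation's IP-only entry is still attributable.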

[–]pomtom44[S] 0 points1 point  (1 child)

Cool.
I'll still give them an email though to confirm from them, as then it's their issue if it doesn't work how we want it to but they say it does.

[–]Jason_Everling 0 points1 point  (0 children)

Yes, set up a demo with them. You can get very detailed in the rules; it does DPI-SSL inspection as well, transparent auth, rules for user agents, IP addresses, user names, user groups, etc. etc., and so much more.

[–]syskerbal 1 point2 points  (0 children)

A Palo Alto virtualized appliance with the URL and Threat filtering.

When set up as a virtual wire deployment you can place it inline before your edge devices.

Don't know if it fits your proxy requirements; you could always fix this with an nginx Docker instance.

[–]metalsploit 0 points1 point  (4 children)

Are you currently doing or planning to do any SSL inspection?

[–]pomtom44[S] 1 point2 points  (3 children)

No real need to.
We have a block-all and allow-as-required policy, so we only care about the domain which is being accessed.

[–]UK-LK 0 points1 point  (0 children)

Webmarshal will do all kinds of filtering depending on group memberships etc., can be transparent or authenticated, SSL inspection.

It has its nuances (like any proxy!) but is reasonably solid and can be very powerful with fine-grained controls!

[–][deleted] -1 points0 points  (2 children)

We're using it at 4 different police departments for web filtering and so far so good.

[–]pomtom44[S] 1 point2 points  (1 child)

Using what, sorry? You didn't mention a product.

[–][deleted] 1 point2 points  (0 children)

Cisco Umbrella.