Allow some sites and deny the rest

SOLVED
jparadis
Here to help

Allow some sites and deny the rest

Hi there, first time sending a message to the Meraki Community!


Maybe it's a stupid question, but I didn't find a way to do what I want with my MX64 on the web:

I have to install wireless computers to employees, but I want to restrict access to only some websites (eg: the intranet to see their pay, emails and the insurance company to print out forms, etc.). How can I do that?


First, I created a group policy and assigned it to my 2 clients.

  1. I tried to block port 80 and 443 with layer 7 rules and URL whitelist google.*
  2. I tried to deny access to the Meraki with a level 3 deny any rule and URL whitelist google.*

Thanks for your kind help!

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal

Use my method.  Use content filtering, blacklist *, and then add in the allowed URLs to the whitelist.

14 REPLIES 14
PhilipDAth
Kind of a big deal

Try using content filtering.  Blacklist the URL pattern:

*


Then add in the URLs you want them to be able to get to.  Note it only takes effect on new flows, so if you change it you don't always see the impact immediately.

BlakeRichardson
Kind of a big deal

I am not sure I understand you correctly, do you want to block everything except a couple of websites i.e. really locked down or do you want to allow most websites apart from a few?

How it's done will depend on what you want.

I want to allow access to some websites and block the rest.

PhilipDAth
Kind of a big deal

Use my method.  Use content filtering, blacklist *, and then add in the allowed URLs to the whitelist.

Thanks for the answer!

So, you're telling me that in my group policy, I enter "*" in the "Blocked URL patterns" field and "*.google.com" in the "Whitelisted URL patterns" to test with Google?
PhilipDAth
Kind of a big deal

Correct.


Note it only affects new TCP flows.  Because of this it doesn't always appear to "kick in" immediately.

Thanks PhilipDAth!
Works well after the client computer reset.
PhilipDAth
Kind of a big deal

Yeah, used it a few times.


The thing that catches most people out is that it only applies to new TCP flows.  So you make a change, and it doesn't look like it is working.  You go away and get a coffee and then it is working.

One more thing: are you able to let Windows Update go through with these rules?

I added:

  • *.download.windowsupdate.com
  • *.au.windowsupdate.com
  • *.tlu.dl.delivery.mp.microsoft.com

to my whitelist as per https://support.microsoft.com/en-us/help/3175743/proxy-requirements-for-windows-update.

I get error 0x80d05001 when I try to update and http://download.windowsupdate.com is blacklisted when I test in the browser.

Maybe it's linked, but if I change google.ca to google.*, neither google.com nor google.ca works. As if the wildcard doesn't work for me.
PhilipDAth
Kind of a big deal

Those URLs will vary a little bit depending on where in the world you are.  Does the below work?

*.windowsupdate.com

*.microsoft.com

Nice! Simply having "windowsupdate.com (and) microsoft.com" allows me to update. Seems like my system doesn't like the "*".

This is what I need except with the twist that the two business owners want their computers (on the same LAN) to have full Internet access but the others to be restricted to business-required sites only. Anyone have any thoughts on how to do that?


Thanks,


G

Apply the "whitelist" group policy to their two computers.

I finally used the "Blocked website categories" (nearly everything) with the following whitelist to let Gmail through (even if "Search Engines" is blocked):

  • mail.google.com
  • accounts.google.com
  • accounts.google.ca
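An added coverage check for an allowlist like the ones in this thread (example code, not from the thread or from Meraki). The dashboard's actual URL-pattern matching rules are not stated on this page, so both matchers below are assumptions; running the business-required URLs through each before applying a "block *" policy shows which sites would still be cut off and why a "*." entry may not match a bare domain.

```python
import fnmatch
from urllib.parse import urlparse

# Allowlist entries taken from the thread; the "*" forms are the ones the
# original poster reported as not matching in their dashboard.
ALLOWLIST = [
    "*.google.com",
    "mail.google.com",
    "accounts.google.com",
    "*.windowsupdate.com",
    "windowsupdate.com",
    "microsoft.com",
]

# Constructed test URLs: the kind of sites the employees must still reach.
TEST_URLS = [
    "https://mail.google.com/mail/",
    "https://accounts.google.ca/signin",
    "http://download.windowsupdate.com/msdownload/",
    "https://tlu.dl.delivery.mp.microsoft.com/filestreamingservice/",
    "https://www.example.org/",
]

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def glob_match(host, pattern):
    # Assumed strict shell-style wildcard: "*.google.com" does NOT match "google.com".
    return fnmatch.fnmatchcase(host, pattern.lower())

def substring_match(host, pattern):
    # Assumed lenient matching: the pattern, minus any "*", need only appear in the host.
    return pattern.lower().replace("*", "") in host

def evaluate(urls, allowlist, matcher):
    """Return {url: allowed} under a deny-everything policy with the given allowlist."""
    return {u: any(matcher(host_of(u), p) for p in allowlist) for u in urls}

def uncovered(urls, allowlist, matcher):
    """URLs that would still be blocked; review these before applying the policy."""
    return [u for u, ok in evaluate(urls, allowlist, matcher).items() if not ok]

if __name__ == "__main__":
    for name, m in (("glob", glob_match), ("substring", substring_match)):
        print(name, "still blocks:", uncovered(TEST_URLS, ALLOWLIST, m))
```

Under either rule accounts.google.ca stays blocked, which matches the thread's need to list it explicitly rather than rely on a .com entry.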