
Allow some sites and deny the rest

SOLVED
Here to help

Allow some sites and deny the rest

Hi there, first time sending a message to the Meraki Community!

 

Maybe it's a stupid question, but I didn't find a way to do what I want with my MX64 on the web:

I have to install wireless computers for employees, but I want to restrict access to only some websites (e.g. the intranet to see their pay, emails and the insurance company to print out forms, etc.). How can I do that?

 

First, I created a group policy and assigned it to my 2 clients.

  1. I tried to block port 80 and 443 with layer 7 rules and URL whitelist google.*
  2. I tried to deny access to the Meraki with a level 3 deny any rule and URL whitelist google.*

Thanks for your kind help!

1 ACCEPTED SOLUTION

Kind of a big deal

Re: Allow some sites and deny the rest

Use my method.  Use content filtering, black list *, and then add in the allowed URLs to the whitelist.

14 REPLIES
Kind of a big deal

Re: Allow some sites and deny the rest

Try using content filtering.  Blacklist the URL pattern:

*

 

Then add in the URLs you want them to be able to get to.  Note it only takes effect on new flows, so if you change it you don't always see the impact immediately.

Kind of a big deal

Re: Allow some sites and deny the rest

I am not sure I understand you correctly. Do you want to block everything except a couple of websites (i.e. really locked down), or do you want to allow most websites apart from a few?

 

Depending on what you want will depend on how it's done.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Here to help

Re: Allow some sites and deny the rest

I want to allow access to some websites and block the rest.

Kind of a big deal

Re: Allow some sites and deny the rest

Use my method.  Use content filtering, black list *, and then add in the allowed URLs to the whitelist.

Here to help

Re: Allow some sites and deny the rest

Thanks for the answer!

So, you're telling me that in my group policy, I enter "*" in the "Blocked URL patterns" field and "*.google.com" in the "Whitelisted URL patterns" to test with Google?
Kind of a big deal

Re: Allow some sites and deny the rest

Correct.

 

Note it only affects new TCP flows.  Because of this it doesn't always appear to "kick in" immediately.

Here to help

Re: Allow some sites and deny the rest

Thanks PhilipDAth!
Works well after the client computer reset.
Kind of a big deal

Re: Allow some sites and deny the rest

Yeah, used it a few times.

 

The thing that catches most people out is that it only applies to new TCP flows.  So you make a change, and it doesn't look like it is working.  You go away and get a coffee and then it is working.

Here to help

Re: Allow some sites and deny the rest

One more thing: are you able to let Windows Update go through with these rules?

I added:
*.download.windowsupdate.com
*.au.windowsupdate.com
*.tlu.dl.delivery.mp.microsoft.com
to my whitelist as per https://support.microsoft.com/en-us/help/3175743/proxy-requirements-for-windows-update.

I get error 0x80d05001 when I try to update and http://download.windowsupdate.com is blacklisted when I test in the browser.

Maybe it's linked, but if I change google.ca to google.*, neither google.com nor google.ca works. As if the wildcard doesn't work for me.
Kind of a big deal

Re: Allow some sites and deny the rest

Those URLs will vary a little bit depending on where in the world you are.  Does the below work?

 

*.windowsupdate.com

*.microsoft.com

Here to help

Re: Allow some sites and deny the rest

Nice! Simply having "windowsupdate.com (and) microsoft.com" allows me to update. Seems like my system doesn't like the "*".
New here

Re: Allow some sites and deny the rest

This is what I need except with the twist that the two business owners want their computers (on the same LAN) to have full Internet access but the others to be restricted to business required only sites. Anyone have any thoughts on how to do that?

 

Thanks,

 

G

Kind of a big deal

Re: Allow some sites and deny the rest

Apply the "whitelist" group policy to their two computers.

Here to help

Re: Allow some sites and deny the rest

I finally used the "Blocked website categories" (nearly everything) with the following whitelist to let Gmail through (even if "Search Engines" is blocked):

  • mail.google.com
  • accounts.google.com
  • accounts.google.ca
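
An offline pre-check for the "block `*`, then whitelist" approach discussed in this thread, as an added example that is not part of any post and is not Meraki's own code. It assumes a simplified matching model (bare `*` matches everything, any other entry matches the host and its subdomains, allow beats block, entries with an embedded wildcard never match, as the posters observed); the function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed model, not Meraki's matcher: a bare "*" matches every host, any other
# entry matches that host and its subdomains, and an allow match beats a block.
BLOCKED = ["*"]
ALLOWED = ["windowsupdate.com", "microsoft.com", "mail.google.com",
           "accounts.google.com", "accounts.google.ca", "google.*"]

def host_of(url):
    """Lowercased hostname of a URL or bare host, without port or trailing dot."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def matches(pattern, host):
    pattern = pattern.strip().lower()
    if pattern == "*":
        return True
    if "*" in pattern:
        # Embedded wildcards are treated as never matching, mirroring what the
        # posters saw with "google.*" and "*.windowsupdate.com".
        return False
    # Compare on a label boundary so "notmicrosoft.com" is not taken for
    # "microsoft.com", which a plain substring test would allow.
    return host == pattern or host.endswith("." + pattern)

def lint(patterns):
    """Entries to rewrite as plain domains before relying on them."""
    return [p for p in patterns if "*" in p and p.strip() != "*"]

def verdict(url, allowed=ALLOWED, blocked=BLOCKED):
    host = host_of(url)
    if any(matches(p, host) for p in allowed):
        return "allow"
    if any(matches(p, host) for p in blocked):
        return "block"
    return "allow"  # nothing matched; category and firewall rules are not modelled

# Constructed test URLs: sites the thread wants reachable plus lookalike hosts.
SAMPLES = ["http://download.windowsupdate.com/", "https://mail.google.com/mail/",
           "https://www.google.com/", "https://windowsupdate.com.lookalike.example/",
           "notmicrosoft.com"]

if __name__ == "__main__":
    print("rewrite these entries:", lint(ALLOWED))
    for url in SAMPLES:
        print(f"{verdict(url):5}  {url}")
```

Running the list of hosts an application needs through `verdict` before applying the group policy shows which ones the whitelist would leave blocked; the result still has to be confirmed on a client after new flows are established.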