You can access the Groups window at Policies > Groups.
'Groups' are groups of Clients that share the same set of filtering Policies. There are two types of Groups: Groups with 'Advanced' options and 'Simple' Groups.
The ‘Simple' Group option is used to quickly create a Group. These Groups have no Policies and therefore no Policy Event Calendar. You can apply Category Templates, Custom Categories, Local and Shared Lists as well as Quick Reports.
With advanced Groups, you can assign Policies, a Policy Event Calendar, Clients, administration Accounts and enable Quick Reports as well as other features discussed later.
The Simple Groups tab lets you view and create a ‘Simple Group’. Simple Groups have no Policy and therefore no Policy Event Calendar. To Create a Group, click the Create Group button, select the icon, and enter the ‘Group Name’ with no spaces and an optional description. Click Save to add the Group. To view or modify an existing Group, click the Group to display the Group properties. You can assign Category Templates or Custom Categories can be applied. In addition, entries can be added Allow or Deny and Shared Lists can be applied. You can also assign Quick Reports.
For more information on the Simple Groups, please see 'Simple Group' documentation.
The rest of this document will discuss the advanced Groups option.
The Groups List tab displays a list of Simple and advanced Groups. With advanced Groups, you can assign Policies, a Policy Event Calendar, Clients, administration Accounts and enable Quick Reports as well as other features discussed later.
The Header bar displays these items.
Group creation can generally be divided into Attributes and Preferences.
Attributes are the functions assigned to a Group. You can assign Polices and their related Categories to a Group and then apply Policy Events, the time when these Policies are applied, to the Policies. A Deny Page can be assigned to display for a specific Group as well as Quick Reports. You can also assign Clients (Workstations or Users) to each Group.
Preferences are the configuration settings for the Group. You can create or reset your Group based on a Template or an existing Group. You can set the Logging Level and Language as well as Enforced Categories for each Group. You can specify a Timezone and you can also choose to specify Authentication Redirect as your filtering type.
Template-driven Group and Policy management allows you to standardize Group settings using WebAdmin, Policy and Category Templates.
A WebAdmin Template contains the Policy Templates with their Categories, URL List entries and other settings. A WebAdmin Template also specifies Policy Events, a Group Deny Page, Logging Mode, Client Thresholds, Group Language, Timezones, Enforced Categories and IP Range Restrictions (when ‘Enabled Group Restrictions’ is applied). If a WebAdmin Template is enabled as a ‘Profile Template’, it can be used by the ‘Profile Manager’.
Go to Policies > Groups and click the Templates tab.
You can set the default Group that is used for new Groups.
To set the Default WebAdmin Template:
1. Go to Policies > Groups and click the Templates tab.
2. Select the Set Default, tab.
3. Select the Group from the Select Group dropdown list.
4. Click Save Changes.
Any Group can be designated as a Template by opening the selected Group's edit window and checking the ‘WebAdmin Template' or the 'Profile Manager Template' checkboxes. The Group will then appear in the WebAdmin Templates lists. Deleting a WebAdmin Template will not delete the Group, it will only remove the Template designation.
See the 'Policy Management Templates' document for more information.
When you install Lenovo NetFilter, a default Group will be in the WebAdmin Groups window. You should configure the default Group before adding clients to the WebAdmin or creating any other Groups. This default Group acts as a “safety net” for the filtering system, as well as a useful template for creating other groups by cloning the default group.
The Lenovo NetFilter server assigns unknown requests (requests where the client is not specified or found in the policy database) to this group. To protect potentially vulnerable users, this default group should have limited internet browsing access. It is recommended that you maintain limited browsing access of this default group and never delete it.
You can set the Default Group by clicking the Set Default Group tab in the ‘Groups' window. The ‘Select Group’ field has an auto-complete function. Start typing the name of the Group you wish to be the default. When done, click the Save Changes button.
Depending on preferences, there are three types of windows that can display when the Create Group tab is chosen.
By default, and with no WebAdmin Templates, this window displays. Enter the Group name and the optional description and click Submit. Please note that spaces are not allowed in Group names.
If there are WebAdmin Templates, a 'Templates' section displays that allows you to choose from a group of Templates. As noted in the WebAdmin Templates information, there must always be at least two templates designated to enable the Template selection.
If 'Copy Group from Existing Group' is selected in 'WebAdmin Settings' and at least one WebAdmin Template is enabled, a 'Groups' section displays that allows you to create or reset a Group based on an existing Group.
1. Go to Policies > Groups and click the Create tab.
2. Type a name for the group in the ‘Group Name’ box and a brief description of the group in the ‘Description’ box. The Group name can have no spaces.
3. If you are using WebAdmin Templates or depending on WebAdmin Settings, the 'Hide Templates' and 'Hide Group' options display. You can select either a Group Default Template or Copy Settings from existing Groups.
4. Click Submit.
5. The ‘Group Policy’ page for the new group appears.
6. From here you can choose the different tabs to modify the Group settings.
To modify group attributes, go to Policies > Groups and click the Group you wish to edit. The Group Policy for that Group displays. The tabs at the top of the page let you modify various functions. Selecting a tab also displays additional buttons and checkboxes.
Use the ‘General’ tab to modify Group name and description, create a Group Deny Page, specify logging, language, Group Timezones and enforced categories. You can also specify the Policy Categories.
Use this tab to modify a Group name and Description. You can also modify how you want to use the Policy Settings.
The Categories tab allows you to select the Category Template would wish applied to the Group or choose the number of Categories assigned through the Custom Template.
Use this option to create a Deny Page for this Group. See the ‘Policy Management - Custom Deny Pages’ document for more information.
Use this tab to set Templates, Logging, Timezones, Enforced Categories, and Language. Client Thresholds can also be set if enabled.
Use this option to Clone the selected Group. You will be given the opportunity to create a new name and description for the group. See 'Advanced Tab' settings below.
Use this option to surf the Internet using the Group’s permissions. This feature allows you to surf through websites in accordance to a chosen group’s policy and to test filtering rules without implementing a client. The Surf Using Group button is meant for a one-off test. You cannot use it to test several URLs at once. Do not use the Back button to try another URL.
Use this tab to modify a Group name and Description. You can also modify how you want to use the Policy Settings.
The Allow All/Deny All lets you pause filtering or deny all URLs for a Group. By default, 'Use Policy Settings' is selected. Select either 'Allow All Until' or 'Deny All Until' and set the time limit.
The Group’s General tab displays the Categories tab. This tab displays for the Group if it has a Policy. It allows you to select the Category Template would wish applied to the Group. You can also make a custom selection of Categories by using the Custom option.
You can also choose from a list of available Category Templates.
You can specify a deny page to display for a specific Group. In this example we want to create a new page that will display for the Western Students Group.
1. Go to Policies > Groups and click on the Group you wish to Modify.
2. In the General tab, click the Deny Page tab.
3. In a new install, the page will display a message that no custom content has been specified. Click the Create Content button.
See the ‘Creating a Group Deny Page’ documentation for more information on Group Deny Pages or see ‘Custom Deny Pages’ for advanced information.
If this box is checked, the selected Group can be designated as a WebAdmin Template.
Profile Manager Template
This option enables the selected template as a Profile Manager Template.
Client Threshold Limiting
This option enables 'Client Threshold Limiting' for the Group. This is not displayed by default. See 'Configuration – Client Abuse Thresholds' for more information.
Use this option to select the Logging level for this Group. Choices are: Log Everything (default), No Logging, Log Allowed Requests Only, and Log Denied Requests Only.
Log File Name Tag
Use this option to write logs for Groups into the same file. This tag is used with the lm5_group_multiwriter and lm5_tag_multiwriter options used in logging. In the Reporter, reports can be generated for Groups set up with this option.
Use this option to change the Timezone for the Group. The Group specific Timezone affects Group Policy Events for a group. It can be useful if some Groups reside in a timezone that doesn’t match the Policy Server timezone and the Group has multiple Policies that should be switched independent of the time of the day or day of the week. See the 'Policy Management - Timezones' documentation for more information.
You can have 'Enforced Categories' on a per Group basis. The Categories will be merged with Account enforced Categories but override System-wide enforced Categories. Enforced Categories can also be set in the WebAdmin Template. For more information on Enforced Categories, please see Policy Management - Categories.
Use Group Language
Use this option to select the language. By default, English and French are displayed as choices once ‘Use Group Languages’ is checked. For other languages to display, go to Administration > Configuration > WebAdmin Settings and scroll to ‘General Settings’. You can select more languages in the ‘Enables Languages’ field.
The Group must have a Policy with at least one Local List for this option to display. See ‘Group List Tools’ below.
If a Group Deny Page Language is set, it will take precedence over the Global Language but not over the Policy Deny Page Language. If there is no Group or Policy Deny Page Language set, it will use the Global Language.
1. Go to Policies > Groups and select a Group.
2. In the Advanced tab click the checkbox for the ‘Use Group Language’ option.
3. The available languages display.
4. Choose a language and click Submit. Your deny page language will be changed.
For other languages to display, go to Administration > Configuration > WebAdmin Settings and scroll to ‘General Settings’. You can select more languages in the ‘Enables Languages’ field.
The Advanced tab can display the ‘List Tools’ option. Use this option to add a List Entry to a selected Policy. The Group must have a Policy with at least one Local List for this option to display. You can only add entries to Policies with a Local List.
1. Go to Policies > Groups and click the Group you wish to clone.
2. Click the Clone tab.
3. Enter the name of your new Group and an optional description.
4. Click Continue.
5. Confirm the information in the window and then click View New Group.
6. The ‘Group Policy’ page for the new cloned Group will display.
The Advanced tab only displays if Templates are enabled or if one Template is enabled and 'Copy Group from Existing Group' is checked in 'WebAdmin Settings'. It allows you to reset the selected Group based on a WebAdmin Template or to copy settings from an already created Group. See the Policy Management Templates document for more information on creating and using Templates.
Use the Group Policies tab to add and modify Policies and Policy Events (Time durations when the Policy is applied).
The Policy Calendar tab is a visual display of the Policy Events applied to the Group. From this tab, you can add, modify, or delete Policy Events directly on the Policy Calendar page. You can create new Policies ‘on the fly’ while adding or editing Policy Events. The duration of a Policy Event can be multiple days, or have ‘No End Time’. Multiple Policy Events can be created with the same duration starting on different days. You can also create your own color scheme for reviewing Policy Events on the Policy Calendar. Please see Policy Events documentation for more information.
From Policy Create tab, enter the Policy name. Policy names can only contain alpha-numeric characters with no spaces. Enter an optional description and click Submit.
The List tab displays a list of all the Policies used by the Group. Clicking the Policy name opens the Policy for editing. If a Policy does not have a Policy Event (time duration), an Error displays beside the Policy name.
The Policies Events tab displays the Group’s Policy Events and their Start and Stop Time.
Use the Clients tab to add or modify Clients for the selected Group. A Client is a computer user, workstation, or subnet of workstations, as defined by client name, password, workstation address, or network subnet.
You can also create a Group from a selected Client. To accommodate the increased number of possible Categories, the Groups window Clients tab displays the number of Categories selected. Hovering over the message displays a tooltip with a list of assigned Categories. If the list is too long, the tooltip will be truncated. A full list of assigned Categories can be viewed by clicking on the Client.
You can create a Group from an existing Client. You can use this procedure when you discover that a Client belongs to an incorrect Group but a correct Group does not exist.
1. Go to Policies > Groups and click on the Group you wish to modify.
2. Choose the Clients tab and click on the Create Group from Client button. The ‘Step 1’ page displays.
3. Select the Client from the ‘Select Client’ list and click Next.
4. In the Step 2 page, select the options you require for your new group. You can do nothing with the Client (This is the default and the selected Client will not be moved to the new Group) or you can move the Client to the new Group you are creating. You can also rename the Group from the default. When done, click Next.
5. The message ‘Successfully created a group from the specified client’ displays.
6. You can now add a SysOp account to the Group or click the Back button.
Use the Managers tab to assign an Account to a selected Group.
An Account is a user with limited privileges that manages filtered clients in their group. Usually this person has some authority over the other users such as a teacher over a class of students, a manager over a group of workers, or a parent over a family. There are a variety of accounts available for delegating filtering administration.
1. In the Accounts window create a SysOp account. In this case, we have created a SysOp named Jacob_newley.
2. Go to Policies > Groups and click to select a Group.
3. Click on the Managers tab.
4. Click on the Assign Account dropdown list to display the Account names.
5. Select one or more Account names and click Submit.
6. Jacob Newley is added the Account Group Memberships for the group.
Use this option to input an IP range for the Group. The IP Range can be entered as a range (e.g. 192.168.4.1-192.168.4.24) or as a CIDR notation (192.168.4.0/24). Group Restrictions can also be set in WebAdmin Templates.
To enable the Group Restrictions tab.
1. Go to Policy Server Settings and add dbclientnamegrouprestrict to the groupclient_lookup_order at the beginning of the list.
i.e. groupclient_lookup_order dbclientnamegrouprestrict dbclientname dbip dbsubnet
2. Restart the Policy Server
3. Go to Administration > Configuration and click WebAdmin Settings.
4. Scroll down to ‘Group Client Settings’ section and place a checkmark in Enable Group Restrictions.
5. Please note that, when enabling this option after setting changing the Policy Server, you will still get the warning message.
This example with restrict the clients to the defined IP range. The dbclientnamegrouprestrict module we will use in Policy Server Settings will look up a user's group based on the username and make sure the user is in a range that is set for a Group. This can be used in deployments where the username is known such as with Squid or Client Filter.
The IP range can be used when proxy systems are shared between schools. It can keep students from sharing passwords to get less restrictive filtering policies.
1. Go to Policies > Groups, select the List tab and click the Group you wish to edit.
2. Click the Group Restrictions tab. (If you cannot see this tab, see the note above.)
3. Add the IP or IP range that would apply to the group.
4. Click Submit.
5. The IP range is added.
This tab is used with the ‘Authentication Redirect’ feature.
The Authentication Redirect feature enables users to authenticate and to be placed into a different filtering group based on this authentication. This is accomplished by creating a default policy that is configured to be the most restrictive policy. This is applied to either specific IP addresses or an entire network subnet. This restrictive default policy then utilizes the Authentication Redirect functionality to redirect filtered endpoints to an authentication portal where the user can authenticate and be placed into a new filtering group.
Please see the Authentication Redirect configuration documentation for more information.
This tab displays the ‘Quick Reports’ page which allows you to create Reports for the specified Group.
Quick Reports are a group of prepared reports that include some of the most used reports. Quick Reports are typically generated on a regular basis (daily, weekly, or monthly) so you can periodically review the Internet use on your network. You can create Global Quick Reports through the Reports menu, but you can also use the Quick Reports button to create ‘Quick Reports’ for the selected Group.
Close the ‘Show Reports’ window to display the enabled Quick Reports.
If you delete a Group with Group Reports assigned, a popup displays that asks if you want to delete the associated reports.
You can access the Group Policy page for a specific Group by selecting a log line choosing the More icon the Logs > Request Logs page. Choose Group Details to open the Group’s Policy page. Choose Group Search to open the ‘Group Search’ page. The pages open with the relevant information for that log line displayed.
In ‘Request Log Files’, SysOps can only view Groups they are assigned to.