NxFilter not Blocking

[Michael Patrick]

I have integrated AD into NxFilter, however when I try to test using my own login to block facebook.com it does not work. The logs show it to be an anon-user with my IP navigating to Facebook.com. Could someone assist?

[Dime I]

Have you ran/installed nxlogon on your test computer?  All workstations need to have nxlogon run at startup/login for nxfilter to 'know' which specific user it's requesting.

[Michael Patrick]

I have and it is pointing to the IP address for the machine. It is now logging the username but still not blocking the website.

[Jinhee]

Several things to check,

1. Did you enable authentication on 'Config > Setup'?

  - I guess you did as you said you run NxLogon and see username in your log-view.

2. Do you use NxFilter as your only DNS server for your client system?

3. How did you block facebook.com? By whitelist with 'admin_block' option?

4. What do you get when you use 'nslookup facebook.com' against your NxFilter?

[Michael Patrick]

I did enable authentication, I do not use it as my only dns server just my primary, I blocked Facebook.com through the custom categories and added *.facebook.com 

NSLookup

Non-authoritative answer:

Name:    facebook.com

Addresses:  66.220.156.68

          66.220.156.68

[Michael Patrick]

Also I added the policy to my user account for that category. Sorry forgot to mention that

[Jinhee Lee]

So your secondary dns works. Make it the only dns server.

[Michael Patrick]

Trying that knocked me off the internet completely, so that could be why this is not working. I tested blocking it in admin block through whitelist and that worked. Since we are talking about removing the secondary, once I get the NxFilter machine to work as a primary by itself can I re-add the seconday? We need a failover solution in case the primary goes down.

[Jinhee]

Have one more NxFilter as your secondary DNS server. We support even clustering. This is actually for more than you can expect from a free sulution. But some of our users even use 3 NxFilter clustered. Seemed like an overkill to me though.

[Michael Patrick]

So in order for it to work we cannot use a normal dns server as a secondary? They both have to be an NXfilter device?

[Michael Patrick]

So I have only the NXfilter set up as my DNS server, I am on the internet now but it still is not blocking. The way I have done it is created a test called Facebook which blocks *.facebook.com then a test policy and added my own user account to the policy and ensured the Facebook category was checked under the blocked domains. Cleared all my cache and flushed my dns. I am still able to browse to facebook.com.

[Michael Patrick]

A little more information. I am able to block websites globally so I believe it is the policy having the issue. I am just not sure where in the policy I am messing up

[Michael Patrick]

Sorry to keep posting updates, I am noticing more as I move forward. The log is showing me to still be in the default policy even though the user list shows me to be in the test policy.

[Dime I]

You should probably block connect.facebook.net too

[Michael Patrick]

Wouldn't *.facebook.com cover that since * is a wildcard?

[Jinhee]

On your list the policy being shown is your user policy. But on NxFilter group policy comes before user policy. To find out which policy your user actually fall it click 'TEST' button on user list.

[Michael Patrick]

I figured it out.. It is applying my user group policy instead of the user specific policy.. now to find out how to stop that.

[Michael Patrick]

Is there any way to stop the group policy from taking over or to stop the groups from importing through AD and only have the users import?

[Dime I]

No because the difference is .net and .com

[Michael Patrick]

Oh I didn't see the .net my mistake. Thanks!

[Jinhee]

If you don't want to import groups use 'exclude keywords'. And group policy comes before for your convenience as many people want to do everything on AD side. Once you figure out all the policies and groups and users then you just move one user to another group when you want to apply a different policy to the user.

[Michael Patrick]

That worked! thanks.