Restricting access to only a specific website

  • Question
  • Updated 4 years ago
  • Answered
Hi all, I have a client (museum) who is looking to set up a public access network and restrict access only to their website (providing audio tours). 
My initial thought is to set the captive portal to point to this site/page but how do I stop them going beyond this to the world?

I have to put my hands up and say that I am being very lazy, coming to the community first before doing any deep dive but there is no point reinventing the wheel if there is a tried and trusted way that people are doing this already!

Thanks in advance for any suggestions.

Gerard


Posted 4 years ago


James Forbes

This can be accomplished in the User Profile Firewall for wireless clients. Within the firewall is an "application" option for creating application / website based firewall rules. Within the application rules for the firewall are customizable application signatures. The custom rule is configured under Configuration-->Common Objects-->Application Services-->Custom Applications-->Add. Once created here you can apply it in the User Profile firewall.

Gerard

Hi James, Thanks for the suggestion. We have been playing around with this but have not had much success. Can you take a look at the images below and let me know where we have gone wrong?



James Forbes

Gerard,

Move the "Does it work" policy to the "From-Access" portion of the IP Firewall Policy. Those titles are a bit misleading. The From Access means that the policy will be applied to traffic coming "From" the Wireless client as opposed to traffic going "To" the wireless client.

James Forbes

Gerard,

Also, rule number 2 can be an Any Any Any Deny. Just deny everything at the end and only the traffic that matches rule number 1 will be allowed.

Gerard

Thanks James. I'll try that in the morning and will report back.


Gerard

Hi James, back again and starting to feel like an amateur :(
Still can't get the desired result


James Forbes

I overlooked this earlier. You need to allow DHCP and DNS for this to work. Rule 1 should be Any Any DHCP-Server allow. Rule 2 should be Any Any DNS allow.

Then your two other rules. Give that a shot and let me know. Also when you test, check your IP address, ping by IP, and ping by host name to see what, if anything, is not working.

Melissa J

I have a similar situation and following your tips James, I have been unable to get this operational.

I have tried the default action on the firewall policy to be both 'Permit' and 'Deny' without success. I wonder if there is a step I'm also missing? Is it possible to ask that you quickly check the list above & see if that's all that is required?

Also - I would be interested if you have had any success Gerard. Thanks

James Forbes

Let's try a different approach. First see if you can get client traffic to pass with no firewall rule at all. In other words, no restrictions, just to check if everything works before making things more complicated. Once you get the User Profile to work, then start to squeeze it down. I suggest doing a policy that allows any http and https as shown in the screen shots. Get that to work, then add your desired rules and test again.



This policy will allow the client to acquire an IP address through DHCP, resolve host names with DNS, surf anywhere using HTTP and HTTPS, but no other network service. Once you successfully test this policy, get rid of rules 3 and 4 and replace with your application (web site allow rule). Also maintain rule 5 to deny everything that doesn't fall into that category.
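
The rule ordering worked out over this thread, modelled as a first-match evaluator. This is an added example, not part of the thread and not vendor code. Source and destination are omitted because every rule in the thread uses Any/Any, and the application name `museum-site`, the service labels and the sample flows are constructed assumptions.

```python
# Added illustration: first-match evaluation of the user-profile firewall
# policies discussed in the thread. Rule and flow values are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    service: str   # "any", "dhcp", "dns", "http", "https", or "app:<name>"
    action: str    # "permit" or "deny"

@dataclass(frozen=True)
class Flow:
    service: str   # network service the client is using
    app: str = ""  # application signature the flow matches, if any

def evaluate(policy, flow, default="deny"):
    """Return the action of the first rule that matches the flow."""
    for rule in policy:
        if rule.service == "any" or rule.service == flow.service:
            return rule.action
        if rule.service.startswith("app:") and rule.service[4:] == flow.app:
            return rule.action
    return default

MUSEUM = "museum-site"  # hypothetical custom application name

# Policy after the first replies: site allow rule, then Any Any Any Deny.
two_rule = [Rule(f"app:{MUSEUM}", "permit"), Rule("any", "deny")]
# Policy after adding DHCP and DNS ahead of the other two rules.
final = [Rule("dhcp", "permit"), Rule("dns", "permit")] + two_rule

# What a visitor's device does, in order, to load the audio tour.
SESSION = [Flow("dhcp"), Flow("dns"), Flow("https", app=MUSEUM)]
OFFSITE = Flow("https", app="other-site")

def session_works(policy):
    """True only if every step needed to reach the museum site is permitted."""
    return all(evaluate(policy, f) == "permit" for f in SESSION)

def report(policy):
    """Map each sample flow to the action the policy gives it."""
    return {f.service + ("/" + f.app if f.app else ""): evaluate(policy, f)
            for f in SESSION + [OFFSITE, Flow("ssh")]}

if __name__ == "__main__":
    for name, pol in (("two_rule", two_rule), ("final", final)):
        print(name, session_works(pol), report(pol))
```

With the two-rule policy the client is denied at the DHCP step, so it never obtains an address; with the four-rule policy the museum site loads while other sites and other services hit the final deny.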