Articles in this section

See more

Setting up a Block Page, a Block Page Bypass User and a Block Page Bypass Code

Avatar
Matt Prytuluk
  • Updated
Follow

Setting up your Block Page and your Block Page Bypass

 

An important step when configuring policies is to ensure that you're giving the right information to your users if they are blocked under Security or Content categories. As the Umbrella administrator, you may wish to exempt users from being blocked during certain times and you can set up the rights to do that as well.

Some helpful terms to know:

  • Block Page—The page that's displayed in the browser when a user of your Umbrella service tries to go to a website that's been blocked under the category defined by the Policy for the Identity that user falls under. 
  • Block Page Bypass—The method by which certain users who have been given special authority can bypass a normal Block Page. There are two ways you can bypass a block page:  having a user account (a bypass user) or having a special code (a bypass code).  
  • Block Page Bypass User—A special user account that gives the rights to certain individuals (or a group of individuals) to go to blocked sites while still being part of the enforcement given to the larger policy group they belong to. 
  • Block Page Bypass CodeA code that can be given to certain individuals or groups of individuals to allow them to go to some or all blocked websites until such time as the code expires. 

Not all categories can be bypassed. If a user is blocked for a Security or Malware Category, the site is considered malicious and should not be accessed under any circumstances. If you think a domain shouldn't be blocked, please email us at security-block@opendns.com. 

If you'd like to know more about a block or have us review it in more detail, open a case by emailing umbrella-support@cisco.com with information about the domain and our support and  security teams will review. 

The following Policy Settings can be bypassed:

  • Content category blocks
  • Destination list blocks (these are domain lists you've created)
  • The phishing security block

 

Getting Started with Block Page Appearance Settings

 
  1. Navigate to Policies > Block Page Appearance and click the + (Add) icon.

    Screen_Shot_2017-06-21_at_2.55.40_PM.png

  2. Give your block page a meaningful name and then select how to treat block pages: The Same or Differently.

    If you select Differently, you can select contextual block pages for different types of blocking: Blocked by Category SettingBlocked by Destination List SettingBlocked by Phishing Setting or Blocked by Security Setting.

    Optionally select for display a default message, select a custom message, or redirect users to a URL.

  3. Click Preview Block Page at any time to see what your Block page will look like.

  4. You can optionally check Allow blocked users to contact an admin from the block page and add a graphics file to display as a custom logo on the block page.

    This brands the block page, making it clear where the block is coming from.

 

Using a Block Page Redirect Instead of a Block Page

 

As an alternative to having a static block page, you can redirect users to another page such as the website for your Organization's Acceptable Use Policy. 

If you redirect users to a different URL, you do not need to include http://. However, if you wish to send them to an encrypted web page, you should include https:// before the URL.

 

Note:

If a Policy has a Block Page User or a Block Page Code applied to it, the Block Page Redirect will be disabled. This is because it is not possible to bypass a block when the block immediate redirects to another page.

 

 
 
You can set a redirect for some types of blocks but not others.  In this example, only Category Setting blocks are forwarded to the Acceptable Use landing page for the example organization:

Screen_Shot_2017-06-21_at_4.00.07_PM.png

 

Setting up a Block Page Bypass User

  

A "Block Page Bypass" user is special username and password that can be given to one or more users in order to provide them the rights to bypass pages that are typically blocked through policy. This user can be thought of as being a special set of rights that are given to individuals as required. The Block Page Bypass user has no ability to log into the dashboard or do any administrative functions other than bypass blocked sites.  

  1. Navigate to Policies > Block Page Settings > Bypass Users. Alternately, the block page bypass user can be created by editing the Block Page Appearance in the summary for your Default Policy or any other policy. The edit for this setting is in the lower right corner of the policy summary.

    bypass_users.jpg

  2. From the Bypass User drop-down list, choose a <user>.
    When a block page shows up, the user then enters their credentials and bypasses it.

  3. Select how the user can bypass a block page.
  4. Click Save.

    The "Block Page Bypass" user gives the rights to certain individual people, or a group of people to go to blocked sites while still being part of the enforcement given to the larger policy group they belong to.  

    Screen_Shot_2017-06-21_at_6.26.39_PM.png

 

To setup a brand new bypass user, that is, a user account that can be used to authenticate against the block page and continue browsing, first, create the user with the Block Page Bypass role.

  1. Navigate to Settings > Accounts and click the + (Add) icon.
  2. When creating an account, choose BPB User from the drop-down list.  

    Screen_Shot_2017-06-21_at_6.29.50_PM.png

  3. Once you click Create, you'll be given a chance to Configure the Block Page Bypass settings for that account.

    Screen_Shot_2017-06-21_at_6.32.28_PM.png

  4. Click Yes and that will take you back to the Bypass Users settings.
    Alternately, if you click No Thanks, you can change the settings for the user you've created under Block Page Settings > Bypass Users or add the settings as part of the policy summary as described earlier.

 

Creating a Block Page Bypass Code

 

A Block Page Bypass Code is a code that can be given to users through e-mail, instant messenger or the phone to allow an instant bypass of a particular blocked page. 

  1. Navigate to Policies > Block Page Settings > Bypass Codes or from the Summary page of a policy click Edit for the Block page applied.

    Screen_Shot_2017-06-21_at_7.21.27_PM.png
  2. Set the code to either allow access to all sites or a subset of the content category or destination lists you've defined.  
  3. The code can be set to expire at a day in the future and at an hour of that date. 
  4. Click Save.

 

Tip:

If you want a code to never expire, set it for 10 years in the future as in the example below

 

 
 

WARNING!

If a Policy does not have a Block Page User or a Block Page Code applied to it, the Block Page Redirect will be disabled and the standard block page will appear. Codes and Users will not work unless they are first enabled.

  

 

Removing a Bypass Code

 
  1. Navigate to Policies > Block Page Settings > Bypass Codes.
  2. Expand the code you want to delete and simply hit delete and accept the warning:

    Screen_Shot_2017-06-21_at_7.26.45_PM.png

 

Interacting with a Block Page As a User

 

As an administrator, you can preview the block page; however, not all elements of the page will be accurately reflected in Preview Mode. This is a problem that's being worked on and will change in the future.

As a standard (non-bypass) user, if you were to go to a website blocked under your Umbrella Policy, you would see a standard block page like this. This example has a custom block page message that includes a link to an acceptable use policy from this organization, as well as a custom logo for this organization.  

 

Note:

Keep in mind that the block page bypass will not work with domains blocked due to malicious activity (such as malware or phishing). You can only access the bypass block page if the domain was blocked due to content category settings or domain block lists. The "Admin" link will not appear if the domain was blocked as malicious activity.

 


 

 

sample_block_pag.jpg

At the bottom of the block page, there are two hyperlinks that may appear:

  • Contact your network administrator—E-mail the administrator's email f you had optionally provided it in the Settings
  • Admin—This allows a user with a bypass user or a code to access the part of the page that asks for that information. Below is the same block page for a Policy that has both a User and a Code configured for it.

 

Appended Umbrella HTTP Query Parameters

 

For templates of the information presented below, please see our template source GitHub!

When choosing to use custom block page, a qualifying event such as a bad or blocked domain name triggers Umbrella to call the URL specified and append several HTTP query parameters, including but not limited to the parameters defined in the following table.

HTTP Parameter Description
url

 

ROT13 and Percent encoded URL (domain) that was entered by end-user. Encoding ensures pass-through to internal resource in environments where other firewall and filtering is employed. 
ROT 13 & Percent Encoding Example :
Original URL: www.playboy.com/magazine/features 

Encoded URL: jjj.cynlobl.pbz%2Fzntnmvar%2Fsrngherf%2F
type

 

The request type that triggered the redirect event. Types include:
block- domain blocked due to configured Web content filtering 
phish- domain redirected due to url being known phishing site
cats

 

When the redirection is the result of a request blocked because it matches configured OpenDNS Web content filtering categories, those matches are presented as a Percent-encoded JSON object.

For example, the domain entered by the user is found in the OpenDNS Nudity and Pornography categories, so the following is sent: 
Original JSON object: ["Nudity","Pornography"] 
Encoded JSON object: %5B%22Nudity%22%2C%22Pornography%22%5D

Umbrella performs minimal validation of custom URLs to allow the use of the widest range of internal resources. The only requirements are that the URL have a scheme (i.e. the http:// part) and a domain (one or more alpha numeric characters after the scheme and before the optional trailing forward-slash). 

Related articles

Comments

0 comments

Article is closed for comments.