Setting up your Block Page and your Block Page Bypass
An important step in the Policy Configuration for Umbrella is ensuring you're giving the right information to your users if they are blocked under Security or Content categories. As the Umbrella administrator, you may wish to exempt users from being blocked during certain times and you can set up the rights to do that as well.
There are five parts to this article:
- Getting Started with Block Page Appearance Settings
- Using a Block Page Redirect Instead of a Block Page
- Creating a Block Page Bypass User
- Creating a Block Page Bypass Code
- Interacting with the Block Page as a User
A Block Page is the page that's displayed in the browser when a user of your Umbrella service tries to go to a website that's been blocked under the category defined by the Policy for the Identity that user falls under.
A Block Page Bypass is the method by which certain users who have been given special authority can bypass a normal Block Page.
There are two ways you can bypass a block page: having a user account (a bypass user) or having a special code (a bypass code).
A Block Page Bypass User is a special user account that gives the rights to certain individuals (or a group of individuals) to go to blocked sites while still being part of the enforcement given to the larger policy group they belong to.
A Block Page Bypass Code is a code that can be given to certain individuals or groups of individuals to allow them to go to some or all blocked websites until such time as the code expires.
|
Not all categories can be bypassed. If a user is blocked for a Security or Malware Category, the site is considered malicious and should not be accessed under any circumstances. If you think a domain shouldn't be blocked, please email us at security-block@opendns.com. If you'd like to know more about a block or have us review it in more detail, open a case by emailing umbrella-support@cisco.com with information about the domain and our support and security teams will review. The following Policy Settings can be bypassed:
|
Getting Started with Block Page Appearance Settings
To start, navigate to Policies > Block Page Appearance. Click the '+' icon at the top to create your first block page appearance:
- Set the description of your Block Page Settings first, as you will refer to this name when building policies
- If you'd like, set an e-mail address for yourself or the group of Administrators at your organization.
You can set the appearance of the Block Page to let users know:
- Who they should email if they would like to visit this page
- Which web URL they can go to for further information
- Which domain they tried to access. This can be added to a custom message with the [domain] variable.
- Show a custom logo, such as your company's brand or logo, so it's clear where the block is coming from.
You can also create different block pages for different types of blocking: Content, Destination Lists, Phishing or Security Settings. Just select the Differently radio button:
To upload a custom image, just click the checkmark for "Show a custom logo", then upload an image of whatever block page image you'd like your users to see.
Whatever settings you've picked can be previewed before you apply them to a policy
Using a Block Page Redirect instead of a Block Page
As an alternative to having a static block page, you can redirect users to another page such as the website for your Organization's Acceptable Use Policy.
If you redirect users to a different URL, you do not need to include http://. However, if you wish to send them to an encrypted web page, you should include https:// before the URL.
Note:
If a Policy has a Block Page User or a Block Page Code applied to it, the Block Page Redirect will be disabled. This is because it is not possible to bypass a block when the block immediate redirects to another page.
Setting up a Block Page Bypass User
A "Block Page Bypass" user is special username and password that can be given to one or more users in order to provide them the rights to bypass pages that are typically blocked through policy. This user can be thought of as being a special set of rights that are given to individuals as required. The Block Page Bypass user has no ability to log into the dashboard or do any administrative functions other than bypass blocked sites.
To create a block page user, go to Policies > Block Page Settings > Bypass Users. Alternately, the block page bypass user can be created by editing the Block Page Appearance in the summary for your Default Policy or any other policy. The edit for this setting is in the lower right corner of the policy summary:
Expand the "Bypass user" setting and select Create New:
To make an existing user into a bypass user, pick the user from the dropdown (the user must already exist) and select whether they should be able to bypass everything or just some categories & destination lists. When a block page shows up, the user then enters their credentials and bypasses it.
The "Block Page Bypass" user gives the rights to certain individual people, or a group of people to go to blocked sites while still being part of the enforcement given to the larger policy group they belong to.
To setup a brand new bypass user, that is, a user account that can be used to authenticate against the block page and continue browsing, first, create the user with the Block Page Bypass role.
Navigate to Settings > Accounts and create an account (click the '+' icon to add) and selectthe role for BPB User from the drop-down list.
Once you click Create in the lower right-hand corner, you'll be given a chance to Configure the Block Page Bypass settings for that account.
Click Yes and that will take you back to the Bypass Users settings. Alternately, if you click No Thanks, you can change the settings for the user you've created under Block Page Settings > Bypass Users or add the settings as part of the policy summary as described earlier.
Creating a Block Page Bypass Code
A Block Page Bypass Code is a code that can be given to users over e-mail, instant messenger or the phone to allow an instant bypass of a particular blocked page.
A code can be created quickly under Policies > Block Page Settings > Bypass Codes or added dynamically as part of the policy summary by clicking "Edit" for the Block page applied:
The Code can be set to either allow access to all sites or a subset of the content category or destination lists you've defined.
The code can be set to expire at a day in the future and at an hour of that date.
Tip:
If you want a code to never expire, set it for 10 years in the future as in the example below
WARNING!
If a Policy does not have a Block Page User or a Block Page Code applied to it, the Block Page Redirect will be disabled and the standard block page will appear. Codes and Users will not work unless they are first enabled.
Removing a Bypass Code
To remove a bypass code, open the Block Page Settings area on the left-hand side of the configuration tab, then select Bypass Codes. Expand the code you want to delete and simply hit delete and accept the warning:
Interacting with a Block Page As a User
As an administrator, you can preview the block page in the settings. However, not all elements of the page will be accurately reflected in the Preview Mode. This is a problem that's being worked on and will change in the future.
As a standard (non-bypass) user, if you were to go to a website blocked under your Umbrella Policy, you would see a standard block page like this. This example has a custom block page message that includes a link to an acceptable use policy from this Organization, as well as a custom logo for this Organization.
Note:
Keep in mind that the block page bypass will not work with domains blocked due to malicious activity (such as malware or phishing). You can only access the bypass block page if the domain was blocked due to content category settings or domain block lists. The "Admin" link will not appear if the domain was blocked as malicious activity.
At the bottom of the block page, there are two hyperlinks that may appear:
- Contact your network administrator—E-mail the administrator's email f you had optionally provided it in the Settings
- Admin—This allows a user with a bypass user or a code to access the part of the page that asks for that information. Below is the same block page for a Policy that has both a User and a Code configured for it.
Appended Umbrella HTTP Query Parameters
For templates of the information presented below, please see our template source GitHub!
When choosing to use custom block page, a qualifying event such as a bad or blocked domain name triggers Umbrella to call the URL specified and append several HTTP query parameters, including but not limited to the parameters defined in the following table.
| HTTP Parameter | Description |
|---|---|
| url |
ROT13 and Percent encoded URL (domain) that was entered by end-user. Encoding ensures pass-through to internal resource in environments where other firewall and filtering is employed. Encoded URL: jjj.cynlobl.pbz%2Fzntnmvar%2Fsrngherf%2F |
| type |
The request type that triggered the redirect event. Types include: |
| cats |
When the redirection is the result of a request blocked because it matches configured OpenDNS Web content filtering categories, those matches are presented as a Percent-encoded JSON object. For example, the domain entered by the user is found in the OpenDNS Nudity and Pornography categories, so the following is sent: |
Umbrella performs minimal validation of custom URLs to allow the use of the widest range of internal resources. The only requirements are that the URL have a scheme (i.e. the http:// part) and a domain (one or more alpha numeric characters after the scheme and before the optional trailing forward-slash).
Comments
0 comments
Article is closed for comments.