I'm looking for a reliable web filtering setup for approximately 300 users across multiple locations. We've previously used Fortigate with AD-based web filtering, which worked well until we transitioned to Azure AD. After joining devices to Azure AD, we encountered issues with logging into our domain controllers, which disrupted our group-based filtering. Currently, we have switched to Meraki MX for SD-WAN, but attempts at integrating AD for content filtering led to performance issues due to excessive WMI calls.
Management requests a solution that allows for exceptions for departments like marketing, which needs access to social media, and a short open window during lunch for general browsing. Ideally, the solution should handle standard web filtering while also incorporating AI threat detection features, and it should function effectively with both on-prem and Azure AD joined devices without compromising performance. Has anyone successfully implemented such a system?
5 Answers
Here's a tip: set up time-based policies for social media during lunch hours instead of maintaining a giant list of exceptions. For instance, you can allow general web access from 12:30 to 1:30 PM for everyone, but give marketing all-day access. This simplifies audits and helps maintain control. Also, ensure that your AI threat detection doesn't block legitimate activity, especially when people are working on marketing tasks.
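As an added example (not from this thread), here is a vendor-neutral sketch of the rule ordering that answer describes: threat categories always blocked, Marketing allowed social media all day, everyone allowed it over a lunch window, blocked otherwise. The category and group names are constructed; the group set can come from on-prem AD or Azure AD, the policy does not care which.

```python
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    """One filtering rule: first matching rule wins, so order the list deliberately."""
    name: str
    categories: FrozenSet[str]
    groups: FrozenSet[str] = frozenset()   # empty set = applies to every user
    start: Optional[time] = None            # local-time window [start, end), site local time
    end: Optional[time] = None
    action: str = "allow"

    def matches(self, category: str, user_groups: FrozenSet[str], now: time) -> bool:
        if category not in self.categories:
            return False
        if self.groups and not (self.groups & user_groups):
            return False
        if self.start is not None and self.end is not None and not (self.start <= now < self.end):
            return False
        return True

# Constructed policy modelled on the answer above (hypothetical category/group names).
POLICY: List[Rule] = [
    Rule("threat-block", frozenset({"malware", "phishing"}), action="block"),
    Rule("marketing-social", frozenset({"social-media"}), frozenset({"Marketing"})),
    Rule("lunch-window", frozenset({"social-media"}), start=time(12, 30), end=time(13, 30)),
    Rule("social-block", frozenset({"social-media"}), action="block"),
]

def evaluate(policy: List[Rule], category: str, user_groups: FrozenSet[str],
             now: time, default: str = "allow") -> Tuple[str, str]:
    """Return (action, rule name); log the rule name so audits show why a request was decided."""
    for rule in policy:
        if rule.matches(category, user_groups, now):
            return rule.action, rule.name
    return default, "default"

def check(category: str, groups, hhmm: str) -> Tuple[str, str]:
    """Convenience wrapper: groups as any iterable, time as 'HH:MM' in the site's local time."""
    return evaluate(POLICY, category, frozenset(groups), time.fromisoformat(hhmm))

if __name__ == "__main__":
    for args in [("social-media", ["Marketing"], "09:00"),
                 ("social-media", ["Sales"], "13:00"),
                 ("social-media", ["Sales"], "13:30"),
                 ("phishing", ["Marketing"], "13:00")]:
        print(args, "->", check(*args))
```

Note the window end is exclusive, so 13:30 already falls back to the block rule; evaluate with each site's local time when locations span time zones.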
With around 300 users, it's crucial to pick a web filtering solution that isn’t reliant on DC group memberships since Azure AD devices need to work seamlessly. Have you considered a cloud-native filter that uses tagging or policies based on Azure groups instead of GPOs? That could keep things running smoothly.
Since you're dealing with multiple locations and a mix of on-prem and Azure AD machines, ensure your filtering solution supports local enforcement when the cloud fails, plus cloud policies for Azure devices. Also, keep an eye out for comprehensive logging to monitor all users, or you could end up blind on Azure AD accounts.
You mentioned performance issues before, so it's vital to choose a filtering solution with its own appliance or VM, plus good exception handling for departments like marketing. Consider a lightweight AI threat detection module that runs alongside your filter rather than being built into it, so it doesn’t slow everything down.
While I'm not entirely sure how Cisco's Umbrella would fit your needs, it functions well as a DNS layer filter. I've seen it used in hybrid setups, and with the AD connectors, you can manage filtering based on AD group memberships effectively. We have around 2000 users on it, and it has some limitations, but it might be worth considering for your situation.