This article applies to the Smoothwall Filter & Firewall On-Prem solution in either Hardware or VM form.
What is a Walled Garden?
A 'Walled Garden' environment is a filtering policy setup whereby a specific group of users (identified either by their Smoothwall group map or as individual users selected in the creation of the policy set) is prohibited from accessing all but a very select number of domains or sites.
In education, this is most applicable to online exams, where the examination software or website needs to be allowed but all other web content blocked.
What is required?
Firstly, as with any filtering policy, a Walled Garden policy set requires that we can identify to whom, where, or when the restrictions apply. A Walled Garden can be built around one or more of the following Filter Policy elements:
- Who: The individual user or user-group to whom the policy applies.
- Where: A network location (an IP or range of IPs) that the policy will apply to.
- When: A time slot during which the policy will be active.
For example, you may create a Walled Garden that applies only between 12:00 and 13:00 and restricts all users to a handful of available domains, or you may create a Location containing a number of machines that may access only certain categories or specific sites for a specific purpose.
Regarding the 'Who', it is common to have a specific group on the local Windows Domain / LDAP server that users can be made a member of. In this case, mapping directory groups to a purpose-made local group makes user group identification straightforward.
Secondly, once it is established where, when, or to whom restrictions are to be applied, we need to understand what content should be allowed to the users. This can be achieved by:
- Creating a Category Group that contains the allowed categories for the restricted users.
- Creating a Custom Category that contains the domains they will require access to.
- A combination of both.
Creating a Policy
Creating the Web Filter policy to set up the Walled Garden is best done within a policy folder, so the two policies that make up the set are kept in the correct order and the whole policy stack can be enabled or disabled as required.
See our KB Article - Smoothwall Filter & Firewall: Creating Web Filter Policies.
Ultimately, three filtering policy entries are made:
- The Policy Folder that contains one or more 'parent' objects (the Who, Where, or When).
- A policy to 'Allow' or 'Do Not Filter' the content that is permitted in the What field.
- A policy to Block the 'Everything' category in the What field.
See below an example setup detailing the correct order of policies.
In the absence of a 'Do Not Filter' policy, you may wish to set up another Walled Garden policy set, or single policy, to add or remove HTTPS Inspection for the allowed category or category group.
If the allowed domains pertain to web-enabled software packages installed on client machines, you may also need to consider Authentication Exceptions.
Final Notes on Walled Garden Environments
Care should be taken when setting up a Walled Garden environment to ensure that the websites that are ultimately permitted work correctly, and that any supporting domains that host content for the site externally are also allowed through the filter; otherwise sites may not function or present correctly in the browser. Be sure to allow sufficient time for testing the environment before deploying it in a live scenario.
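One way to find missing supporting domains during testing, as an added example that is not Smoothwall code: load the permitted site in a browser on an unrestricted test machine, export the network log as a HAR file, and compare every requested hostname against the domains planned for the Custom Category. The domain names and HAR content are constructed samples, and the matching rule (an entry covers that host and its subdomains) is an assumption to check against your filter's behaviour.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: domains planned for the Walled Garden Custom Category.
ALLOWED_DOMAINS = ["exam.example.org", "examcdn.example.net"]

# Constructed sample: trimmed HAR export from loading the exam site in a browser.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://exam.example.org/login"}},
    {"request": {"url": "https://static.exam.example.org/app.js"}},
    {"request": {"url": "https://EXAMCDN.example.net:443/style.css"}},
    {"request": {"url": "https://fonts.example.com/font.woff2"}},
    {"request": {"url": "https://notexam.example.org/pixel.gif"}},
]}})


def hosts_from_har(har_text):
    """Return the set of lowercase hostnames requested in a HAR export."""
    har = json.loads(har_text)
    hosts = set()
    for entry in har.get("log", {}).get("entries", []):
        host = urlsplit(entry["request"]["url"]).hostname
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts


def is_allowed(host, allowed):
    """Assumed rule: an entry covers that exact host and any subdomain of it."""
    for domain in allowed:
        d = domain.lower().strip().rstrip(".")
        # The leading dot stops 'notexam.example.org' matching 'exam.example.org'.
        if host == d or host.endswith("." + d):
            return True
    return False


def missing_domains(har_text, allowed):
    """Hostnames the page requested that the allow list does not cover."""
    return sorted(h for h in hosts_from_har(har_text) if not is_allowed(h, allowed))


if __name__ == "__main__":
    for host in missing_domains(SAMPLE_HAR, ALLOWED_DOMAINS):
        print("not covered by allow list:", host)
```

Each hostname reported is a candidate for review before it is added to the allowed content; only those the site genuinely needs should be added.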
In cases where a Walled Garden is created to entirely block web access, and this policy is based on a specific user group, take care to ensure the Authentication Exceptions list is correctly vetted and, where possible, entirely empty. Requests to content in this list may not be grouped in line with the user's AD groups (due to the exemption from authentication lookup on the web request) and so may allow content to users who should otherwise be denied it.