This manual will explain the functionality and configuration of the module Application Control.
- The module Application Control must be licensed separately.
- Note that Application Control can cause high CPU usage and therefore requires additional resources; for suggestions, refer to the hardware requirements.
- It is not recommended to enable more than 20 protocols at the same time.
The IACBOX module Application Control allows you to log, restrict or block about 190 different applications and network protocols within the Surf-LAN. This allows you to get an overview (log) of the Surf-LAN activities to then restrict (e.g. online streaming) and/or block (e.g. filesharing) different protocols and applications.
Differences between BASIC and PRO
The Application Protocol Module is available in 2 different versions, BASIC and PRO. The main differences are explained below. The BASIC Edition consists of the following functionality:
- Logging, blocking and shaping of over 190 Applications and Protocols
- Realtime Reports of current statistics
- Up to 20 independent Bandwidth Groups to shape Applications
- One global Application Control Profile
The PRO Edition extends the BASIC features with the following functionality:
- Create unlimited Application Control Profiles and assign them to ticket Templates and VLANs/Routes
- Unlimited Bandwidth Groups
- Detailed statistics over time for detected and filtered Applications/Protocols
- Add custom Applications with your own rules
After activating the Application Control in the menu Modules / Application Control, navigate into the Profiles Tab and click on the Edit Icon on the right side to open up the Applications/Protocols selection.
In this selection, you can decide to drop, deny or shape specific entries or whole groups of related entries.
An explanation of the possible actions per Application/Protocol can be found below:
- Drop - Selecting “Drop” for an Application/Protocol means that it will be dropped silently, without any answer to the requesting client or server.
- Reject - This Setting will actively return a Deny (e.g. a TCP Deny).
- Shaping - This Setting allows you to select a Bandwidth Group in order to limit the bandwidth of one or multiple Applications/Protocols.
After configuring the standard or a custom profile, it still must be assigned to a Ticket Template, a VLAN or a Route to take effect. To assign Application Control profiles to a Ticket Template, navigate to the WebAdmin menu Tickets / Templates, edit a Template and select the favoured profile in the “Application Control Profile” dropdown menu. If you did not create a custom profile, then only the default one will be selectable here.
If you want to do this for a whole VLAN or a Route, then the same assignment is possible in either Security / VLANs or Security / Routes. Note that for VLANs and Routes this can only be applied for Logon Methods which are overridden, like the Autologon or the Auto pass-through, because for regular Tickets the Application Control Assignment is already handled via Ticket Templates.
The most common use-cases are listed below:
- Restrict the Bandwidth for Streaming sites for free Tickets, while allowing unrestricted access for Paid Tickets
- Prevent access to possibly illegal filesharing platforms in public or educational environments
- Block a variety of game launchers and social media applications to avoid distraction for children and students in educational environments
- Prevent Applications from updating to save bandwidth at locations with a limited internet connection
There are several different statistics, depending on whether you own the BASIC or PRO version of the Application Control.
- Full, sortable graphical Insights can be viewed, filtered, and searched for in the Application Control front page - this is only available for the PRO version.
- An overview of what is currently being detected can be viewed on the Application Control WebAdmin page, by navigating into the Tab “Reporting”.
- A generic overview of the last 24 hours can be viewed in the WebAdmin Dashboard