Application Control
General information
The IACBOX module Application Control allows logging, restricting or blocking about 190 different applications and network protocols within the Surf-LAN. This makes it possible to first get an overview (log) of the Surf-LAN activities and then restrict (e.g. online streaming) and/or block (e.g. filesharing) different protocols and applications.
- The module Application Control must be licensed separately
- Note that Application Control can cause high CPU usage and therefore requires additional resources; for suggestions, refer to the hardware requirements
- It is not recommended to enable more than 20 protocols at the same time
Differences between BASIC and PRO
The Application Protocol Module is available in two different versions, BASIC and PRO. The main differences are explained below.
The BASIC Edition provides the following functionality:
- Logging, blocking and shaping of over 190 Applications and Protocols
- Realtime Reports of current statistics
- Up to 20 independent Bandwidth Groups to shape Applications
- One global Application Control Profile
The PRO Edition extends all BASIC features with the following functionality:
- Create unlimited Application Control Profiles and assign them to Ticket Templates and VLANs/Routes
- Unlimited Bandwidth Groups
- Detailed statistics over time for detected and filtered Applications/Protocols
- Add custom Applications with custom rules
Configuration
After activating Application Control in the menu Network/Application Control, navigate to the Profiles tab and click the Edit icon on the right side to open the Applications/Protocols selection.
In the following pop-up, a sorted list of Applications allows for quick and easy management on a per-group or per-application basis.
An explanation of the possible actions per Application/Protocol can be found below:
- Drop - Selecting "Drop" for an Application/Protocol means that it will be dropped silently, without any answer to the requesting client or server.
- Reject - This setting will actively return a Deny (e.g. a TCP Deny).
- Shaping - This setting allows selection of a Bandwidth Group in order to limit the bandwidth of one or multiple Applications/Protocols.
After configuring the standard or a custom profile, it must still be assigned to a Ticket Template, a VLAN or a Route to take effect. To assign an Application Control Profile to a Ticket Template, navigate to the WebAdmin menu Users/Tickets/Templates, edit a Template and select the desired Application Control Profile from the dropdown menu.
For VLANs or Routes, the same assignment is possible in Network/VLANs or Network/Routes respectively. However, Application Control Profiles on a per-Route/VLAN basis only work for Login Methods where no Template is used (Autologin, Auto pass-through, …).
Use cases
The most common use cases are listed below:
- Restrict the bandwidth for streaming sites for free Tickets, while allowing unrestricted access for paid Tickets
- Prevent access to possibly illegal filesharing platforms in public or educational environments
- Block a variety of game launchers and social media applications to avoid distraction for children and students in educational environments
- Prevent applications from updating to save bandwidth at locations with a limited internet connection
- Block Apple updates: in order to block or bandwidth-shape OS and app updates for Apple devices, both applications “Apple Services” and “Apple Store” need to be used. This may also have an impact on other functionality of the devices.
Statistics
Both the BASIC and PRO versions of Application Control come with several statistics.
- Full, sortable graphical insights can be viewed, filtered and searched on the Application Control front page; this is only available in the PRO version.
- An overview of what is currently being detected can be viewed on the Application Control WebAdmin page, by navigating to the tab “Reporting”.
- A simple overview of the last 24 hours can be viewed in the WebAdmin Dashboard