Application Control

General information

The IACBOX module Application Control allows you to log, restrict or block about 190 different applications and network protocols within the Surf-LAN. You can first get an overview (log) of the Surf-LAN activities and then restrict (e.g. online streaming) and/or block (e.g. filesharing) different protocols and applications.

Hint:

  • The module Application Control must be licensed separately.
  • Note that the Application Control can cause high CPU usage and therefore requires additional resources. For suggestions, refer to the hardware requirements.
  • It is not recommended to enable more than 20 protocols at the same time.

Differences between BASIC and PRO

The Application Protocol Module is available in 2 different versions, BASIC and PRO. The main differences are explained below. The BASIC Edition consists of the following functionality:

  • Logging, blocking and shaping of over 190 Applications and Protocols
  • Realtime Reports of current statistics
  • Up to 20 independent Bandwidth Groups to shape Applications
  • One global Application Control Profile

The PRO Edition expands all BASIC features with the following functionality:

  • Create unlimited Application Control Profiles and assign them to ticket Templates and VLANs/Routes
  • Unlimited Bandwidth Groups
  • Detailed statistics over time for detected and filtered Applications/Protocols
  • Add custom Applications with your own rules

Configuration

After activating the Application Control in the menu Network/Application Control, navigate into the Profiles Tab and click on the Edit Icon on the right side to open up the Applications/Protocols selection.

In this selection you can decide to drop, deny or shape specific entries or whole groups of related entries.

An explanation of the possible actions per Application/Protocol can be found below:

  • Drop - Selecting "Drop" for an Application/Protocol means that it will be dropped silently, without any answer to the requesting client or server.
  • Reject - This setting will actively return a Deny (e.g. a TCP Deny).
  • Shaping - This setting allows you to select a Bandwidth Group in order to limit the bandwidth of one or multiple Applications/Protocols.

After configuring the standard or a custom profile, it must still be assigned to a Ticket Template, a VLAN or a Route to take effect. To assign Application Control profiles to a Ticket Template, navigate to the WebAdmin menu Users/Tickets/Templates, edit a Template and select the favoured profile in the "Application Control Profile" dropdown menu. If you did not create a custom profile, only the default one will be selectable there.

If you want to do this for a whole VLAN or a Route, the same assignment is possible in either Network/VLANs or Network/Routes. Note that for VLANs and Routes this can only be applied for Login Methods which are overridden, like the Autologin or the Auto pass-through, because for regular Tickets the Application Control assignment is already handled via Ticket Templates.

Use cases

The most common use-cases are listed below:

  • Restrict the Bandwidth for Streaming sites for free Tickets, while allowing unrestricted access for Paid Tickets
  • Prevent access to possibly illegal filesharing platforms in public or educational environments
  • Block a variety of game launchers and social media applications to avoid distraction for children and students in educational environments
  • Prevent Applications from updating to save bandwidth at locations with a limited internet connection
  • Block Apple Updates: to block or bandwidth-shape OS and app updates for Apple devices, both applications “Apple Services” and “Apple Store” need to be used. This may also have an impact on other functionality of the devices.

Statistics

There are several different statistics, depending on whether you own the BASIC or PRO version of the Application Control.

  • Full, sortable graphical Insights can be viewed, filtered and searched on the Application Control front page. This is only available for the PRO version.

  • An overview of what is currently being detected can be viewed on the Application Control WebAdmin page, by navigating into the Tab “Reporting”.

  • A generic overview of the last 24 hours can be viewed in the WebAdmin Dashboard.
