Recommended group structure

Web Gateway and UTM have a powerful grouping mechanism, with groups organised into a tree, and users, networks and individual computers assigned to one or more of the groups. Settings such as web and mail filtering and permissions can be set on each group and are, by default, inherited by the groups, users and networks beneath it. Please refer to the group inheritance knowledgebase article for more in-depth information about how group inheritance works. This configuration can be found under the Users & Groups tab.

There are very few restrictions placed on the groups, so you are free to arrange them as you wish, but the recommendations below provide a good starting point and are based on many years of experience. This is a typical structure for a secondary school:

  • GROUP: Everyone
    • GROUP: Administrators
    • GROUP: Anonymous
    • GROUP: Networks
      • NETWORK: 10.0.0.0/8
      • GROUP: Staff wifi
        • NETWORK: 10.1.0.0/16
      • GROUP: Student wifi
        • NETWORK: 10.2.0.0/16
      • GROUP: Guest wifi
        • NETWORK: 10.1.0.0/16
      • GROUP: Trusted email senders
        • NETWORK: 10.254.254.5/32
        • NETWORK: 10.254.254.23/32
    • GROUP: Staff
    • GROUP: Students
      • GROUP: Lower school
        • GROUP: Year7
        • GROUP: Year8
        • GROUP: Year9
      • GROUP: Upper school
        • GROUP: Year10
        • GROUP: Year11
      • GROUP: Sixth form
        • GROUP: Year12
        • GROUP: Year13

There are a few special groups. Everyone is always at the root of the tree. Users within the Administrators group have administrative access to the system. The Anonymous group is also a special case and is used in situations where no other groups are applicable. Typically the Administrators group contains just a single user called administrator, and the Anonymous group is left empty.

Whilst there are no restrictions regarding mixing users and networks within a group, we recommend keeping them separate in most cases, and the Networks group is a convenient place to put your networks. Using the Create Network button, create network objects directly within the Networks group for your entire LAN. Often this will be a single entry for 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16, but some schools may have more complex networks that require multiple network objects to be created. In the example above, we have defined a single 10.0.0.0/8 network.

You can create subgroups for specific parts of your network. In the example above, we have created the groups Staff wifi, Student wifi and Guest wifi and added an appropriate network within each. This allows us to set specific configuration for those networks. For example, in the web proxy module, we may disable authentication and active HTTPS interception for Guest wifi, or set the proxy's authentication profile to Single user devices for Staff wifi and Student wifi. We have also created a Trusted email senders group that can be used to turn off the mail server's authentication for specific devices.

If your network is divided into subnets geographically (e.g. a separate subnet for each classroom), configuring each subnet here will also allow you to use Virtual Groups to apply custom configuration based on location. For example, you may want to relax the filtering in locations that will always be supervised.
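To make the inheritance rule from the introduction and the network subgroups above concrete, here is an added Python model of the example tree. It is not the product's own code or configuration: the setting names (`web_auth`, `https_interception`, `mail_auth`, `web_auth_profile`) and the resolution rules (nearest ancestor wins for settings; longest prefix wins for address matching) are this example's own assumptions about how such a tree is evaluated. It also includes a check a practitioner would want before relying on a tree like this: as listed above, Staff wifi and Guest wifi both contain 10.1.0.0/16, so a client in that range matches two sibling groups with opposite authentication settings, and the `find_ambiguous_networks` function reports exactly that kind of overlap.

```python
# Added example (not the product's own code or configuration): a small model
# of the group tree from this article, showing how settings set on a group
# are inherited by the groups and networks beneath it, and how a client
# address is matched to the most specific network group.
import ipaddress
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple


@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None
    children: List["Group"] = field(default_factory=list)
    networks: List[ipaddress.IPv4Network] = field(default_factory=list)
    settings: Dict[str, Any] = field(default_factory=dict)  # explicit overrides only

    def add_group(self, name: str, **settings: Any) -> "Group":
        child = Group(name, parent=self, settings=dict(settings))
        self.children.append(child)
        return child

    def add_network(self, cidr: str) -> None:
        self.networks.append(ipaddress.ip_network(cidr))

    def effective(self, key: str, default: Any = None) -> Any:
        """Inheritance (assumed rule): the group itself or its nearest ancestor
        that sets the key wins; a key nobody sets falls through to default."""
        node: Optional[Group] = self
        while node is not None:
            if key in node.settings:
                return node.settings[key]
            node = node.parent
        return default

    def walk(self):
        yield self
        for child in self.children:
            yield from child.walk()


def is_ancestor(a: Group, b: Group) -> bool:
    node = b.parent
    while node is not None:
        if node is a:
            return True
        node = node.parent
    return False


def build_tree() -> Group:
    """The network part of the article's example tree. Setting keys and values
    are hypothetical and stand in for the product's real per-group options."""
    everyone = Group("Everyone", settings={
        "web_auth": "required", "https_interception": True, "mail_auth": "required"})
    everyone.add_group("Administrators")
    everyone.add_group("Anonymous")
    networks = everyone.add_group("Networks")
    networks.add_network("10.0.0.0/8")
    staff = networks.add_group("Staff wifi", web_auth_profile="Single user devices")
    staff.add_network("10.1.0.0/16")
    student = networks.add_group("Student wifi", web_auth_profile="Single user devices")
    student.add_network("10.2.0.0/16")
    guest = networks.add_group("Guest wifi", web_auth="disabled", https_interception=False)
    guest.add_network("10.1.0.0/16")  # the range exactly as listed in the article
    trusted = networks.add_group("Trusted email senders", mail_auth="disabled")
    trusted.add_network("10.254.254.5/32")
    trusted.add_network("10.254.254.23/32")
    everyone.add_group("Staff")
    everyone.add_group("Students")
    return everyone


def groups_for_ip(root: Group, ip: str) -> List[str]:
    """Names of every group whose networks contain ip, longest prefix first."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, g.name) for g in root.walk() for net in g.networks if addr in net]
    hits.sort(key=lambda h: h[0], reverse=True)  # stable sort: ties keep tree order
    return [name for _, name in hits]


def find_group(root: Group, name: str) -> Group:
    return next(g for g in root.walk() if g.name == name)


def find_ambiguous_networks(root: Group) -> List[Tuple[str, str, str, str]]:
    """Check: network ranges that overlap between two groups where neither is an
    ancestor of the other. A parent's wider range legitimately contains its
    children's ranges, but overlapping sibling ranges leave a client matching
    both groups, so the intended configuration for it is ambiguous."""
    groups = list(root.walk())
    clashes: List[Tuple[str, str, str, str]] = []
    for i, g1 in enumerate(groups):
        for g2 in groups[i + 1:]:
            if is_ancestor(g1, g2) or is_ancestor(g2, g1):
                continue
            for n1 in g1.networks:
                for n2 in g2.networks:
                    if n1.overlaps(n2):
                        clashes.append((g1.name, g2.name, str(n1), str(n2)))
    return clashes


if __name__ == "__main__":
    tree = build_tree()
    for ip in ("10.2.7.1", "10.254.254.5", "10.9.9.9", "10.1.5.9"):
        print(ip, "->", groups_for_ip(tree, ip))
    print("Guest wifi https_interception:",
          find_group(tree, "Guest wifi").effective("https_interception"))
    print("Overlapping sibling networks:", find_ambiguous_networks(tree))
```

Running the script shows an address in Student wifi inheriting HTTPS interception from Everyone while Guest wifi overrides it, the Trusted email senders hosts matching their /32 before the /8 under Networks, and the 10.1.0.0/16 clash reported by the overlap check. Whatever the product actually does with overlapping sibling ranges, the safe course is to make them disjoint so the effective settings for any client are unambiguous.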

The remaining groups will contain your users. Some schools may choose to create subgroups within the Staff group in order to subdivide the staff, whilst prep schools often organise all of the students under a single Students group rather than dividing them into year groups. There is a balance to be struck between the flexibility of a group tree that is subdivided into many groups versus the management overhead of maintaining that structure, and this will vary from school to school.