Cisco Web Security Appliance S160 User Guide
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 8 Identities
Evaluating Identity Group Membership
You might want to group the following types of users or machines:
• A group of machine addresses in a test lab. You can create a Routing Policy with this Identity so requests from these machines are fetched directly from the destination server.
• All authenticated users based on the All Realms authentication sequence. You can create a single Access Policy using this Identity, or you can create a different Access Policy for each authentication realm and configure different control settings for users in each realm.
• Users accessing the Web Security appliance on a particular proxy port. You can create a Routing Policy using this Identity that fetches content from a particular external proxy for requests that explicitly connect to the appliance on a particular proxy port.
• All subnets trying to access a website in a user defined URL category do not require authentication. You can create an Access Policy using this Identity to exempt requests to particular destinations from authentication. You might want to do this for Windows update servers.
Define Identities on the Web Security Manager > Identities page. For more information about creating
Identities, see
.
Evaluating Identity Group Membership
When a client sends a request to a server, the Web Proxy receives the request, evaluates it, and determines
to which Identity group it belongs.
To determine the Identity group that a client request matches, the Web Proxy follows a very specific
process for matching the Identity group membership criteria. During this process, it considers the
following factors for group membership:
• Subnet. The client subnet must match the list of subnets in a policy group.
• Protocol. The protocol used in the transaction, either HTTP, HTTPS, SOCKS, or native FTP.
• Port. The proxy port of the request must be in the Identity group’s list of ports, if any are listed. For explicit forward connections, this is the port configured in the browser. For transparent connections, this is the same as the destination port.
  You might want to define Identity group membership on the proxy port if you have one set of clients configured to explicitly forward requests on one port, and another set of clients configured to explicitly forward requests on a different port.
• User agent. The user agent making the request must be in the Identity group’s list of user agents, if any are listed. You might want to group by user agent for user agents that cannot handle authentication and you want to create an Identity that does not require authentication.
• URL category. The URL category of the request URL must be in the Identity group’s list of URL categories, if any are listed. You might want to group by URL destination category if you create different authentication groups based on URL categories and want to apply them to users depending on the website categorization.
• Authentication requirements. If the Identity group requires authentication, the client authentication credentials must match the Identity group’s authentication requirements. For more information about how authentication works with Identity groups, see
The information in this section gives an overview of how the appliance matches client requests to
Identity groups. For more details on exactly how the appliance matches client requests, see
.
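The membership criteria listed above, modelled as an added Python sketch (not Cisco code and not the appliance's configuration format). The class and field names, the sample Identities, substring user-agent matching, an empty subnet list meaning any subnet, first-match ordering, and the boolean `authenticated` flag are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Identity:  # hypothetical model, not the appliance's configuration schema
    name: str
    subnets: tuple = ()         # assumption: empty means any client subnet
    protocols: tuple = ()       # HTTP, HTTPS, SOCKS, FTP
    ports: tuple = ()           # constrains only "if any are listed"
    user_agents: tuple = ()     # assumption: matched as substrings
    url_categories: tuple = ()
    requires_auth: bool = False

@dataclass
class Request:
    client_ip: str
    protocol: str
    proxy_port: int
    user_agent: str
    url_category: str
    authenticated: bool = False  # simplification of credential matching

def _listed(values, item):
    # An empty list places no constraint on the request.
    return not values or item in values

def is_member(idn, req):
    ip = ipaddress.ip_address(req.client_ip)
    if idn.subnets and not any(ip in ipaddress.ip_network(s) for s in idn.subnets):
        return False
    if idn.user_agents and not any(ua in req.user_agent for ua in idn.user_agents):
        return False
    return (_listed(idn.protocols, req.protocol) and _listed(idn.ports, req.proxy_port)
            and _listed(idn.url_categories, req.url_category)
            and (not idn.requires_auth or req.authenticated))

def evaluate(identities, req):  # assumption: first match in list order wins
    return next((i.name for i in identities if is_member(i, req)), None)

def broad_auth_exemptions(identities):
    # Review aid: no-auth Identities not narrowed by subnet or URL category.
    return [i.name for i in identities
            if not i.requires_auth and not (i.subnets or i.url_categories)]

IDENTITIES = [  # constructed sample policy
    Identity("TestLab", subnets=("10.10.0.0/24",)),
    Identity("UpdateExempt", url_categories=("Windows Update",)),
    Identity("NoAuthAgents", user_agents=("LegacyUpdater",)),
    Identity("AllRealms", requires_auth=True)]
```

`broad_auth_exemptions(IDENTITIES)` returns the Identities that skip authentication on the strength of a user agent or port alone, which are the entries to review first when auditing a policy table.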