Cisco Web Security Appliance S190 User Guide
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
Chapter 10 Decryption Policies
Evaluating Decryption Policy Group Membership
After the Web Proxy assigns an Identity to a client request, it evaluates the request
against the other policy types to determine which policy group it belongs to for each
type. When the HTTPS Proxy is enabled, it evaluates HTTPS requests against the
Decryption Policies. When the HTTPS Proxy is not enabled, it evaluates HTTP
requests against the Access Policies.
When an HTTPS request gets decrypted, the Web Proxy evaluates the decrypted
request against the Access Policies. For more information about how the Web
Proxy evaluates Access Policies, see
.
The Web Proxy applies the configured policy control settings to a client request
based on the client request’s policy group membership.
To determine the policy group that a client request matches, the Web Proxy
follows a specific process for matching the group membership criteria. During
this process, it considers the following factors for group membership:
• Identity. Each client request either matches an Identity, fails authentication
  and is granted guest access, or fails authentication and gets terminated. For
  more information about evaluating Identity group membership, see
  .
• Authorized users. If the assigned Identity requires authentication, the user
  must be in the list of authorized users in the Decryption Policy group to match
  the policy group.
• Advanced options. You can configure several advanced options for
  Decryption Policy group membership. Some of the options (such as proxy
  port and URL category) can also be defined within the Identity. When an
  advanced option is configured in the Identity, it is not configurable at the
  Decryption Policy group level.
The information in this section gives an overview of how the appliance matches
client requests to Decryption Policy groups. For more details about exactly how
the appliance matches client requests, see
.
The Web Proxy sequentially reads through each policy group in the policies table.
It compares the client request status to the membership criteria of the first policy
group. If they match, the Web Proxy applies the policy settings of that policy
group.
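The first-match evaluation described above, modeled as an added example (not Cisco code and not the appliance's implementation). The class names, field names and the sample table are assumptions constructed for illustration; an empty set for an advanced option is assumed to mean that option is not restricted.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Request:                    # client request after Identity assignment
    identity: str
    user: Optional[str]           # None when no user was authenticated
    proxy_port: int
    url_category: str

@dataclass
class PolicyGroup:                # hypothetical model of one row in the policies table
    name: str
    identity: str
    requires_auth: bool = False   # whether the assigned Identity requires authentication
    authorized_users: set = field(default_factory=set)
    proxy_ports: set = field(default_factory=set)       # empty = not restricted
    url_categories: set = field(default_factory=set)    # empty = not restricted

    def matches(self, req: Request) -> bool:
        if req.identity != self.identity:
            return False
        if self.requires_auth and req.user not in self.authorized_users:
            return False
        if self.proxy_ports and req.proxy_port not in self.proxy_ports:
            return False
        if self.url_categories and req.url_category not in self.url_categories:
            return False
        return True

def evaluate(table, req):
    """Read the table top to bottom; return the first matching group's name."""
    for group in table:
        if group.matches(req):
            return group.name
    return None                   # no group in this table matched

def shadowed(table, req):
    """Later groups that also match req but are never applied to it."""
    return [g.name for g in table if g.matches(req)][1:]

# Constructed sample table: the broad group sits above the narrower one.
TABLE = [
    PolicyGroup("staff-all", "Staff", True, {"alice", "bob"}),
    PolicyGroup("staff-finance", "Staff", True, {"alice"}, url_categories={"Finance"}),
    PolicyGroup("kiosk", "Kiosk", proxy_ports={3128}),
]

if __name__ == "__main__":
    req = Request("Staff", "alice", 3128, "Finance")
    print(evaluate(TABLE, req), shadowed(TABLE, req))
```

Because the first matching group wins, a narrower group placed below a broader one is never applied to requests the broader group already matches; `shadowed` lists such groups for a given request when reviewing table order.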