Cisco Web Security Appliance S170 User Guide
Chapter 6 Working with Policies
Policy Group Membership
6-12
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
– A visitor comes to the office and needs to be granted restrictive Internet
access, but is not in the corporate user directory.
For more information on configuring guest access, see
• Authorization. A user might authenticate correctly, but not be granted access
to the web due to the applicable Access Policy. In this case, you can allow the
user to re-authenticate with more privileged credentials. To do this, enable the
“Enable Re-Authentication Prompt If End User Blocked by URL Category or
User Session Restriction” global authentication setting. For more
information, see
.
Working with All Identities
You can create a policy group that specifies “All Identities” as the configured
Identity group. “All Identities” applies to every valid client request because, by
definition, every request either succeeds and has a user-defined or global Identity
assigned to it, or is terminated because it fails authentication (and no guest access
was provided for users failing authentication).
When you create a policy group that uses All Identities, you must configure at
least one advanced option to distinguish the policy group from the global policy
group.
Typically, you use All Identities in a policy while also configuring an advanced
option, such as a particular user agent or destination (using a custom URL
category). This allows you to create a single rule that makes an exception for a
specific case instead of creating multiple rules to make the same exception.
For example, you can create an Access Policy group whose
membership applies to All Identities and a custom URL category for all intranet
pages. Then you can configure the Access Policy control settings to disable
anti-malware filtering and Web Reputation scoring.
Policy Group Membership Rules and Guidelines
Consider the following rules and guidelines when defining policy group
membership:
• The Web Proxy evaluates Identity groups before the other policy types.