Cisco Web Security Appliance S170 User Guide
CHAPTER 10: DECRYPTION POLICIES
EVALUATING DECRYPTION POLICY GROUP MEMBERSHIP
After the Web Proxy assigns an Identity to a client request, it evaluates the request against the
other policy types to determine which policy group it belongs to for each type. When HTTPS
scanning is enabled, it evaluates HTTPS requests against the Decryption Policies. When HTTPS
scanning is not enabled, it evaluates HTTP requests against the Access Policies.
When an HTTPS request gets decrypted, the Web Proxy evaluates the decrypted request
against the Access Policies. For more information about how the Web Proxy evaluates Access
Policies, see “Evaluating Access Policy Group Membership” on page 152.
The Web Proxy applies the configured policy control settings to a client request based on the
client request’s policy group membership.
To determine the policy group that a client request matches, the Web Proxy follows a very
specific process for matching the group membership criteria. During this process, it considers
the following factors for group membership:
• Identity. Each client request either matches an Identity, fails authentication and is granted
guest access, or fails authentication and gets terminated. For more information about
evaluating Identity group membership, see “Evaluating Identity Group Membership” on
page 127.
• Authorized users. If the assigned Identity requires authentication, the user must be in the
list of authorized users in the Decryption Policy group to match the policy group.
• Advanced options. You can configure several advanced options for Decryption Policy
group membership. Some of the options (such as proxy port and URL category) can also
be defined within the Identity. When an advanced option is configured in the Identity, it is
not configurable at the Decryption Policy group level.
The information in this section gives an overview of how the appliance matches client
requests to Decryption Policy groups. For more details about exactly how the appliance
matches client requests, see “Matching Client Requests to Decryption Policy Groups” on
page 201.
The Web Proxy sequentially reads through each policy group in the policies table. It
compares the client request status to the membership criteria of the first policy group. If they
match, the Web Proxy applies the policy settings of that policy group.
If they do not match, the Web Proxy compares the client request to the next policy group. It
continues this process until it matches the client request to a user-defined policy group or,
if no user-defined policy group matches, to the global policy group. When the
Web Proxy matches the client request to a policy group or the global policy group, it applies
the policy settings of that policy group.
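The top-down, first-match evaluation described above can be modelled as follows. This is an added example, not Cisco code or appliance configuration syntax: the `Group` fields, group names, settings labels and sample request are constructed assumptions. It also flags groups that can never match because an earlier group in the table accepts a superset of their criteria.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Group attribute -> request field. Modelling assumption, not appliance config syntax.
CRITERIA = {"identities": "identity", "users": "user",
            "proxy_ports": "proxy_port", "url_categories": "url_category"}

@dataclass(frozen=True)
class Group:
    """One row of the policies table; None means the criterion is not restricted."""
    name: str
    settings: str
    identities: Optional[FrozenSet[str]] = None
    users: Optional[FrozenSet[str]] = None           # authorized users
    proxy_ports: Optional[FrozenSet[int]] = None     # advanced option
    url_categories: Optional[FrozenSet[str]] = None  # advanced option

def matches(group, request):
    """A request is a member only if every configured criterion accepts it."""
    return all(getattr(group, attr) is None or request.get(field) in getattr(group, attr)
               for attr, field in CRITERIA.items())

def evaluate(table, request, global_group):
    """Read the table top to bottom: first match wins, otherwise the global group."""
    for group in table:
        if matches(group, request):
            return group
    return global_group

def shadowed(table):
    """Groups that can never match because one earlier group accepts a superset."""
    def covers(early, late):
        return all(getattr(early, a) is None or
                   (getattr(late, a) is not None and getattr(late, a) <= getattr(early, a))
                   for a in CRITERIA)
    return [late.name for i, late in enumerate(table)
            if any(covers(early, late) for early in table[:i])]

# Constructed sample table and request; all names and settings are illustrative.
FIN = frozenset({"Finance"})
TABLE = [
    Group("finance-admins", "pass-through", identities=FIN, users=frozenset({"alice"})),
    Group("all-finance", "decrypt", identities=FIN),
    Group("finance-webmail", "drop", identities=FIN, url_categories=frozenset({"Webmail"})),
]
GLOBAL = Group("global", "decrypt")
REQUEST = {"identity": "Finance", "user": "bob", "proxy_port": 3128, "url_category": "Webmail"}
```

In the sample table, `finance-webmail` sits below the broader `all-finance` group, so its settings are never applied; moving it above `all-finance` makes it reachable.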
Matching Client Requests to Decryption Policy Groups
Figure 10-7 on page 202 shows how the Web Proxy evaluates a client request against the
Decryption Policy groups.