Cisco Cisco Web Security Appliance S360 Guía Del Usuario
Chapter 7 Identities
Evaluating Identity Group Membership
7-2
Cisco IronPort AsyncOS 7.1 for Web User Guide
OL-23207-01
Identities are the only policy where you define whether or not authentication is
required to access the web. However, Identities do not specify a list of users who
are authorized (allowed) to access the web. You specify authorized users in the
other (non-Identity) policy types.
required to access the web. However, Identities do not specify a list of users who
are authorized (allowed) to access the web. You specify authorized users in the
other (non-Identity) policy types.
All other policy types use an Identity as the basis to determine which policy group
applies to the transaction. That means you can create a single Identity and use it
multiple times in the non-Identity policy groups.
applies to the transaction. That means you can create a single Identity and use it
multiple times in the non-Identity policy groups.
You might want to group the following types of users or machines:
•
A group of machine addresses in a test lab. You can create a Routing Policy
with this Identity so requests from these machines are fetched directly from
the destination server.
with this Identity so requests from these machines are fetched directly from
the destination server.
•
All authenticated users based on the All Realms authentication sequence.
You can create a single Access Policy using this Identity, or you can create a
different Access Policy for each authentication realm and configure different
control settings for users in each realm.
You can create a single Access Policy using this Identity, or you can create a
different Access Policy for each authentication realm and configure different
control settings for users in each realm.
•
Users accessing the Web Security appliance on a particular proxy port.
You can create a Routing Policy using this Identity that fetches content from
a particular external proxy for requests that explicitly connect to the
appliance on a particular proxy port.
You can create a Routing Policy using this Identity that fetches content from
a particular external proxy for requests that explicitly connect to the
appliance on a particular proxy port.
•
All subnets trying to access a website in a user defined URL category do
not require authentication. You can create an Access Policy using this
Identity to exempt requests to particular destinations from authentication.
You might want to do this for Windows update servers.
not require authentication. You can create an Access Policy using this
Identity to exempt requests to particular destinations from authentication.
You might want to do this for Windows update servers.
Define Identities on the Web Security Manager > Identities page. For more
information about creating Identities, see
information about creating Identities, see
.
Evaluating Identity Group Membership
When a client sends a request to a server, the Web Proxy receives the request,
evaluates it, and determines to which Identity group it belongs.
evaluates it, and determines to which Identity group it belongs.
To determine the Identity group that a client request matches, the Web Proxy
follows a very specific process for matching the Identity group membership
criteria. During this process, it considers the following factors for group
membership:
follows a very specific process for matching the Identity group membership
criteria. During this process, it considers the following factors for group
membership:
•
Subnet. The client subnet must match the list of subnets in a policy group.