Cisco Web Security Appliance S170 User Guide
EVALUATING IDENTITY GROUP MEMBERSHIP
CHAPTER 8: IDENTITIES
When a client sends a request to a server, the Web Proxy receives the request, evaluates it,
and determines to which Identity group it belongs.
To determine the Identity group that a client request matches, the Web Proxy follows a very
specific process for matching the Identity group membership criteria. During this process, it
considers the following factors for group membership:
• Subnet. The client subnet must match the list of subnets in a policy group.
• Protocol. The protocol used in the transaction, either HTTP/HTTPS or native FTP.
• Port. The proxy port of the request must be in the Identity group’s list of ports, if any are
listed. For explicit forward connections, this is the port configured in the browser. For
transparent connections, this is the same as the destination port.
You might want to define Identity group membership on the proxy port if you have one set
of clients configured to explicitly forward requests on one port, and another set of clients
configured to explicitly forward requests on a different port.
Note: IronPort recommends defining Identity group membership by the proxy port only
when the appliance is deployed in explicit forward mode, or when clients explicitly
forward requests to the appliance. If you define Identity group membership by the
proxy port when client requests are transparently redirected to the appliance, some
requests might be erroneously denied.
• User agent. The user agent making the request must be in the Identity group’s list of user
agents, if any are listed. You might want to group by user agent when some user agents
cannot handle authentication and you want to create an Identity that does not require
authentication for them.
• URL category. The URL category of the request URL must be in the Identity group’s list of
URL categories, if any are listed. You might want to group by URL destination category if
you create different authentication groups based on URL categories and want to apply
them to users depending on the website categorization.
• Authentication requirements. If the Identity group requires authentication, the client
authentication credentials must match the Identity group’s authentication requirements.
For more information about how authentication works with Identity groups, see “How
Authentication Affects Identity Groups” on page 148.
The information in this section gives an overview of how the appliance matches client
requests to Identity groups. For more details on exactly how the appliance matches client
requests, see “Matching Client Requests to Identity Groups” on page 152.
The Web Proxy sequentially reads through each Identity group in the Identity policies table. It
compares the client request status to the membership criteria of the first Identity group. If they
match, the Web Proxy assigns the Identity group to the transaction.
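The sequential, first-match evaluation described above can be modeled as follows. This is an added illustration, not code from the appliance or from Cisco; it leaves out the authentication criterion, and the group names, sample requests, substring user-agent matching, the treatment of an empty criterion as "not listed", and the `None` result when nothing matches are all assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class IdentityGroup:
    name: str
    subnets: tuple = ()        # assumption: empty means "not listed", matches any
    protocols: tuple = ()      # "http" (HTTP/HTTPS) or "ftp" (native FTP)
    ports: tuple = ()          # proxy ports
    user_agents: tuple = ()    # assumption: substrings of the User-Agent header
    url_categories: tuple = ()

    def matches(self, req: dict) -> bool:
        """A listed criterion must match; an unlisted one is skipped."""
        ip = ipaddress.ip_address(req["client_ip"])
        if self.subnets and not any(ip in ipaddress.ip_network(s) for s in self.subnets):
            return False
        if self.protocols and req["protocol"] not in self.protocols:
            return False
        if self.ports and req["proxy_port"] not in self.ports:
            return False
        if self.user_agents and not any(u in req["user_agent"] for u in self.user_agents):
            return False
        if self.url_categories and req["url_category"] not in self.url_categories:
            return False
        return True

def assign_identity(table, req):
    """Walk the table in order; the first matching group wins, else None."""
    for group in table:
        if group.matches(req):
            return group.name
    return None

# Constructed policy table and requests (hypothetical, not from a real appliance).
TABLE = [
    IdentityGroup("NoAuthUpdaters", subnets=("10.1.0.0/16",), user_agents=("UpdaterBot",)),
    IdentityGroup("ExplicitPort3128", subnets=("10.1.0.0/16",), ports=(3128,)),
    IdentityGroup("Finance", subnets=("10.1.20.0/24",), url_categories=("Finance",)),
]
BASE = {"client_ip": "10.1.20.7", "protocol": "http", "proxy_port": 3128,
        "user_agent": "Mozilla/5.0", "url_category": "Finance"}
EXPLICIT = dict(BASE)                      # browser configured to use port 3128
TRANSPARENT = dict(BASE, proxy_port=80)    # redirected: proxy port == destination port
UPDATER = dict(BASE, user_agent="UpdaterBot/2.1")
```

The same client lands in a different Identity group once its traffic is transparently redirected, because the proxy port becomes the destination port and no longer matches the port-based group. This is the mismatch the note on proxy-port membership warns about.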