Cisco Cisco Web Security Appliance S660 Guida Utente
C R E A T I N G A C C E S S P O L I C I E S
C H A P T E R 8 : A C C E S S P O L I C I E S
155
7. To define policy group membership by any of the advanced options, click the link for the
advanced option and configure the option on the page that appears.
Table 8-1 describes the advanced options you can configure for Access Policy groups.
Table 8-1 Access Policy Group Advanced Options
Advanced Option
Description
Protocols
Choose whether or not to define policy group membership by the
protocol used in the client request. Select the protocols to include.
“All others” means any protocol not listed above this option.
Note: When HTTPS scanning is enabled, only Decryption Policies apply
to HTTPS transactions. You cannot define policy membership by the
HTTPS protocol for Access, Routing, or IronPort Data Security Policies.
protocol used in the client request. Select the protocols to include.
“All others” means any protocol not listed above this option.
Note: When HTTPS scanning is enabled, only Decryption Policies apply
to HTTPS transactions. You cannot define policy membership by the
HTTPS protocol for Access, Routing, or IronPort Data Security Policies.
Proxy Ports
Choose whether or not to define policy group membership by the proxy
port used to access the Web Proxy. Enter one or more port numbers in
the Proxy Ports field. Separate multiple ports with commas.
For explicit forward connections, this is the port configured in the
browser. For transparent connections, this is the same as the destination
port. You might want to define policy group membership on the proxy
port if you have one set of clients configured to explicitly forward
requests on one port, and another set of clients configured to explicitly
forward requests on a different port.
IronPort recommends only defining policy group membership by the
proxy port when the appliance is deployed in explicit forward mode, or
when clients explicitly forward requests to the appliance. When you
define policy group membership by the proxy port when client requests
get transparently redirected to the appliance, some requests might be
denied.
Note: If the Identity associated with this policy group defines Identity
membership by this advanced setting, the setting is not configurable at
the non-Identity policy group level.
port used to access the Web Proxy. Enter one or more port numbers in
the Proxy Ports field. Separate multiple ports with commas.
For explicit forward connections, this is the port configured in the
browser. For transparent connections, this is the same as the destination
port. You might want to define policy group membership on the proxy
port if you have one set of clients configured to explicitly forward
requests on one port, and another set of clients configured to explicitly
forward requests on a different port.
IronPort recommends only defining policy group membership by the
proxy port when the appliance is deployed in explicit forward mode, or
when clients explicitly forward requests to the appliance. When you
define policy group membership by the proxy port when client requests
get transparently redirected to the appliance, some requests might be
denied.
Note: If the Identity associated with this policy group defines Identity
membership by this advanced setting, the setting is not configurable at
the non-Identity policy group level.
Subnets
Choose whether or not to define policy group membership by subnet or
other addresses.
You can choose to use the addresses that may be defined with the
associated Identity, or you can enter specific addresses here.
Note: If the Identity associated with this policy group defines its
membership by addresses, then in this policy group you must enter
addresses that are a subset of the Identity’s addresses. Adding addresses
in the policy group further narrows down the list of transactions that
match this policy group.
other addresses.
You can choose to use the addresses that may be defined with the
associated Identity, or you can enter specific addresses here.
Note: If the Identity associated with this policy group defines its
membership by addresses, then in this policy group you must enter
addresses that are a subset of the Identity’s addresses. Adding addresses
in the policy group further narrows down the list of transactions that
match this policy group.