Cisco Cisco Web Security Appliance S170 사용자 가이드
172
I R O N P O R T A S Y N C O S 6 . 5 F O R W E B U S E R G U I D E
E V A L U A T I N G A C C E S S PO L I C Y G R O U P M E M B E R S H I P
After the Web Proxy assigns an Identity to a client request, the Web Proxy evaluates the
request against the other policy types to determine which policy group it belongs for each
type. When the HTTPS Proxy is enabled, the Web Proxy applies HTTP and decrypted HTTPS
requests against the Access Policies. When the HTTPS Proxy is not enabled, by default, the
Web Proxy evaluates HTTP and all HTTPS requests against the Access Policies.
request against the other policy types to determine which policy group it belongs for each
type. When the HTTPS Proxy is enabled, the Web Proxy applies HTTP and decrypted HTTPS
requests against the Access Policies. When the HTTPS Proxy is not enabled, by default, the
Web Proxy evaluates HTTP and all HTTPS requests against the Access Policies.
The Web Proxy applies the configured policy control settings to a client request based on the
client request’s policy group membership.
client request’s policy group membership.
To determine the policy group that a client request matches, the Web Proxy follows a very
specific process for matching the group membership criteria. During this process, it considers
the following factors for group membership:
specific process for matching the group membership criteria. During this process, it considers
the following factors for group membership:
• Identity. Each client request either matches an Identity, fails authentication and is granted
guest access, or fails authentication and gets terminated. For more information about
evaluating Identity group membership, see “Evaluating Identity Group Membership” on
page 147.
evaluating Identity group membership, see “Evaluating Identity Group Membership” on
page 147.
• Authorized users. If the assigned Identity requires authentication, the user must be in the
list of authorized users in the Access Policy group to match the policy group. The list of
authorized users can be any of the specified groups or users or guest users if the Identity
allows guest access.
authorized users can be any of the specified groups or users or guest users if the Identity
allows guest access.
• Advanced options. You can configure several advanced options for Access Policy group
membership. Some of the options (such as proxy port, and URL category) can also be
defined within the Identity. When an advanced option is configured in the Identity, it is
not configurable in the Access Policy group level.
defined within the Identity. When an advanced option is configured in the Identity, it is
not configurable in the Access Policy group level.
The information in this section gives an overview of how the Web Proxy matches client
requests to Access Policy groups. For more details about exactly how the Web Proxy matches
client requests, see “Matching Client Requests to Access Policy Groups” on page 172.
requests to Access Policy groups. For more details about exactly how the Web Proxy matches
client requests, see “Matching Client Requests to Access Policy Groups” on page 172.
The Web Proxy sequentially reads through each policy group in the policies table. It
compares the client request status to the membership criteria of the first policy group. If they
match, the Web Proxy applies the policy settings of that policy group.
compares the client request status to the membership criteria of the first policy group. If they
match, the Web Proxy applies the policy settings of that policy group.
If they do not match, the Web Proxy compares the client request to the next policy group. It
continues this process until it matches the client request to a user defined policy group, or if it
does not match a user defined policy group, it matches the global policy group. When the
Web Proxy matches the client request to a policy group or the global policy group, it applies
the policy settings of that policy group.
continues this process until it matches the client request to a user defined policy group, or if it
does not match a user defined policy group, it matches the global policy group. When the
Web Proxy matches the client request to a policy group or the global policy group, it applies
the policy settings of that policy group.
Matching Client Requests to Access Policy Groups
Figure 9-1 on page 173 shows how the Web Proxy evaluates a client request against the
Access Policy groups.
Access Policy groups.