Cisco Web Security Appliance S170 User Guide

IronPort AsyncOS 6.3 for Web User Guide
Access Policies Overview
AsyncOS for Web uses multiple web security features in conjunction with its Web Proxy and 
DVS engine to control web traffic, protect networks from web-based threats, and enforce 
organization acceptable use policies. You can define policies that determine which HTTP 
connections are allowed and blocked.
To configure the appliance to handle HTTP requests, perform the following tasks:
1. Enable the Web Proxy. To allow or block HTTP traffic, you must first enable the Web 
Proxy. Usually, the Web Proxy is enabled during the initial setup using the System Setup 
Wizard. For more information, see “Configuring the Web Proxy” on page 70.
2. Create and configure Access Policy groups. After the Web Proxy is enabled, you create 
and configure Access Policy groups to determine how to handle each request from each 
user. For more information, see “Access Policy Groups” on page 150.
Access Policy Groups
Access Policies define how the Web Proxy handles HTTP GET requests and decrypted HTTPS 
connections for network users. You can apply different actions to specified groups of users. 
You can also specify which ports the Web Proxy monitors for HTTP transactions. 
Note — HTTP PUT and POST requests are handled by IronPort Data Security and External 
DLP Policies. For more information, see “Data Security and External DLP Policies Overview” 
on page 214.
When the Web Proxy receives an HTTP request on a monitored port or a decrypted HTTPS 
connection, it compares the request to the Access Policy groups to determine which Access 
Policy group to apply. After it assigns the request to an Access Policy group, it can determine 
what to do with the request. For more information about evaluating policy group 
membership, see “Policy Group Membership” on page 113.
The Web Proxy can perform any of the following actions on an HTTP request or decrypted 
HTTPS connection:
• Allow. The Web Proxy permits the connection without interruption. Allowed connections 
may not have been scanned by the DVS engine. 
• Block. The Web Proxy does not permit the connection and instead displays an end user 
notification page explaining the reason for the block.
• Redirect. The Web Proxy does not allow the connection to the originally requested 
destination server and instead connects to a different specified URL. You might want to 
redirect traffic at the appliance if your organization published the links to an internal site, 
but the location of the site changed since publication, or if you do not have control over 
the web server. For more information about redirecting traffic, see “Redirecting Traffic” on 
page 284.