Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 12 Decryption Policies
Evaluating Decryption Policy Group Membership
• All other error types. Most other error types are due to the appliance not being able to complete
the SSL handshake with the HTTPS server. For more information about additional error scenarios
for server certificates, see http://www.openssl.org/docs/apps/verify.html.
Note
When a certificate is both expired and has an unrecognized root authority, the Web Security
appliance performs the action specified for an unrecognized root authority.
For more information about handling invalid server certificates, see
.
Step 11
Submit and commit your changes.
Evaluating Decryption Policy Group Membership
After the Web Proxy assigns an Identity to a client request, it evaluates the request against the other
policy types to determine which policy group it belongs to for each type. When the HTTPS Proxy is
enabled, it evaluates HTTPS requests against the Decryption Policies. When the HTTPS Proxy is not
enabled, it evaluates HTTP requests against the Access Policies.
When an HTTPS request gets decrypted, the Web Proxy evaluates the decrypted request against the
Access Policies. For more information about how the Web Proxy evaluates Access Policies, see
The Web Proxy applies the configured policy control settings to a client request based on the client
request’s policy group membership.
To determine the policy group that a client request matches, the Web Proxy follows a specific process
for matching the group membership criteria. During this process, it considers the following factors for
group membership:
• Identity. Each client request either matches an Identity, fails authentication and is granted guest
access, or fails authentication and gets terminated. For more information about evaluating Identity
group membership, see
.
• Authorized users. If the assigned Identity requires authentication, the user must be in the list of
authorized users in the Decryption Policy group to match the policy group.
• Advanced options. You can configure several advanced options for Decryption Policy group
membership. Some of the options (such as proxy port and URL category) can also be defined within
the Identity. When an advanced option is configured in the Identity, it is not configurable at the
Decryption Policy group level.
The information in this section gives an overview of how the appliance matches client requests to
Decryption Policy groups. For more details about exactly how the appliance matches client requests, see
The Web Proxy sequentially reads through each policy group in the policies table. It compares the client
request status to the membership criteria of the first policy group. If they match, the Web Proxy applies
the policy settings of that policy group.
If they do not match, the Web Proxy compares the client request to the next policy group. It continues
this process until it matches the client request to a user-defined policy group. If it does not match a
user-defined policy group, it matches the global policy group. When the Web Proxy matches the client
request to a policy group or the global policy group, it applies the policy settings of that policy group.
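
The first-match evaluation described above can be modeled to audit a policies table for groups that an earlier, broader group hides. This is an added example, not Cisco code: the class names, field names, actions and sample table are constructed for illustration, and the authentication requirement is simplified to a flag on the group.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Request:
    identity: str            # Identity already assigned by the Web Proxy
    user: Optional[str]      # None for guest/unauthenticated traffic
    proxy_port: int
    url_category: str

@dataclass
class PolicyGroup:
    name: str
    identity: str
    action: str                                   # constructed label, e.g. "decrypt"
    identity_requires_auth: bool = False          # simplification: really set on the Identity
    authorized_users: set = field(default_factory=set)
    proxy_ports: set = field(default_factory=set)       # empty set = any port
    url_categories: set = field(default_factory=set)    # empty set = any category

    def matches(self, req: Request) -> bool:
        """Apply the membership factors: Identity, authorized users, advanced options."""
        if req.identity != self.identity:
            return False
        if self.identity_requires_auth and req.user not in self.authorized_users:
            return False
        if self.proxy_ports and req.proxy_port not in self.proxy_ports:
            return False
        if self.url_categories and req.url_category not in self.url_categories:
            return False
        return True

GLOBAL = PolicyGroup("Global Policy", identity="*", action="monitor")

def evaluate(table, req):
    """Read the table top to bottom; the first matching group wins, else the global group."""
    for group in table:
        if group.matches(req):
            return group
    return GLOBAL

def shadowed_by(table, req):
    """Names of groups that also match req but never apply because an earlier group won."""
    winner = evaluate(table, req)
    return [g.name for g in table if g is not winner and g.matches(req)]

# Constructed sample: the broad "Staff" group sits above the narrower "Finance" group.
TABLE = [
    PolicyGroup("Staff", "corp", "decrypt"),
    PolicyGroup("Finance", "corp", "pass-through", True, {"alice"}, url_categories={"Finance"}),
]
REQ = Request("corp", "alice", 3128, "Finance")
```

Because the order of the table decides the outcome, placing the narrower group first changes which settings apply to the same request.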