I'm having difficulties setting up somewhat complex web access policies, and just wanted to see if I'm missing anything.
I'm converting from a NetCache web proxy. It allowed me to write specific text-based ACLs that were processed in order.
allow user bill url www.whatever.com
allow user steve category gambling
But now with IronPort web access categories, it appears to not be that simple. Since I have to write a Web Access Policy for each user, I must also apply the entire set of categories to that policy.
So let's say policy #1 is designed to allow some users to banking sites. Policy #2 is designed to allow some users to news sites. And then lastly I have my global policy which defines our categories for everyone.
Policy #1 would Allow banking, and the rest would be set to "use global". Policy #2 would allow news, and the rest would be set to "use global".
If a user is in the group for both policy #1 and policy #2, they would be blocked from news sites. Since they matched policy #1, and it said to use global (which blocked news), they would be blocked. They would never get a chance to match policy #2, which would have allowed them to news sites.
I'm guessing I can solve this using a combination of usernames and "Members Accessing URL Categories" in the policy definition. So I'm about to test that now.
But overall I just wanted to add some feedback that this web access policy seems a bit cumbersome for complex policies. Before, if I wanted to allow a single user access to a single site (with a NetCache), it was a one-line text statement. Now it appears that it would require a rather complex "web access policy".
Or am I missing something?
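
The first-match behaviour described in the post, as an added example that is not part of the original post and is not IronPort code: a simplified Python model of ordered policies whose categories fall back to "use global". The group names, the category set and the `only_categories` membership scoping (standing in for the "Members Accessing URL Categories" idea the poster plans to test) are assumptions made for illustration.

```python
# Simplified model of first-match policy evaluation as the post describes it.
# Constructed sample data; not the appliance's own logic or configuration format.

GLOBAL = {"banking": "block", "news": "block", "search": "allow"}

def policy(name, group, actions, only_categories=None):
    # only_categories (hypothetical field): policy membership applies only to
    # requests in these URL categories; None means it applies to every request.
    return {"name": name, "group": group, "actions": actions,
            "only_categories": only_categories}

def evaluate(policies, user_groups, category):
    """Return (name of the policy that matched, final action) for one request."""
    for p in policies:
        if p["group"] not in user_groups:
            continue
        # Assumed scoping: skip the policy when the request's category is outside it.
        if p["only_categories"] is not None and category not in p["only_categories"]:
            continue
        # First match wins: later policies are never consulted.
        action = p["actions"].get(category, "use global")
        if action == "use global":
            action = GLOBAL.get(category, "block")
        return p["name"], action
    return "global", GLOBAL.get(category, "block")

# The two policies from the post: everything not listed is "use global".
UNSCOPED = [
    policy("policy1", "bankers", {"banking": "allow"}),
    policy("policy2", "newsreaders", {"news": "allow"}),
]

# Same policies, each scoped to the one category it is meant to open up.
SCOPED = [
    policy("policy1", "bankers", {"banking": "allow"}, only_categories={"banking"}),
    policy("policy2", "newsreaders", {"news": "allow"}, only_categories={"news"}),
]

if __name__ == "__main__":
    both = {"bankers", "newsreaders"}  # user who is in both groups
    for label, pols in (("unscoped", UNSCOPED), ("scoped", SCOPED)):
        for cat in ("banking", "news", "search"):
            print(label, cat, evaluate(pols, both, cat))
```

In the unscoped set the user in both groups stops at policy1 for a news request and inherits the global block; in the scoped set the same request skips policy1 and is allowed by policy2.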