889 Views | 0 Helpful | 5 Replies

Web Access Policies

thomascollins
Level 3

I'm having difficulties setting up somewhat complex web access policies, and just wanted to see if I'm missing anything.

I'm converting from a NetCache web proxy. It allowed me to write specific text based ACLs, that were processed in order.

For example:
allow user bill url www.whatever.com
allow user steve category gambling

But now with IronPort web access categories, it appears to not be that simple. Since I have to write a Web Access Policy for each user, I must also apply the entire set of categories to that policy.

So let's say policy #1 is designed to allow some users to banking sites. Policy #2 is designed to allow some users to news sites. And then lastly I have my global policy which defines our categories for everyone.

Policy #1 would Allow banking, and the rest would be set to "use global". Policy #2 would allow news, and the rest would be set to "use global".

If a user is in the group for both policy #1 and policy #2, they would be blocked from news sites. Since they matched policy #1, and it said to use global (which blocked news), they would be blocked. They would never get a chance to match policy #2, which would have allowed them to news sites.

I'm guessing I can solve this using a combination of usernames and "Members Accessing URL Categories" in the policy definition. So I'm about to test that now.

But overall I just wanted to add some feedback that this web access policy seems a bit cumbersome for complex policies. Before if I wanted to allow a single user access to a single site (with a NetCache) it was a one line text statement. Now it appears that it would require a rather complex "web access policy".

Or am I missing something?

5 Replies

jowolfer
Level 1

You are correct that for this type of policy, you would need to specify a policy group for each user individually, instead of the way you were doing it with the NetCache.

We're always looking for feedback on how to make the WSA better. I've forwarded this post to our product management team. Please inform your sales representative of this as well.

angfeglandagan
Level 1

Yup, individual policies should be defined.

I tried an S650 with 75 policies to date, and it works perfectly fine.

The firmware should be the latest, to avoid crawling up on the appliance.

I believe that we have achieved what you are referring to on our S650 with the existing policy sets. Our web access policies read something along the lines of "Allow downloads", "Allow web based email", "Allow Custom Facebook", with each of these policies having their categories set accordingly.

Each policy is tied to an AD group. If I place a user in two groups, such as "Allow Downloads" and "Allow Web Based Email", they can get to both categories. Is this what you are trying to achieve?

The doco states that the policy list processes like an ACL and "jumps out" at the first match. However, if you find the flow chart for policy matching I think you'll find that it actually matches on "site trying to access" first, rather than "is this user in this policy". This confused me for some time too.

If this is what you're looking to set up, I can elaborate on how we've done it if you like?

I am curious if this setup really works. I can't seem to get my head around it. If I follow this, there are 2 policies set up, one for Webmail and one for Facebook, both with AD groups. So if user A is in the webmail AD group, that rule would be satisfied and they would have access to webmail. So far so good, but what if user A is in the AD webmail AND Facebook group? When user A went to Facebook, wouldn't the first policy be true and deny access?

JennieMorton
Level 1

Don't forget that the first thing the WSA matches on are the Identities. The request is assigned the first Identity that it matches. Then the Access Policies are evaluated, and the first Access Policy that has that Identity and configured user or user group is the policy defined. So the order of your policies matters. If you have multiple policies (either Identities or Access Policies) that apply to a particular user, only the topmost one will ever match.

As for the flow charts, make sure to pay attention to which flow chart you're looking at. For each policy type, there is one for policy membership, and then another for control settings (what we do to the request). Membership is always determined first, and then once a policy is matched, the appropriate control settings are applied.
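A small model of the first-match evaluation described in this thread (the topmost Access Policy whose group list contains the user wins, and a category set to "use global" inherits the Global Policy's action). This is an added example, not code from the thread or from Cisco; the policy names, AD group names and categories are constructed, and it assumes a policy matches a user who is in any one of its listed groups.

```python
# Global Policy category actions (constructed sample values)
GLOBAL = {"banking": "block", "news": "block", "gambling": "block"}

# Each Access Policy: (name, AD groups that confer membership, per-category action)
# An action of "global" means the category is set to "use global".
ORIGINAL_ORDER = [
    ("Policy 1 - banking", {"grp-banking"},
     {"banking": "allow", "news": "global", "gambling": "global"}),
    ("Policy 2 - news", {"grp-news"},
     {"banking": "global", "news": "allow", "gambling": "global"}),
]

# Remedy modelled here: a dedicated AD group for users who need both
# categories, matched by a policy placed ABOVE the single-purpose ones.
# Listing both grp-banking and grp-news in one policy would not do, because
# (by the any-group assumption) it would also hand news to banking-only users.
FIXED_ORDER = [
    ("Policy 0 - banking+news", {"grp-banking-and-news"},
     {"banking": "allow", "news": "allow", "gambling": "global"}),
] + ORIGINAL_ORDER


def match_policy(user_groups, policies):
    """Return the first (topmost) policy whose group list intersects the user's
    groups; a user matching no policy falls through to the Global Policy."""
    for name, groups, rules in policies:
        if user_groups & groups:
            return name, rules
    return "Global Policy", {}


def decide(user_groups, category, policies):
    """Return (policy that matched, final action) for one request."""
    name, rules = match_policy(user_groups, policies)
    action = rules.get(category, "global")
    if action == "global":          # "use global" inherits the Global Policy
        action = GLOBAL[category]
    return name, action


if __name__ == "__main__":
    both = {"grp-banking", "grp-news"}
    # Problem from the original post: membership in both groups, news blocked
    print(decide(both, "news", ORIGINAL_ORDER))
    # With the dedicated group and policy ordered first, news is allowed
    print(decide(both | {"grp-banking-and-news"}, "news", FIXED_ORDER))
    # A news-only user still reaches Policy 2 in either ordering
    print(decide({"grp-news"}, "news", FIXED_ORDER))
```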
