Access Policies best practices

Josh H
Level 1

Hello, I have a few questions about best practices for Access Policies.

This will be deployed as an explicit proxy. I have my Global Identity tied to NTLM auth and another identity for Windows Updates, determined by destination URLs.

I have set my Block/Monitor categories in Global Access Policy, as well as created custom categories "Blocked sites of approved categories" and an "Approved sites of blocked categories" which are included in my Global Access Policy and checked appropriately.

Some AD users or groups will be granted elevated privileges; for example, I need to allow johndoe to go to amazon.com while allowing marysmith to go to ebay.com. The IT AD group will also have access to the streaming video category.

I understand that Access Policies are processed top down and stop when a match is found.

So far I have created a custom category such as johndoe.allow, listing the sites they have access to.  Then I added an Access Policy for johndoe found in any identity and chose Advanced > URL Categories and chose the johndoe.allow category in the Advanced Membership Definition.

When I set up the access policy for the IT AD group, I did not click Advanced > URL Categories in the policy, but on the list of policies clicked on the section for URL Filtering and chose the appropriate categories.

Questions:

  1. How does choosing a category in Advanced > URL Categories inside a policy differ from the URL Filtering section in the list of policies?
  2. What is the best order to place Access Policies in, if a user may be part of an AD group?  So far I have users then AD groups.  I need johndoe to end up with his individual access, as well as his AD group's access, if possible.
  3. Is my approach of creating a custom category for each user flawed?  Instead should I have created an amazon.com category, an ebay.com category, and given users access to those as needed?
  4. We have a Shoppers AD group which we place people in to give them Shopping category.  These staff are from all different parts of the company so I can't set any other specific access based on that, just need to add Shopping to any other access they may get from other AD group or Global.

 

Thank you for reading and offering any insight.
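
Added example (not part of the original post and not the appliance's own logic): a small Python model of the top-down, first-match evaluation the post describes, used to audit a policy order for group grants that an earlier per-user policy shadows. It assumes each policy carries its own complete set of allowed categories; the `marysmith.allow` category, the user `bob` and the AD group memberships are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    users: set = field(default_factory=set)    # individual AD users
    groups: set = field(default_factory=set)   # AD groups
    allow: set = field(default_factory=set)    # categories this policy allows
    catch_all: bool = False                    # Global policy matches everyone

    def matches(self, user, user_groups):
        return self.catch_all or user in self.users or bool(self.groups & user_groups)

def first_match(policies, user, user_groups):
    """Top-down evaluation: return the first policy the user belongs to."""
    for p in policies:
        if p.matches(user, user_groups):
            return p
    raise LookupError("no catch-all policy at the bottom of the list")

def shadowed_grants(policies, user, user_groups):
    """Categories that later matching policies allow but the effective one does not."""
    hit = first_match(policies, user, user_groups)
    lost = {}
    for p in policies[policies.index(hit) + 1:]:
        if p.matches(user, user_groups) and not p.catch_all:
            missing = p.allow - hit.allow
            if missing:
                lost[p.name] = missing
    return hit.name, lost

# Constructed sample mirroring the post's order: users, then AD groups, then Global.
POLICIES = [
    Policy("johndoe", users={"johndoe"}, allow={"johndoe.allow"}),
    Policy("marysmith", users={"marysmith"}, allow={"marysmith.allow"}),
    Policy("IT", groups={"IT"}, allow={"Streaming Video"}),
    Policy("Shoppers", groups={"Shoppers"}, allow={"Shopping"}),
    Policy("Global", catch_all=True),
]
AD = {"johndoe": {"IT", "Shoppers"}, "marysmith": {"Shoppers"}, "bob": {"IT"}}

def audit(policies=POLICIES, directory=AD):
    """Map each user to (effective policy, {shadowed policy: lost categories})."""
    return {u: shadowed_grants(policies, u, g) for u, g in directory.items()}

if __name__ == "__main__":
    for user, (hit, lost) in audit().items():
        print(user, "->", hit, "| shadowed:", lost or "none")
```

In this model, a user who matches a per-user policy receives only that policy's categories, so any group access they should keep has to be repeated in the per-user policy.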

 
