topic deny Access to all in Web Security

deny Access to all

iske_2 — Tue, 25 Oct 2011 13:10:41 GMT

Hi,

I've managed to add an Identity ldap and an Access Policy that requires authentication of Members in the group cn=internet.

If a User is NOT in group cn=internet but exists in LDAP, the User is getting Internet access. I need to disable Internet Access to all

Users NOT in Group cn=internet.

Trace is: DETAILS: DefaultGroup "Access"

How do I disable Access for the DefaultGroup ? I can't find a DefaultGroup anywhere.

Thank You

Uli

Re: deny Access to all

Ken Stieers — Tue, 25 Oct 2011 14:57:39 GMT

Go to the Global Policy in Web Security Manager>Access Policies and set it to block everything, then above that create a policy for group cn=Internet that allows internet users to go where ever they're allowed...

Edit: That will cause a little havoc with stuff that doesn't usually authenticate (Outlook, Windows Activation stuff, etc., so plan for that...)

deny Access to all

iske_2 — Wed, 26 Oct 2011 06:30:04 GMT

This is a change from Bluecoat to Ironport, we already have the authentication Stuff configured.

Access Group noAuth and added the CustomURL's. There's a little cosmetic issue. There is a

Error Message Proxy_Auth_Required. I'd like the user to see that instead of something like

'Your request has been blocked by Company Rules'.

deny Access to all

Ken Stieers — Mon, 31 Oct 2011 19:48:09 GMT

Hmm, I see what you mean...

I think you'll need somthing like this:

In Access Policies:

non auth agents (Outlook/Windows activation, etc...) --> allowed

authed users in cn=Internet group --> allowed

authed users not in group --> blocked

Global policy --> everything blocked

Go to Network/Authentication and set "Action if Authentication Service Unavailable" to Permit

Go to Web Security Manager/Identities, and in the Global Identity Policy, turn on Guest Privledges.