Is it possible to create either an Identity or Access Policy scoped to a group of AD computer objects? We currently restrict a group of workstations by adding their IPs to an identity. This is cumbersome, as the IPs need to be reserved ahead of time and explicitly added to the WSA identity. It would be much easier if we could associate it with an AD group where we could delegate some permission to modify that group as access needs to be restricted. Thoughts?
Please find my inputs below -
1. Active Directory can be integrated with WSA. Steps to integrate are given in the user guide -
2. Once the AD is integrated, WSA can pull group information from WSA; these groups can be leveraged in the access policies to apply restrictions.
3. Click on the group hyperlink and WSA will display the group information.
You can put all these computers in a group on AD and call the group or individual usernames in the access/decryption policies. Whenever these systems try to go out the network on 80/443, the WSA will be able to match the policies you set for them.
I have tried that in the past and it doesn't seem to work. To be clear, I'm talking about adding Computer objects to the group, not user objects. The WSA only seems to be able to look at the logged-in user. The computer name never shows up anywhere in the logs. Are you sure the WSA has this capability? User identification has always worked as expected via Kerberos.
Confirms what I'm seeing and means that the WSA cannot do what I had hoped. I would think others may benefit from that feature so maybe an enhancement down the road?
You are right, I was talking about user objects. Let me check if I can file an FR for you.