deny Access to all

iske_2
Level 1

Hi,

I've managed to add an Identity ldap and an Access Policy that requires authentication of Members in the group cn=internet.

If a User is NOT in group cn=internet but exists in LDAP, the User is getting Internet access. I need to disable Internet Access to all Users NOT in Group cn=internet.

Trace is: DETAILS: DefaultGroup "Access"

How do I disable Access for the DefaultGroup? I can't find a DefaultGroup anywhere.

Thank You

Uli

3 Replies

Go to the Global Policy in Web Security Manager > Access Policies and set it to block everything, then above that create a policy for group cn=Internet that allows internet users to go wherever they're allowed...

Edit: That will cause a little havoc with stuff that doesn't usually authenticate (Outlook, Windows Activation stuff, etc.), so plan for that...

This is a change from Bluecoat to Ironport, we already have the authentication Stuff configured.

Access Group noAuth and added the CustomURL's. There's a little cosmetic issue. There is an Error Message Proxy_Auth_Required. I'd like the user to see that instead of something like 'Your request has been blocked by Company Rules'.

Hmm, I see what you mean...

I think you'll need something like this:

In Access Policies:

non auth agents (Outlook/Windows activation, etc...) --> allowed
authed users in cn=Internet group --> allowed
authed users not in group --> blocked
Global policy --> everything blocked

Go to Network/Authentication and set "Action if Authentication Service Unavailable" to Permit

Go to Web Security Manager/Identities, and in the Global Identity Policy, turn on Guest Privileges.
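
The policy ordering proposed in the last reply, as an added example that is not part of the original thread and is not WSA configuration or Cisco code: a simplified Python model that assumes top-down, first-match evaluation with the Global Policy as the final catch-all. The user names, the cn=staff group and the user-agent strings are constructed sample values.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Request:
    user: Optional[str]                 # None = client never authenticated
    groups: frozenset = frozenset()     # LDAP groups of the authenticated user
    user_agent: str = ""

@dataclass(frozen=True)
class Policy:
    name: str
    matches: Callable[[Request], bool]
    action: str                         # "allow" or "block"

# Constructed examples of agents that cannot answer a proxy auth challenge.
NOAUTH_AGENTS = ("Microsoft Office", "Windows-Update-Agent")

def is_noauth_agent(r):   return r.user is None and r.user_agent.startswith(NOAUTH_AGENTS)
def in_internet_group(r): return r.user is not None and "cn=internet" in r.groups
def is_authenticated(r):  return r.user is not None
def anything(r):          return True

# Situation from the question: only the group policy exists, catch-all allows.
ORIGINAL = [Policy("internet group", in_internet_group, "allow"),
            Policy("Global Policy", anything, "allow")]

# Ordering from the last reply: specific rules first, catch-all blocks.
PROPOSED = [Policy("non-auth agents", is_noauth_agent, "allow"),
            Policy("internet group", in_internet_group, "allow"),
            Policy("authed, not in group", is_authenticated, "block"),
            Policy("Global Policy", anything, "block")]

def evaluate(table, req):
    """Return (policy name, action) of the first policy that matches."""
    for policy in table:
        if policy.matches(req):
            return policy.name, policy.action
    raise ValueError("policy table has no catch-all entry")

if __name__ == "__main__":
    samples = [Request("alice", frozenset({"cn=internet"})),
               Request("bob", frozenset({"cn=staff"})),
               Request(None, user_agent="Microsoft Office/16.0"),
               Request(None, user_agent="curl/8.0")]
    for req in samples:
        print(req.user, req.user_agent or "-",
              evaluate(ORIGINAL, req), evaluate(PROPOSED, req))
```

In the ORIGINAL table the LDAP user outside cn=internet falls through to the allowing catch-all, which is the behaviour the question describes; in the PROPOSED table the same request stops at the explicit block rule.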