Identities in CWS and virtual WSA

jeremyarcher · ‎02-09-2015

We are transitioning from the on-premise Ironports to the WSA + CWS.

On the current Ironports we use several different identities and apply different access polices based off the identity. For example, some identities are defined by active directory group, IP subnet, etc. Different rule sets are applied based off which identity is used. In addition, we also use identities that are established based off a Custom URL list and browser user-agent.

There doesn't seem to be any way in the WSA / CWS to identify and establish a policy based off user-agent or custom URL lists. While I can create these identities within WSA there doesn't appear to be any means of applying a filter/rule to them.

I would like to be able to define an identity in the WSA and then apply a rule to that identity in CWS. However, it appears that only IP subnet/address and Active Directory are supported "Who" types in the CWS.

Any recommendations?

Handy Putra · ‎02-21-2015

From your descriptions, looks like your WSA mode is using Connector mode.

When WSA is acting as connector mode, WSA is basically not acting as a normal proxy. In this mode WSA only do Identity whether authentication enable or disable (you still be able to identify based on user agent or custom Url categories). Then pass this information to the Cloud Routing Policy to route the traffics to Cloud Web Security such as ScanSafe to be processed and apply rules to that identity (not really have much experience with Could Web Security/Scansafe, however i think you can apply policy based on group or user authentication as long as the Identity from WSA has authentication enabled).

If you need WSA to be the one that performing parodying (apply policies, etc), you will need to change the WSA mode to be standard proxy from the System Setup Wizard (this will reset your current config)

Hope this helps.