Creating an authorization policy for Active Directory group/user

book

Article ID: 170420

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

This article describes how to create an authorization rule on ProxySG for AD group/user with Integrated Windows Authentication (IWA) realm.

Environment

The environment uses any of the below authentication realms:

  1. Integrated Windows Authentication (IWA) direct
  2. IWA with BlueCoat Authentication Authorization Agent (BCAAA)

Resolution


One of the benefits of IWA is that it automatically returns authorization information for a user in response to an authentication request. You do not have to perform any additional configuration to get authorization to work. After successfully authenticating a user, the appliance receives a list of all groups (IWA Direct) or groups of interest (IWA BCAAA) to which the user belongs.
This section describes how to create a policy using the Visual Policy Manager (VPM). You can also create policy using the Content Policy Language (CPL).

1. Launch the VPM.
   a. From the Management Console, select Configuration > Policy > Visual Policy Manager.
   b. Click Launch.

2. Create a Web Access Layer:
   a. Select Policy > Add Web Access Layer.
   b. Enter a Layer Name or accept the default name and then click OK.

3. Specify the user or group to authorize (the source):
   a. In the Source column of the first row, right-click and then select Set. The Set Source Object dialog displays.
   b. Click New and then select the type of Active Directory object this rule will authorize:

  •        To create a rule for authorizing a group, select Group. The Add Group Object dialog displays.
  •        To create rule for authorizing a user, select User. The Add User Object dialog displays.

   c. Select the IWA realm from the Authentication Realm drop-down list.
   d. Specify the name of the Active Directory user or group that rule will authorize:

 

  • If you know the name of the Active Directory user or group, enter it in the Group or User field.
  • If you don't know the Active Directory name of the user or group, click Browse and select the group from the IWA Browser.

   e. Click OK to close the Add Group Object or Add User Object dialog.
   f. Click OK to close the Set Source Object dialog.

4. Specify whether to allow or deny requests from the specified user or group:
a. Right-click the Action column.
b. Select one of the following options:

 

  • Allow-Select this option if the default proxy policy for the appliance is set to deny proxy access through the ProxySG appliance. (This is the default in a secure web gateway deployment.)
  • Deny-Select this option of the default proxy policy for the appliance is set to allow proxy transactions. (This is the default in an acceleration deployment.)

If you aren't sure what the default proxy policy is set to on your appliance,
go to Configuration > Policy > Policy Options.

5. (optional) Define any additional parameters that you want this rule to enforce.
6. To create additional authorization rules, repeat Steps 3 through 5.
7. Click Install policy.
8. Click OK to acknowledge that the policy was successfully installed.

*The above information can be found in the Secure Gateway Operating System (SGOS) Admin guide for all GA releases.