Create a Web Applications Control Policy

Article ID: 171077

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

This article describes only how to create a Web Applications Control Policy on the ProxySG or ASG device. The prerequisite steps are outlined briefly below and should be completed before you create the policy.
 
To allow and deny access to Web applications and operations, create policy rules in the Web Access Layer.
 
In addition to URL category filtering, it is possible to filter content by Web application and/or by specific operations or actions performed within those applications. For example, create policy to:
 
  • Allow users to access all social networking sites, except for Facebook. Conversely, block access to all social networking sites except for LinkedIn.
  • Allow users to post comments and chat in Facebook, but block uploading of pictures and videos.
  • Prevent the uploading of videos to YouTube, but allow all other YouTube operations such as viewing videos others have posted. Conversely, prevent uploading but block access to some videos according to the video’s category.
  • Allow users to access personal email accounts on Outlook.com, AOL Mail, and Yahoo Mail, but prevent them from sending email attachments.

Prerequisites: 

1. Configure Blue Coat WebFilter.
2. Set Web services to intercept, such as External HTTP and HTTPS.
3. Decide which Web applications and operations you need to control. For a list of supported Web Operations per Web Application, see http://sitereview.bluecoat.com/applications.jsp
4. SSL Interception must be configured to decrypt the traffic so that Web Application Control and Operations can be applied to SSL-encrypted traffic.
5. Create Policy to Control Web Applications
 
Please refer to the attached document, "Blue Coat Security First Steps Solution for Controlling Web Applications", for a full description of these steps. This article provides only the steps to configure the actual policy for Web Application Controls.
 
 
NOTE: Only the Operations listed under each Application on the http://sitereview.bluecoat.com/applications.jsp site are supported. Using an Operation with an Application that does not support it will not work. Even if an Operation is configured for an Application in the VPM, it will not work if that Application does not support the Operation.

Resolution

Create Policy to Control Web Applications

To allow and deny access to Web applications and operations, you create policy rules in the Web Access Layer.

1. Launch the Visual Policy Manager (VPM).
     a. In the Management Console, select Configuration > Policy > Visual Policy Manager.
     b. Click Launch.
2. Add a Web Access Layer.
     a. Select Policy > Add Web Access Layer.
     b. For Layer Name, enter a descriptive name and click OK.
3. Right-click the Destination column within the rule, and select Set.
4. To control Web applications, click New and select Request URL Application. In the new window that opens, select the check box of the application(s) you want to control and click OK.
5. (Optional) To control Web operations:
     a. Click New and select Request URL Operation.
     b. In the Supporting application list, select the Web application(s) you want to control.
     c. Select the check box of the operation(s) you want to control.
     d. Click OK.
6. Set Action to Allow or Deny, depending on the policy you want to create.
7. Click Install policy.


Example: Control YouTube Operations

The following example demonstrates how to add a policy to control YouTube operations. With this policy, users will not be able to post messages or upload videos in the YouTube application; all other operations will be allowed.

1. Launch the VPM.
2. Add a Web Access Layer. Name the layer YouTube Controls.
3. Right-click the Destination column within the rule, and select Set.
4. Click New and select Request URL Application.
5. In the application list, scroll down and select the YouTube check box.
6. In the Name field, enter a descriptive name such as YouTube-App, then click OK.
7. Add an object to deny Post Messages and Upload Video operations on YouTube.
     a. Click New and select Request URL Operation.
     b. Under the Supporting application pull-down menu, select YouTube.
     c. Select the operations you want to block: Upload Video and Post Messages.
     d. Name this object YouTube-Operations.
     e. Click OK.
8. Create a combined object.
     a. Click New and select Combined Destination Object.
     b. Add YouTube-App to the upper-right box and add YouTube-Operations to the lower-right box. This ensures that both conditions must match for this policy to deny requests.
     c. Name the combined object YouTube app-op controls. Click OK.
9. Make sure the Action is set to Deny.
10. Install the policy.

You can verify the full policy details on the ProxySG. In the VPM, click View > Current SG Appliance VPM Policy Files. If you have multiple access layers in the VPM, you can see the order in which the rules will be applied in the CPL (content policy language) file. On the VPM, go to View > Generated CPL.
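
For orientation when reading the Generated CPL view, the YouTube example above can be expressed in CPL roughly as follows. This is an added, hand-written sketch, not output copied from the VPM and not part of the original article: the condition names are assumptions (the VPM generates its own object names), and the operation strings are taken as written in this article.

```cpl
; Hand-written sketch of the "YouTube Controls" Web Access Layer.
; Condition names below are illustrative; VPM-generated names will differ.

; Equivalent of the Request URL Operation object:
; lines inside a condition block are alternatives (either operation matches).
define condition YouTube_Operations
    request.application.operation="Upload Video"
    request.application.operation="Post Messages"
end condition YouTube_Operations

; Equivalent of the Request URL Application object.
define condition YouTube_App
    request.application.name="YouTube"
end condition YouTube_App

; Web Access Layer
<Proxy>
    ; Equivalent of the Combined Destination Object: both conditions on
    ; the rule line must match before the request is denied.
    condition=YouTube_App condition=YouTube_Operations Deny
```

Requests to YouTube that match neither listed operation do not match this rule and are handled by later layers or the default policy. Without SSL Interception the operation cannot be identified on HTTPS traffic, so the rule will not trigger.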

Test Web Application Policy

Test the policy by verifying that you cannot access blocked Web applications.

1. Open a Web browser that is configured to use the ProxySG as a proxy. Make sure that you are not using the same browser that you are currently using to access the Management Console.
2. Launch the application that you created a policy for. For example, if you created a policy to deny Facebook access, you will see a corresponding ‘access denied’ or ‘web page not found’ error depending on how you have configured the Deny functionality.
3. To customize the web page containing the error message displayed to users when they are denied access to a URL, refer to the Exception Pages solution in the First Steps WebGuide.

Verify that you cannot perform blocked web operations and can perform operations that are allowed.

1. Open a Web browser that is configured to use the ProxySG as a proxy.
2. Launch the application you created a policy for. Make sure you can perform operations that are allowed and are denied access to the blocked operations. For example, if you created a policy to block Post Message and Upload Video operations in YouTube, go to YouTube and try to upload a file or post a comment; these operations should be denied. Other operations, such as playing videos, should be allowed.

-----------

If the controls are not working as expected, please check the SSL Interception as mentioned in the following article: Web Application controls do not seem to work with sites like Facebook, Google+, Twitter, etc.
 

Attachments

Blue Coat Security First Steps Solution for Controlling Web Applications.pdf