Create a Web Applications Control Policy

Article ID: 171077

Products

ProxySG Software - SGOS

Issue/Introduction

This article describes only how to create a Web Applications Control Policy on the Edge SWG (ProxySG) or ASG device. The prerequisite steps are outlined briefly below and should be completed before creating the policy.
 
To allow and deny access to Web applications and operations, create policy rules in the Web Access Layer.
 
In addition to URL category filtering, it's possible to filter content by Web application and/or by specific operations or actions performed within those applications. For example, create policy to:
 
  • Allow users to access all social networking sites, except for Facebook. Conversely, block access to all social networking sites except for LinkedIn.
  • Allow users to post comments and chat in Facebook, but block uploading of pictures and videos.
  • Prevent the uploading of videos to YouTube, but allow all other YouTube operations such as viewing videos others have posted. Conversely, prevent uploading but block access to some videos according to the video’s category.
  • Allow users to access personal email accounts on Outlook.com, AOL Mail, and Yahoo Mail, but prevent them from sending email attachments.

Prerequisites: 

1. Configure Blue Coat WebFilter.
2. Set Web services to intercept, such as External HTTP and HTTPS.
3. Decide which Web applications and operations you need to control. For a list of supported Web Operations per Web Application, see http://sitereview.bluecoat.com/applications.jsp
4. SSL Interception for decrypting the traffic must be configured in order for SSL encrypted traffic to have the Web Application Control and Operations applied. 
5. Create Policy to Control Web Applications
 
Please refer to the attached document, "Blue Coat Security First Steps Solution for Controlling Web Applications", for a full description of these steps. This article provides only the steps to configure the actual policy for Web Application Controls.
 
 
NOTE: Only the Operations listed under each Application on the http://sitereview.bluecoat.com/applications.jsp site are supported. Using other Operations with Applications that are not supported will not work. Even if an Operation is configured for an Application in the VPM, it will not work if the operation is not supported by that application.

Resolution

Create Policy to Control Web Applications

To allow and deny access to Web applications and operations, you create policy rules in the Web Access Layer.

Example: Control YouTube Operations

The following example demonstrates how to add a policy to control YouTube operations. With this policy, users will not be able to post messages or upload videos in the YouTube application; all other operations will be allowed.

1. Launch the Web VPM.
2. Add a Web Access Layer. Name the layer YouTube Controls.
3. Click "destination" then "set".
4. Click "Add a new object" then "Application Name".
5. In the application list, scroll down and select the YouTube check box, or search for "youtube".
6. In the Name field, enter a descriptive name such as YouTube-App, then click "Apply" then "Set".

7. Add an object to deny Post Messages and Upload Videos operations on YouTube.
      a. Click "destination" then "set".
      b. Click "Add a new object" then "Application Operation".
      c. Select the operations you want to block: Upload Videos and Post Messages.
      d. Name this object YouTube-Operations.
      e. Click "Apply".

8. Create a combined object.
      a. Click "Add a new object" and select Combined Destination Object.
      b. Select YouTube-App, click "add a second list", then select YouTube-Operations.
      c. Name the combined object YouTube_app-op_controls.
      d. Click "Apply" then "Set".

9. Make sure the Action is set to Deny.
10. Save Policy.
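
For reference, the rule built in the steps above can also be expressed in Content Policy Language (CPL). This is an added illustration, not part of the original article and not the CPL that the VPM generates; the condition name YouTube_Operations is hypothetical, and the application and operation strings are assumed to match the names shown in the VPM lists.

```cpl
; Added illustration: CPL equivalent of the "YouTube Controls" Web Access Layer.
; Lines inside a "define condition" block are ORed together, which mirrors
; selecting several operations in one Application Operation object.
define condition YouTube_Operations
    request.application.operation="Upload Videos"
    request.application.operation="Post Messages"
end condition YouTube_Operations

<Proxy "YouTube Controls">
    ; Triggers on the same rule line are ANDed, which mirrors the two lists of
    ; the combined destination object: the request must be identified as
    ; YouTube AND as one of the listed operations before it is denied.
    request.application.name="YouTube" condition=YouTube_Operations deny
```

A request that matches only the application name, such as viewing a video, is not denied by this rule.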

 

Test Web Application Policy

Test the policy by verifying that you cannot access blocked Web applications.

1. Open a Web browser that is configured to use the Edge SWG (ProxySG) as a proxy. Make sure that you are not using the same browser that you are currently using to access the Management Console.
2. Launch the application that you created a policy for. For example, if you created a policy to deny Facebook access, you will see a corresponding ‘access denied’ or ‘web page not found’ error depending on how you have configured the Deny functionality.
3. To customize the web page containing the error message displayed to users when they are denied access to a URL, refer to the Exception Pages solution in the First Steps WebGuide.

Verify that you cannot perform blocked web operations and can perform operations that are allowed.

1. Open a Web browser that is configured to use the Edge SWG (ProxySG) as a proxy.
2. Launch the application you created a policy for. Make sure you can perform operations that are allowed and are denied access to the blocked operations. For example, if you created a policy to block Post Message and Upload Video operations in YouTube, go to YouTube and try to upload a file or post a comment; these operations should be denied. Other operations, such as playing videos, should be allowed.

Attachments

Blue Coat Security First Steps Solution for Controlling Web Applications.pdf