NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

To create complex policies involving groups of host names, IP addresses or IP address ranges, you can define these groups as network objects using Network Resources as described in “Using Network Resource Objects to Simplify Policies” on page 4-20.

To present different portal content to different users (for example, external suppliers), create the new portal layout, then add a new domain, selecting the new portal layout.

Users, Groups and Global Policies

An administrator can define and apply user, group and global policies to predefined network resource objects, IP addresses, address ranges, or all IP addresses and to different SSL VPN services. A specific hierarchy is invoked over which policies take precedence. The SSL VPN Concentrator policy hierarchy is defined as:

1.User Policies take precedence over all Group Policies.

2.Group Policies take precedence over all Global Policies.

3.If two or more user, group or global policies are configured, the most specific policy takes precedence.

For example, a policy configured for a single IP address takes precedence over a policy configured for a range of addresses. And a policy that applies to a range of IP addresses takes precedence over a policy applied to all IP addresses. If two or more IP address ranges are configured, then the smallest address range takes precedence. Hostnames are treated the same as individual IP addresses.

Network Resources are prioritized just like other address ranges. However, the prioritization is based on the individual address or address range, not the entire Network Resource.

For example, let’s assume the following global policy configuration:

Policy 1: A Deny rule has been configured to block all services to the IP address range

10.0.0.0– 10.0.0.255.

Policy 2: A Deny rule has been configured to block FTP access to 10.0.1.2 – 10.0.1.10.

Policy 3: A Permit rule has been configured to allow FTP access to the predefined network resource, FTP Servers. The FTP Servers network resource includes the following addresses:

10.0.0.5– 10.0.0.20 and ftp.company.com, which resolves to 10.0.1.3.

Assuming that no conflicting user or group policies have been configured, if a user attempted to access:

An FTP server at 10.0.0.1, the user would be blocked by Policy 1.

4-2

Setting Up User and Group Access Policies

v2.0, May 2007

Page 47 Page 49
Page 48
Image 48
NETGEAR SSL312 manual Users, Groups and Global Policies
Page 47 Page 49
Top Page Image Contents