NETGEAR SSL312 Users, Groups and Global Policies

NETGEAR ProSafe SSL VPN Concentrator 25 SSL312 Reference Manual

4-2 Setting Up User and Group Access Policies

v2.0, May 2007

• To create complex policies involving groups of host names, IP addresses or IP address ranges,

you can define these groups as network objects using Network Resources as described in

“Using Network Resource Objects to Simplify Policies” on page 4-20.

• To present different portal content to different users (for example, external suppliers), create

the new portal layout, then add a new domain, selecting the new portal layout.

Users, Groups and Global Policies

An administrator can define and apply user, group and global policies to predefined network

resource objects, IP addresses, address ranges, or all IP addresses and to different SSL VPN

services. A specific hierarchy is invoked over which policies take precedence. The SSL VPN

Concentrator policy hierarchy is defined as:

1. User Policies take precedence over all Group Policies.

2. Group Policies take precedence over all Global Policies.

3. If two or more user, group or global policies are configured, the most specific policy takes

precedence.

For example, a policy configured for a single IP address takes precedence over a policy configured

for a range of addresses. And a policy that applies to a range of IP addresses takes precedence over

a policy applied to all IP addresses. If two or more IP address ranges are configured, then the

smallest address range takes precedence. Hostnames are treated the same as individual IP

addresses.

Network Resources are prioritized just like other address ranges. However, the prioritization is

based on the individual address or address range, not the entire Network Resource.

For example, let’s assume the following global policy configuration:

• Policy 1: A Deny rule has been configured to block all services to the IP address range

10.0.0.0 – 10.0.0.255.

• Policy 2: A Deny rule has been configured to block FTP access to 10.0.1.2 – 10.0.1.10.

• Policy 3: A Permit rule has been configured to allow FTP access to the predefined network

resource, FTP Servers. The FTP Servers network resource includes the following addresses:

10.0.0.5 – 10.0.0.20 and ftp.company.com, which resolves to 10.0.1.3.

Assuming that no conflicting user or group policies have been configured, if a user attempted to

access:

• An FTP server at 10.0.0.1, the user would be blocked by Policy 1.