Forward Specific User and Group Names to the Service

By default, the Auth Connector returns all group and usernames that are contained in your LDAP deployment to the Web Security Service for use in custom policy creation. This might not be practical for an enterprise network that contains multiple user groups and large volumes of users. Sending that much information might cause Auth Connector resource constraints. Symantec recommends performing this before installing the Auth Connector.
For large LDAP deployments, the best practice is to select all users but decide which groups require policy and forward only those to WSS. For example, you have domains named HQ-QA, HQ-SALES, and HQ-OPERATIONS, and only users in the HQ-SALES domain require policy checks.
The bcca.ini file, which is part of the Auth Connector application, contains [Groups] and [Users] sections. You can add entries to one, either, or both:
  • If the [Groups] and [Users] sections are empty, WSS receives traffic from all domains and users.
  • If the [Groups] section contains a domain entry (for example, HQ-SALES\), then all groups within that domain send traffic to the cloud service.
  • To further narrow the scope within domains, add group names. For example: HQ-SALES\RegionA.
  • The [Users] section functions in the same manner. Add specific users to even further limit whose traffic is sent to the cloud services. For example: HQ-SALES\thomas.hardy.
To prevent a full transmission of all user and group names, do not open the firewall for outbound 443/tcp from the Auth Connector before you complete this task.

Procedure

This process to add domains, users, and groups is manual.
  1. Access the server that has the Auth Connector application.
  2. Using a text editor, open the bcca.ini file. If you installed the Auth Connector in the default directory, find it in: C:\Program Files\Blue Coat Systems\BCCA\.
  3. Locate the [Groups] and [Users] sections and add entries. You must use the same letter cases that match what is in the Active Directory. Add one entry per line. For example:
     [Groups]
     HQ-SALES\NAWest
     HQ-SALES\NANorthWest
     [Users]
     HQ-SALES\Administrator
  4. Save the file.
  5. Allow the service to process some traffic, then check various reports to verify that you are receiving traffic from the specified groups/users.
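The following script is an added example, not part of the Auth Connector product or this documentation. It parses the [Groups] and [Users] sections of a bcca.ini in the bare-line format shown above and reports the conditions a reviewer would want to catch before outbound 443/tcp is opened: both sections empty (everything is forwarded), an entry without a DOMAIN\ prefix, an exact duplicate, and two entries that differ only in letter case (at most one of them can match the case used in Active Directory). The sample file contents are constructed; the entry pattern is an assumption based on the page's examples.

```python
import re
from typing import Dict, List

# Constructed sample mirroring the page's example; not a file from a real deployment.
SAMPLE_INI = """\
[Groups]
HQ-SALES\\NAWest
HQ-SALES\\NANorthWest
[Users]
HQ-SALES\\Administrator
"""

# Assumed entry shape: DOMAIN\ (whole domain) or DOMAIN\Name, no whitespace in DOMAIN.
ENTRY_RE = re.compile(r"^[^\\\s]+\\[^\\]*$")


def parse_scope_sections(text: str) -> Dict[str, List[str]]:
    """Collect the bare entry lines under [Groups] and [Users].

    Case is preserved on purpose: entries must match the letter case used in
    Active Directory, so nothing is normalised here.
    """
    sections: Dict[str, List[str]] = {"Groups": [], "Users": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = name if name in sections else None
            continue  # sections other than [Groups]/[Users] are ignored
        if current is not None:
            sections[current].append(line)
    return sections


def audit_scope(sections: Dict[str, List[str]]) -> List[str]:
    """Return findings to resolve before outbound 443/tcp is opened."""
    findings: List[str] = []
    if not sections["Groups"] and not sections["Users"]:
        findings.append("both sections empty: every domain, group and user is forwarded")
    for name in ("Groups", "Users"):
        seen_exact, seen_folded = set(), {}
        for entry in sections[name]:
            if not ENTRY_RE.match(entry):
                findings.append(f"[{name}] '{entry}' has no DOMAIN\\ prefix")
            if entry in seen_exact:
                findings.append(f"[{name}] duplicate entry '{entry}'")
            elif entry.lower() in seen_folded:
                findings.append(f"[{name}] '{entry}' differs only in letter case from "
                                f"'{seen_folded[entry.lower()]}'; at most one matches AD")
            seen_exact.add(entry)
            seen_folded.setdefault(entry.lower(), entry)
    return findings
```

Run it against the real bcca.ini by reading the file into `parse_scope_sections` and printing `audit_scope`'s findings; an empty list means none of the checked conditions was found.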