Define a User-Based Web Applications Policy

By combining several types of WSS policy, you can create a robust web application policy that protects your network, enforces acceptable web use policies, and allows employees to complete their job duties based on their roles in the organization. Consider the following use case and example policy.

Use Case

The default WSS setting for all applications is Allow. Previously, a WSS admin set the major webmail applications to Block and set E*Trade to Allow. You now want to add a more granular policy based on user groups.
  • The FIFA World Cup creates network bandwidth havoc every year; furthermore, reports indicate that Pinterest traffic is trending upward and you want to block access.
  • Both Facebook and Twitter can hinder productivity, yet are necessary marketing applications. You want to allow access only to the Marketing group; however, you also want to block security risks (such as downloading files) and block unnecessary features (such as games and chatting) for everyone in those groups.
    How a user understands that an application action was blocked is application-dependent. For some actions, nothing happens. This behavior might generate support/IT tickets, so be sure such personnel understand this and can inform employees.
  • Human Resources also uses Facebook plus Linkedin, but you do not want other employees job-networking while working for you.

Example Policy

  1. Navigate to Policy > Content Filtering.
  2. Add FIFA World Cup, Facebook, Twitter, Linkedin, and Pinterest to the Blocked Web Applications global block list.
    1. In the Group B > G4 rule, click the Blocked Web Applications link in the To Where column. The service displays the Object Edit: Blocked Web Applications dialog.
    2. The initial dialog is read-only. Click Edit.
    3. Select the FIFA World Cup application in the Sports/Recreation drop-down (you can search for the term).
    4. Select the Facebook, Twitter, Linkedin, and Pinterest applications from the Social Networking drop-down.
    5. Click Save. The Blocked Applications (#) number increments to include the four applications.
    6. Yellow triangle icons indicate non-active policies. Click Activate. At this point, anyone who attempts to access any of those applications is blocked.
  3. Allow Marketing access to Facebook and Twitter.
    1. Click Add Rule. The service displays the Create New Rule dialog.
    2. Click Add Sources.
    3. Click User Group.
    4. Select the group to be granted access; for this example, CorpMarketing.
    5. Click Save.
    6. Click Add Destinations.
    7. Click Web Application.
    8. Search for Facebook and Twitter and add them; click Save.
    9. For the Verdict construct, select Allow > Completely. Click Finish, which adds the rule in Group B above the default global block rule. The order is important: when a component of a rule is matched, subsequent rules are ignored.
  4. You now want to prevent Marketing employees from downloading attachments, playing games, and chatting from within Facebook.
    1. Repeat Step 3, creating a rule that applies to the same CorpMarketing group (Sources construct).
    2. Select the same web applications on the Destinations construct.
    3. Click Contents and Limits; click Actions.
    4. Select the actions to block, such as Download Video and Games.
    5. Click Save.
    6. Set the Verdict construct to Block.
    7. Click Add Rule; the service displays the new action blocking rule in Group B.
    8. Click Activate.
  5. Create another rule for the CorpHR group to be allowed Facebook and Linkedin.
  6. Click Activate. You now have conditional rules that fully allow access, limit access, or block web applications.
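The ordering note in step 3 can be checked offline before activating a rule set. The following is an added example, not WSS code or a WSS API: it uses a simplified first-match model of the rules built above, and the rule names, the CorpSales group and the matching semantics are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str                         # hypothetical label, not a WSS identifier
    groups: frozenset                 # empty set = any user
    apps: frozenset
    verdict: str                      # "Allow" or "Block"
    actions: frozenset = frozenset()  # empty set = the whole application

def evaluate(rules, group, app, action=None):
    """Return (verdict, rule name) for the first rule that matches; default is Allow."""
    for r in rules:
        if r.groups and group not in r.groups:
            continue
        if app not in r.apps:
            continue
        if r.actions and action not in r.actions:
            continue
        return r.verdict, r.name
    return "Allow", "default"

def shadowed(rules):
    """List (rule, earlier rule) pairs where the earlier rule matches everything the later one does."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            groups_ok = not earlier.groups or (bool(later.groups) and later.groups <= earlier.groups)
            actions_ok = not earlier.actions or (bool(later.actions) and later.actions <= earlier.actions)
            if groups_ok and actions_ok and later.apps <= earlier.apps:
                found.append((later.name, earlier.name))
                break
    return found

fs = frozenset
mkt_allow = Rule("mkt_allow", fs({"CorpMarketing"}), fs({"Facebook", "Twitter"}), "Allow")
mkt_actions = Rule("mkt_block_actions", fs({"CorpMarketing"}), fs({"Facebook", "Twitter"}),
                   "Block", fs({"Download Video", "Games"}))
hr_allow = Rule("hr_allow", fs({"CorpHR"}), fs({"Facebook", "Linkedin"}), "Allow")
global_block = Rule("global_block", fs(), fs({"FIFA World Cup", "Facebook", "Twitter",
                                              "Linkedin", "Pinterest"}), "Block")

# Constructed orderings: the action-block rule below vs. above the full allow rule.
BLOCK_BELOW = [mkt_allow, mkt_actions, hr_allow, global_block]
BLOCK_ABOVE = [mkt_actions, mkt_allow, hr_allow, global_block]

if __name__ == "__main__":
    for label, rules in (("below", BLOCK_BELOW), ("above", BLOCK_ABOVE)):
        print(label, evaluate(rules, "CorpMarketing", "Facebook", "Games"), shadowed(rules))
```

Under this model, an action-block rule placed below the Allow > Completely rule for the same group and applications never fires, so confirm the rule order shown in Group B before clicking Activate.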