Web Security Service Universal Policy Enforcement (UPE) Guide · 4/7/2020

Web Security Service Universal Policy Enforcement (UPE) Guide Revision: APR.07.2020


TOC

About Universal Policy Enforcement

UPE Technical Requirements

Register Your WSS Portal
  Technical Requirements
  Procedure

Add WSS Account to Management Center
  Web Security Service: Generate Token
  Management Center: Register the Web Security Service

Decision: Where Policy Originates

Create a New UPE Object

Define Universal Policy in the VPM
  Technical Requirements
  About Enforcement Points
  Procedure

Clone an Existing Policy

Import Policy

Refine Universal Policy
  Technical Requirements
  Procedure

Install Policy to WSS Target

Validate Universal Policy
  Validate the Universal Policy
  About the Validation Results
  Known Policy Limitations

Install Policy to WSS Target

Universal Policy: Enforcement Point

WebGuide Update Log

Virus Scanning is not Working

Connection Issue

Web Isolation Issue

Glossary


About Universal Policy Enforcement

Universal Policy comprises various rules required to enforce your enterprise's acceptable web use policies for employees who connect through an on-premises ProxySG appliance and/or the Web Security Service (cloud security). To achieve Universal Policy Enforcement, Symantec Management Center allows you to centralize your policy creation, maintenance, and installation to multiple appliances and the cloud service.

1—The Admin uses Management Center to create a Universal Policy object, then imports a reference ProxySG Visual Policy Manager (VPM) policy for validation and refinement.

Note: Another option is to create policy (Enforcement Domains) directly in the VPM, then use Management Center to import it.

2—The Admin installs the validated Universal Policy on selected targets, which include ProxySG appliances in different locations and the Web Security Service.


3—Employees at a location request web traffic, which is intercepted by an on-premises ProxySG appliance. The appliance checks the traffic against the policy with the Appliance and Universal Enforcement Points, which were defined during the policy creation stage.

4—For this enterprise, the Web Security Service processes requests from all remote users (connecting from a non-corporate network). The WSS and Universal Enforcement Points apply to these client connections.

Going forward, Management Center allows you to quickly maintain, edit, and publish policy updates without having to log in to multiple products.

Ready to Begin Implementation?

- "UPE Technical Requirements" on page 7

- "Register Your WSS Portal" on page 8


UPE Technical Requirements

Before you begin to implement Universal Policy Enforcement, Symantec recommends that you confirm the following prerequisites are met.

Product: ProxySG
Item: SGOS 6.7.1+; 6.6.x 6.5.9.14+

Product: Management Center
Item: 1.8.1+

Product: SSL
Notes: Universal Policy requires proper SSL certificate validation. You must:
- Ensure that Management Center is able to connect to https://sgapi.es.bluecoat.com.
- Verify that no inline proxies will disrupt SSL connections to your devices.
- If Management Center uses the explicit HTTP proxy, ensure that it does not decrypt traffic.

Product: Web Security Service
Item: Subscription ID
Notes: Sent in the Welcome email. This is required for account registration and initial configuration.
Item: Admin Email Address
Notes: Determine which Network Administrator will serve as the Web Security Service super admin (you can add other portal admins later).

Product: Virus Scanning
Item: Virus Scanning Settings
Notes: ICAP services will be accepted and transformed to use the WSS virus scanning service only if they adhere to the following:
- The ICAP service is configured with Service Type Virus Scanning.
- The ICAP service is configured with Service Type Other and is named ProxyAV.

See "Virus Scanning is not Working" on page 35 for more information.
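One way to check the SSL prerequisites above from the Management Center network segment (an added example, not Symantec tooling): it compares the certificate presented on that path with a reference recorded from a path known to have no inspection. The reference values and sample observations are constructed placeholders, and the probe assumes direct egress rather than an explicit proxy.

```python
import hashlib
import socket
import ssl

UPE_API_HOST = "sgapi.es.bluecoat.com"  # endpoint named in the guide


def probe(host=UPE_API_HOST, port=443, timeout=10.0):
    """Handshake with full chain and hostname validation, as seen from this host."""
    result = {"validated": False, "sha256": "", "issuer_org": "", "error": ""}
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                issuer = dict(rdn[0] for rdn in tls.getpeercert().get("issuer", ()))
                result.update(
                    validated=True,
                    sha256=hashlib.sha256(der).hexdigest(),
                    issuer_org=issuer.get("organizationName", ""),
                )
    except ssl.SSLCertVerificationError as exc:
        # Chain or hostname check failed: an untrusted CA re-signed the
        # session, or the path is otherwise disrupting SSL.
        result["error"] = "certificate rejected: " + exc.verify_message
    except OSError as exc:
        result["error"] = "connection failed: " + str(exc)
    return result


def assess(observed, reference):
    """Compare one probe result with the reference taken on a clean path."""
    if not observed["validated"]:
        return "FAIL", observed["error"] or "chain did not validate"
    if observed["sha256"] == reference["sha256"]:
        return "OK", "same leaf certificate as the reference path"
    if observed["issuer_org"] == reference["issuer_org"]:
        return "REVIEW", "leaf differs but issuer matches; likely rotation, refresh the reference"
    return "FAIL", "issuer is %r; the session is being re-signed in path" % observed["issuer_org"]


# Constructed values for illustration; record the real reference with probe()
# from a network path that has no inline proxy.
REFERENCE = {"sha256": "a1" * 32, "issuer_org": "Example Public CA"}
SAMPLE_OBSERVATIONS = {
    "clean": {"validated": True, "sha256": "a1" * 32,
              "issuer_org": "Example Public CA", "error": ""},
    "rotated": {"validated": True, "sha256": "b2" * 32,
                "issuer_org": "Example Public CA", "error": ""},
    "resigned": {"validated": True, "sha256": "c3" * 32,
                 "issuer_org": "Corp Inspection CA", "error": ""},
    "untrusted": {"validated": False, "sha256": "", "issuer_org": "",
                  "error": "certificate rejected: unable to get local issuer certificate"},
}

if __name__ == "__main__":
    for name, observed in SAMPLE_OBSERVATIONS.items():
        print(name, *assess(observed, REFERENCE))
```

On the Management Center host, replace the sample observation with `probe()` and treat any FAIL as a prerequisite that is not met.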

Next Step

- "Register Your WSS Portal" on page 8


Register Your WSS Portal

The first task in the Universal Policy Enforcement configuration process is to register your Web Security Service portal and set a default policy setting to Universal.

Technical Requirements

Before beginning, you must have:

- A Subscription ID, which was sent in a Welcome email by Symantec.

- A Primary Administrator email address. Your Web Security Service portal account will be tied to this address.

Procedure

1. In a browser, enter https://portal.threatpulse.com/register.jsp.


a. Enter the Email Address and name of the person who will be the primary Web Security Service administrator.

b. Enter your Subscription ID.

c. Click Register.

2. The Web Security Service begins the first phase of an initial configuration wizard.

The first page prompts you to define your Administrator password and password recovery security question.

Complete and click Next (bottom-right corner).

3. The next page prompts you to define the Administrator's First and Last Name.

a. Complete and click Continue to Product Setup.

b. Click OK to close the confirmation dialog.

4. The Web Security Service begins the second initial configuration phase, the first part of which is Product Configuration.

Locate the Web Security product line and click the Configure link, which is in the Action column.

5. The Web Security Service displays the Default Policy page.

a. In the Policy Source area, select Management Center.

Notice that other Default Policy options are now greyed-out. These are not applicable when the Management Center is the policy source.

b. Click Next.

6. The wizard progresses through three more screens: Mobile Users, Static Location, and Auth Connector Setup, each of which offers options and/or lets you configure additional components. Advanced Web Security Service admins will understand what these configurations are, but you can configure these Access and Authentication methods at a later time. For each of these screens, click Next.

7. The final wizard screen confirms that you have completed the registration process. Click Go To Product Setup (lower-right corner).


8. The Web Security Service returns to the Product Configuration screen; the Web Security product line now displays Configured as the Configuration Status. Click Continue (lower-right corner).

The Web Security Service portal loads and displays the Overview > Dashboard landing page. These reports are not populated because no clients are sending traffic to the service yet.

This concludes this Universal Policy Enforcement phase.

Verify Policy Source

The portal does not provide a visual status that you have selected Management Center as the policy source. You can navigate to Content Filtering > Policy. If registered correctly, this page does not allow access to the Content Filtering Rule Editor. If you can access this editor, your portal is not properly registered for UPE. You must work with your Beta representative to reset your account.

Next Step

- "Add WSS Account to Management Center" on page 11


Add WSS Account to Management Center

After you register your Web Security Service portal account, add the account as a device in Management Center.

As of the Web Security Service 10.2.1 service update (November, 2017), the service resources no longer store passwords for registered network devices. Therefore, you must create a Device Integration Token to use during device-to-service communications.

Web Security Service: Generate Token

1. In Service mode, select Account Maintenance > Integrations.

2. Click New Integrations. The portal displays the New Integration dialog.

3. Select Management Center.

4. The portal generates a random token. Define the token attributes.


a. Copy the token to your client's clipboard. This token is the password for your connection from the Management Center to the Web Security Service.

b. Select the Expiry Type.

- Time-based—You define the date and time when this token expires.

- Usage-based—You define how many times this token can be used. When the defined number is reached, the token becomes invalid.

- Never expires.

c. Set the expiration criteria.


- For Time-based, select the date and time.

- For Usage-based, set the valid number of uses.

d. (Optional) Enter a comment that defines the token's purpose.

5. Click Save.

The portal displays the token.

To review the attributes, select a token and click Edit. You can also Delete or temporarily Disable (and re-Enable) the token.

Management Center: Register the Web Security Service

1. Log in to the Management Center.

2. Select Network > Devices.

3. Click Add Device. The system displays the Add Device wizard.

4. Select Web Security Service. The wizard displays the next page.

5. Define the Device Management Mode attributes.

a. From the Deployment Status drop-down, select Existing device.

b. For Edit Mode, select Read/Write.

6. Establish the Web Security Service Connection Details.


a. From the Cloud Network drop-down list, select Production. This connects to your Web Security Service account/portal.

b. Click Connect.

c. For Username, enter mc-register.

d. The Password is the integration token that you copied from the Web Security Service.


e. Click Register.

After successfully connecting, the system populates the Name fields.

Optional—Input any applicable attributes.

See Add Attributes in the Management Center documentation.

Next Step

- "Decision: Where Policy Originates" on page 16


Decision: Where Policy Originates

There are three methods to provide the source policy used for Universal Policy Enforcement, which means it is used for client web traffic intercepted by on-premises ProxySG appliances or the Web Security Service.

Review the following methods and select the one that matches your Universal Policy Enforcement goals.

Tip: The Web Security Service can accept only one policy source at a given time. However, you can de-register a source (Management Center) and register a different one.

Management Center—Existing Policy

I have an existing policy that I want to clone as a basis for Universal Policy Enforcement.

This procedure describes how to use Management Center to access a ProxySG appliance, make a copy of its Visual Policy Manager (VPM), designate it as the Universal Policy, and refine it.

Possible Use Cases

- You have a Symantec Management Center and you already use it to manage policies across multiple ProxySG appliances.

- One or more managed ProxySG appliances have installed policy; you want the applicable policies applied to clients that send traffic to the Web Security Service.

Select This Method


Management Center—New UPE Policy

I want to create a new Universal Policy and use it for on-premises and/or the Web Security Service.

This procedure describes how to use Management Center to access a ProxySG appliance VPM and create Universal Policy.

Possible Use Cases

- You have a Symantec Management Center and you already use it to manage policies across multiple ProxySG appliances.

- You want to define a new Universal Policy Enforcement policy to install on one or more ProxySG policies and/or the Web Security Service.

Select This Method

Visual Policy Manager

I want to use or create policy with the ProxySG appliance Visual Policy Manager.

This procedure describes how to access a stand-alone, on-premises ProxySG appliance VPM, create Universal Policy, and then use Management Center to import and install it.


Possible Use Cases

- You prefer to use the ProxySG Visual Policy Manager (VPM) to develop policies.

- You have used the Visual Policy Manager (VPM) to substantially craft policies on a single ProxySG appliance and those policies are applicable to the clients that will send traffic through the Web Security Service.

Select This Method


Create a New UPE Object

This topic describes how to create a new Universal Policy object to be used for both ProxySG appliances and the Web Security Service.

1. Log in to Management Center.

2. From the left menu, select Policy.

3. Click Add Policy. The system displays the Create New Policy dialog.

4. Provide the Basic Information about this rule.

a. Name the policy object (required).

b. From the Policy Type drop-down, select Universal VPM Policy (required).

c. (Optional) Enter a Reference ID. Although not required, this ID is useful for filtering objects when building policy. If you do not enter a reference ID, the system assigns a default ID based on the policy name you enter. Imported policy objects are assigned a default ID. The Reference ID must begin with a letter and can contain only letters, numbers, and the underscore (_) character.

d. (Optional) Enter a Description, which helps differentiate versions of the same policy.

e. (Optional) Select Replace Substitution Variables. This is only necessary if you plan to include policy variables or shared objects in your policy. Reference topic.

f. Click Next.

5. Attributes page—If you previously created Policy Attributes in Administration > Attributes, the Management Center displays them on this wizard page. You can click the X icon to delete unnecessary attributes; if an attribute has a selectable value, you can select that.

When ready, click Finish. The Management Center adds the new Universal Policy Enforcement object.

Next Step

Select a method to define Universal Policy Enforcement.

- Import policy from existing reference ProxySG appliance—"Import Policy" on page 26.

- Use the Management Center to link the UPE object to a reference ProxySG appliance—Identify a Reference ProxySG Appliance.


Define Universal Policy in the VPM

An alternative method to using the Management Center to access a ProxySG appliance Visual Policy Manager (VPM) is to use an on-premises appliance/VPM. After you create the Universal Policy, use Management Center to import and distribute it.

Technical Requirements

- Before accessing a VPM editor, Symantec strongly recommends that you understand how the VPM Editor works in regards to underlying policy enforcement in ProxySG appliances. For comprehensive information on creating policy, refer to the Blue Coat Systems ProxySG Appliance Visual Policy Manager Reference and Advanced Policy Tasks document.

- To launch the VPM editor, clients using Java 7 must enable TLS 1.1 and TLS 1.2. In the Java Control Panel, select Advanced. Select Use TLS 1.1 and Use TLS 1.2.

Management Center reference topic.

About Enforcement Points

To prepare for policy migration to the Web Security Service or to facilitate managing policy in a mixed environment with the cloud and on-premises appliances, specify an Enforcement Domain for each applicable policy rule.

When you enable Enforcement Domains on the VPM, it displays icons next to applicable layer titles. The VPM also displays an Enforcement column, which allows you to select the domain(s) to which the rule applies: Appliance, WSS (cloud service), or Universal (both appliance and WSS). When you install VPM policy that includes Enforcement Domains, the generated CPL guards appliance-specific rules and cloud-specific rules with the enforcement preprocessor variable.

The following layers support Enforcement Domains:

- DNS Access Layer

- SSL Intercept Layer

- SSL Access Layer

- Web Authentication Layer

- Web Access Layer

- Web Content Layer

- Web Request Layer

However, not all objects and actions within these layers are available for Universal Policy Enforcement.
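The effect of Enforcement Domains on coverage can be audited before installation. The following added example (not part of the guide or of Management Center) works out which rules each target evaluates and flags deny rules that remote WSS users would not be subject to. The rule inventory format (id, layer, action, enforcement) and the sample rules are constructed, and counting rules in unlisted layers as Appliance is an assumption based on the VPM default.

```python
# Layers the guide lists as supporting Enforcement Domains.
DOMAIN_AWARE_LAYERS = {
    "DNS Access Layer", "SSL Intercept Layer", "SSL Access Layer",
    "Web Authentication Layer", "Web Access Layer", "Web Content Layer",
    "Web Request Layer",
}

# Enforcement values each target evaluates, per the guide's overview:
# appliances apply Appliance + Universal, the cloud applies WSS + Universal.
TARGET_DOMAINS = {
    "ProxySG": {"Appliance", "Universal"},
    "WSS": {"WSS", "Universal"},
}

DEFAULT_DOMAIN = "Appliance"  # the guide's stated default enforcement domain


def audit(rules):
    """Return ({target: [rule ids]}, [(rule id, finding)]) for a rule inventory."""
    enforced = {target: [] for target in TARGET_DOMAINS}
    findings = []
    for rule in rules:
        domain = rule.get("enforcement", DEFAULT_DOMAIN)
        if domain not in ("Appliance", "WSS", "Universal"):
            findings.append((rule["id"], "unknown enforcement value %r" % domain))
            continue
        if domain != DEFAULT_DOMAIN and rule["layer"] not in DOMAIN_AWARE_LAYERS:
            # Assumption: a layer outside the supported list stays appliance-only.
            findings.append((rule["id"],
                             "layer %r does not support Enforcement Domains; "
                             "counted as Appliance" % rule["layer"]))
            domain = DEFAULT_DOMAIN
        for target, domains in TARGET_DOMAINS.items():
            if domain in domains:
                enforced[target].append(rule["id"])
        if rule.get("action") == "deny" and rule["id"] not in enforced["WSS"]:
            findings.append((rule["id"],
                             "deny rule is not enforced for WSS (remote) users"))
    return enforced, findings


# Constructed inventory for illustration; not a Management Center export format.
SAMPLE_RULES = [
    {"id": "r1", "layer": "Web Access Layer", "action": "deny", "enforcement": "Universal"},
    {"id": "r2", "layer": "Web Access Layer", "action": "deny", "enforcement": "Appliance"},
    {"id": "r3", "layer": "SSL Intercept Layer", "action": "intercept", "enforcement": "WSS"},
    {"id": "r4", "layer": "Forwarding Layer", "action": "forward", "enforcement": "Universal"},
    {"id": "r5", "layer": "Web Content Layer", "action": "deny"},  # default domain
]

if __name__ == "__main__":
    enforced, findings = audit(SAMPLE_RULES)
    for target, ids in enforced.items():
        print(target, "evaluates", ", ".join(ids))
    for rule_id, finding in findings:
        print("finding:", rule_id, "-", finding)
```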


Procedure

1. In the ProxySG, launch the VPM: Configuration > Policy > Visual Policy Manager; click Launch.

2. Enable Enforcement Domains.

You must enable enforcement domains before you can specify and change them in policy rules. By default, the enforcement domain is set to Appliance.

Select Configuration > Enable Enforcement Domains. All existing layers that support Enforcement Domains now have a blue icon. Within layers, the VPM adds an Enforcement column, which indicates if the object applies to the ProxySG Appliance only, the Web Security Service (WSS) only, or is Universal.

3. Review your current policy layers and evaluate which apply to which domain. To change a domain, select Edit > Change Enforcement. The VPM displays the Change Enforcement dialog.


a. For demonstration, this example selects all current layers.

b. Select Universal.

c. Click Apply.

The VPM calculates the policy. Most likely, you will see multiple Universal Policy validity errors.

- Warnings (yellow) do not prevent policy installation. For example, policy might be valid for the ProxySG appliance, but the Web Security Service will ignore it.

- Errors (red) prevent policy installation; the Install Policy button becomes inactive.

Click OK.

4. Select a layer that contains an error.


In this example, this SSL Interception Action object cannot function on both the appliance and in the cloud service. You can open and examine the object and evaluate whether it requires changes, or right-click Enforcement and select Appliance. This removes the rule from Universal use.

5. If required, add layers and rules that apply only to the Web Security Service traffic.

6. When all errors are reconciled and other custom policy is complete, click Install Policy.

Next Step

- "Create a New UPE Object" on page 19

- Or if you are in the refinement phase, proceed to "Validate Universal Policy" on page 30.


Clone an Existing Policy

This topic describes how to make a copy of an existing policy that becomes the Universal Policy blueprint. To be used for both ProxySG appliances and the Web Security Service, some customizing and validation is likely required.

1. From the left menu, select Policy.

2. From the Policy Objects list, right-click the policy to clone and click Edit.

3. Clone a policy.

a. In the policy editor, click Clone to Universal. The system displays the Clone and Convert dialog.

b. Accept the default Name or enter a new, descriptive one.

c. Click Clone.

The system displays the cloned policy object Universal VPM Policy. The object is named as defined in step 3.b, with -Universal appended. For example, if the source policy name is VPM Sunnyvale, the cloned policy name is VPM Sunnyvale -Universal.

Next Step

- "Refine Universal Policy" on page 28


Import Policy

After you create a new Universal Policy object, you must populate it with policy to be pushed to designated targets. This topic describes how to import a policy that you created on a reference ProxySG appliance.

1. Select Configuration > Policy.

2. Select the universal VPM policy object you created and click Edit.

Tip: Still need to create an object? See "Create a New UPE Object" on page 19.

3. Click Import Policy and select From Device. The system displays the Source Device dialog.

a. Select the device from which to import the policy configuration.

- Select an existing device from the list.

- If the device you require is not present, click Add.

b. Click Next.


4. Select the VPM policy to apply and click Import. The web console prompts you to confirm the overwrite of the existing policy in Management Center.

5. Click Import and Overwrite to accept the import.

6. (Optional) Click Compare to view the differences between an earlier version of a policy and the current version.

Tip: See this Management Center Guide reference topic.

7. Enter a comment for the commit operations and click Save.

Next Step

- "Refine Universal Policy" on page 28


Refine Universal Policy

Refine the Universal Policy Enforcement policy so that it achieves your web acceptable use goals. You might elect to also create new policy objects for the ProxySG appliance, the Web Security Service, or Universal. Use Management Center to access the reference ProxySG appliance Visual Policy Manager (VPM) to perform these edits.

Technical Requirements

- Before accessing a VPM editor, Symantec strongly recommends that you understand how the VPM Editor works in regards to underlying policy enforcement in ProxySG appliances. For comprehensive information on creating policy, refer to the Blue Coat Systems ProxySG Appliance Visual Policy Manager Reference and Advanced Policy Tasks document.

- To launch the VPM editor, clients using Java 7 must enable TLS 1.1 and TLS 1.2. In the Java Control Panel, select Advanced. Select Use TLS 1.1 and Use TLS 1.2.

Management Center reference topic.

Procedure

1. In Management Center—From the left menu, select Policy.

2. Right-click the required Universal Policy Enforcement object and select Edit.

3. Click Launch VPM Editor. The system displays the VPM Launcher dialog.

4. Select Open with Java(TM) and click OK.

The system launches the VPM.

5. Verify that this VPM has Enforcement Domains enabled (Configuration > Enable Enforcement Domains). Each layer that is valid for Universal Policy has a U symbol next to its label.

Perform policy updates, as required, for ProxySG appliances, the Web Security Service, and Universal.

Tip: If you require assistance with defining and correcting Universal Policy, see "Define Universal Policy in the VPM" on page 21.

6. When complete, click Save Policy.

The VPM prompts you to enter a comment for this revision; this is required.

7. Return to Management Center. For reference, click the Versions tab to see a record of all updates to this Universal Policy.

Next Step

- "Validate Universal Policy" on page 30


Install Policy to WSS Target

With registration and policy validation complete, add the Web Security Service target to the Management Center in preparation for policy push.

Tip: You cannot add Web Security Service and other devices as targets in the same operation because they have different deployment types. You must add Web Security Service devices in a separate operation.

1. If you are not already editing the policy, select Configuration > Policy. From the Policy Objects list, locate the Universal VPM Policy object and click Edit.

2. Click the Targets tab. To add targets to associate with the selected policy, click Add Targets.

3. Create the Web Security Service target.

a. Click Add Targets. The system displays the Add Targets dialog.

b. Scroll down to your Web Security Service account.

Tip: Still need to add your WSS portal account? See "Add WSS Account to Management Center" on page 11.

Select the account and click Next.

c. Given that you selected to edit your Web Security Service object, the system defaults to WSS as the Deployment Type; click Finish.

4. Remaining on the Targets tab, click Install To Device.

Management Center pushes the Universal Policy Enforcement configuration up to your Web Security Service account.

Next Step

- "Universal Policy: Enforcement Point" on page 33


Validate Universal Policy

Before enabling Universal Policy Enforcement, use Management Center to validate the policy to ensure it is compatible with traffic processed by your ProxySG appliances and the Web Security Service.

Validate the Universal Policy

After you create a new Universal Policy Enforcement object, perform a validation operation.

1. In Management Center—From the left menu, select Policy.

2. Right-click the required Universal Policy Enforcement object and select Edit.

3. Click Analyze Policy.

Management Center launches a new browser tab.

About the Validation Results

In the new tab, Management Center displays the validation results. Use the tabs on this page to analyze the results and determine if further refinement is required.


A—The default landing page—Overview tab—displays the immediate validation result. If the result is 100%, your UniversalPolicy Enforcement is ready for installation on ProxySG appliance and theWeb Security Service target.

B—Migration tab—Displays which policy layers apply to which target.

n Applies only to a ProxySGAppliance target.

n Universal applies to all targets.

n Some layers have to Potential to work in theWeb Security Service but might require somemodifications.

C—Policy tab—Similar to theMigration tab, but provides more granular details and rule contents.

D—Dependencies tab—Displays other policy constructs that the Universal Policy Enforcement references.

E—Recommendations tab—Based on the validation results, the Management Center attempts to provide suggestions to ensure universal use.

F—Not Applicable tab—For information, displays any policy that is not applicable in the Web Security Service. It is not harmful to leave the policy.

G—WSS tab—For information, displays details about the Web Security Service.

Consider refining policy to ensure it satisfies both on-premises requirements and employees that have traffic routed through the Web Security Service. Although the cloud service applies what is appropriate for its user class, refining and validating the policy ensures efficiency. If necessary, return to "Refine Universal Policy" on page 28 for information about using Management Center to access the VPM.

As you save your changes, the classifier notes that the data is stale, prompting you to refresh. Click Refresh to update the classifier to reflect your changes.

When your Universal Policy satisfies your web acceptable use goals and tests as valid, you are ready to install it to the Web Security Service (and other ProxySG appliances).

Known Policy Limitations

- Because Locations are a Web Security Service-specific configuration, it is not possible at this time to define policy that applies to a specific location (the From Where in the Policy Editor).

- You cannot set enforcement domains in CPL.

Next Step

- "Install Policy to WSS Target" on page 32


Install Policy to WSS Target

With registration and policy validation complete, add the Web Security Service target to the Management Center in preparation for policy push.

Tip: You cannot add Web Security Service and other devices as targets in the same operation because they have different deployment types. You must add Web Security Service devices in a separate operation.

1. If you are not already editing the policy, select Configuration > Policy. From the Policy Objects list, locate the Universal VPM Policy object and click Edit.

2. Click the Targets tab. To add targets to associate with the selected policy, click Add Targets.

3. Create the Web Security Service target.

a. Click Add Targets. The system displays the Add Targets dialog.

b. Scroll down to your Web Security Service account.

Tip: Still need to add your WSS portal account? See "Add WSS Account to Management Center" on page 11.

Select the account and click Next.

c. Given that you selected to edit your Web Security Service object, the system defaults to WSS as the Deployment Type; click Finish.

4. Remaining on the Targets tab, click Install To Device.

Management Center pushes the Universal Policy Enforcement configuration up to your Web Security Service account.

Next Step

- "Universal Policy: Enforcement Point" on page 33


Universal Policy: Enforcement Point

After using Management Center to define and install Universal Policy Enforcement to the Web Security Service, the portal provides a location to review policy status and perform a few tasks.

1. Log in to your Web Security Service portal account (https://threapulse.com/login.jsp).

2. Navigate to Service mode > Account Maintenance > Enforcement Point.

3. Status: The Active Policy area displays which Universal Policy version your portal account is currently enforcing.

Option—Download CPL

Click Download to retrieve a copy of the current policy in Symantec Content Policy Language format. This allows you to review specific policy tenets and actions.

Tip: You cannot use the Web Security Service portal to modify Universal Policy. You must use Symantec Management Center to edit and re-install the policy.

Option—Preview Exception Pages

As employees encounter various exceptions—from browse coaching to content denied by policy verdicts—their browsers display exception pages with information about the action taken. Because Universal Policy Enforcement is enabled, the exceptions are served as configured in the reference ProxySG appliance policy, not from the Web Security Service policy editor.

Option—De-register the Management Center

In the Management Center Integration area is the Device Serial Number. This identifier was input by you (or another Admin) who added the Web Security Service as a device to Management Center.

This area also includes a Deregister button. Currently, the use cases for this option are the following:

- Force a credential negotiation between the Management Center and the Web Security Service.

- You are switching out or replacing a Management Center appliance and need to re-register the new one.


WebGuide Update Log

Version 04—April 07, 2020

- Added issue topic for when Web Isolation is employed on the WSS.

- SGOS 6.6.x Support in Prerequisites.

Version 03—July 19, 2019

- Side-navigation style.

- SGOS 6.6.x Support in Prerequisites.

Version 02—November 20, 2017

- Following a change to the Web Security Service, updated the Management Center device connection procedure with the token integration steps.

"Add WSS Account to Management Center" on page 11

Version 01—June 15, 2017

- Initial version.


Virus Scanning is not Working

ICAP services will be accepted and transformed to use the WSS virus scanning service only if they adhere to the following:

- The ICAP service is configured with Service Type Virus Scanning.

- The ICAP service is configured with Service Type Other and is named ProxyAV.

Note: Fail open and closed virus scanning behavior will be maintained in WSS.

Note: A local virus scanner is not required to use the ICAP service. To take advantage of universal policy, configure WSS as the enforcement point for your anti-virus policy.


Connection Issue

If Management Center is not connecting to the Web Security Service, verify that it is not connecting through a proxy device.


Web Isolation Issue

To prevent a Web Isolation script error, add isolation-instances.wss.prod.fire.glass to the Authentication Policy exemption list.
