User Guide
128
IRONPORT ASYNCOS 6.3 FOR WEB USER GUIDE
If they do not match, the Web Proxy compares the client request to the next Identity group. It
continues this process until it matches the client request to a user defined Identity group, or if
it does not match a user defined Identity group, it matches the global Identity policy. When
the Web Proxy matches the client request to an Identity group or the global Identity policy, it
assigns the Identity group to the transaction.
If at any time during the comparison process the user fails authentication, the Web Proxy
terminates the request. For more information about how authentication works with Identity
groups, see “How Authentication Affects Identity Groups” on page 128.
After the Web Proxy assigns an Identity to a client request, it evaluates the request against the
other policy group types. For more information, see the following locations:
• “Evaluating Access Policy Group Membership” on page 152
• “Evaluating Decryption Policy Group Membership” on page 201
• “Evaluating Routing Policy Group Membership” on page 173
• “Evaluating Data Security and External DLP Policy Group Membership” on page 219
How Authentication Affects Identity Groups
Requiring authentication for users can help your organization control access to the web for
groups of users. AsyncOS allows you to create multiple Identity groups and define the
membership criteria based on authentication requirements.
When authentication is required for an Identity group, a gold key icon appears next to the
Identity group name in the Policies table, as shown in Figure 7-1.
Figure 7-1 Identity Groups that Require Authentication
To define authentication requirements for an Identity group, you can choose an
authentication realm or sequence that applies to the Identity group.
Note — You can specify the authorized users when you use the Identity in a non-Identity
policy group.