User Guide

EXAMPLE 2
CHAPTER 7: IDENTITIES
In this scenario, when a client sends a request for a URL, the Web Proxy evaluates the first
Identity group and determines that the Identity group applies to all subnets and has no
advanced options configured. It determines that the Identity group requires authentication
and that the only realm specified in the Identity group is RealmA. Therefore, in order for a
client on any subnet to pass authentication, it must exist in RealmA.
When a client that exists in RealmA sends a request for a URL, the client passes
authentication and the Web Proxy assigns the first Identity group to the transaction. When a
client that does not exist in RealmA sends a request for a URL, the client fails authentication
and the Web Proxy terminates the request.
Note that when a client in RealmB sends a request for a URL, the Web Proxy does not match
the client request with the second Identity group. This is because a previous Identity group
already applies to the same subnets (and the exact same advanced options, which in this
example is none) as the second Identity group, and that previous group requires
authentication, but from RealmA instead. Clients in RealmB do not “fall through” to the
second Identity group.
If you want users in RealmB to have different Access, Decryption, and Routing Policy settings
applied to them than users in RealmA, perform the following steps:
1. Create an authentication sequence that contains both RealmA and RealmB. You can
choose the order of the realms in the sequence depending on your business needs.
2. Create one Identity group and configure it for whichever subnets users in RealmA and
RealmB might exist on. In this example, you would configure the Identity group for all
subnets.
3. Configure the Identity group to use the sequence you defined in step 1.
4. Create two user-defined policy groups of the same type, such as Access Policies, and
configure them both to use the Identity group with the authentication sequence you
defined in step 3.
5. Configure the first policy group to apply only to users in one realm, such as RealmA. You
can do this by specifying a particular realm in the sequence, by using authentication
groups, or by entering specific usernames.
6. Configure the second policy group to apply only to users in the other realm, such as
RealmB. You can do this by specifying a particular realm in the sequence, by using
authentication groups, or by entering specific usernames.
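The following is an added example, not taken from this guide or from the product: a simplified Python model of the first-match Identity evaluation described above, showing why RealmB clients are terminated in Example 2 and how the sequence-based configuration from steps 1 through 6 separates them by policy group. All names (`Identity`, `evaluate`, `policy_for`, the sample users and IP address) are hypothetical, and the matching semantics are assumed from the text.

```python
# Simplified model of first-match Identity evaluation (assumed semantics,
# taken from the description above; not the product's implementation).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Identity:
    name: str
    subnets: list   # CIDR strings; "0.0.0.0/0" stands for all subnets
    realms: list    # a single realm, or an ordered authentication sequence

# Constructed sample directory: username -> realm the account exists in.
USERS = {"alice": "RealmA", "bob": "RealmB"}

def evaluate(identities, client_ip, user):
    """Return (identity name, realm), or None if the request is terminated."""
    for ident in identities:
        if not any(ip_address(client_ip) in ip_network(s) for s in ident.subnets):
            continue  # membership criteria do not match; try the next group
        # The first group whose criteria match decides the outcome: a failed
        # authentication terminates the request and does not fall through.
        for realm in ident.realms:
            if USERS.get(user) == realm:
                return ident.name, realm
        return None
    return None

def policy_for(policy_groups, identity_result):
    """Pick the first policy group whose Identity and realm filter match."""
    if identity_result is None:
        return None
    ident, realm = identity_result
    for name, uses_identity, only_realm in policy_groups:
        if uses_identity == ident and only_realm == realm:
            return name
    return None

ALL = ["0.0.0.0/0"]
# Example 2 as described: two groups, same subnets, one realm each.
EXAMPLE_2 = [Identity("Identity1", ALL, ["RealmA"]),
             Identity("Identity2", ALL, ["RealmB"])]
# Steps 1-3: one Identity group using a sequence that contains both realms.
FIXED = [Identity("IdentitySeq", ALL, ["RealmA", "RealmB"])]
# Steps 4-6: two policy groups on that Identity, each limited to one realm.
POLICIES = [("AccessPolicyA", "IdentitySeq", "RealmA"),
            ("AccessPolicyB", "IdentitySeq", "RealmB")]
```

Calling `evaluate(EXAMPLE_2, "10.1.1.5", "bob")` returns `None` because the first group already matched the subnet, while the same call against `FIXED` authenticates the user through the sequence.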
Table 7-4 Policies Table Example 2 (Continued)

Order                   Subnet(s)  Authentication Required?  Realm or Sequence  Advanced Options
Global Identity policy  All        Yes                       All Realms         N/A (none by default)