Creating Unique Access Policies for AD Groups
In this use case, we add Outlook Web Access (OWA) resources to the SMA appliance and need to configure the access policies for users in multiple Active Directory (AD) groups. We create a local group for each AD group and apply separate access policies to each local group.
While Active Directory allows users to be members in multiple groups, the SMA appliance only allows each user to belong to a single group. It is this group that determines the access policies assigned to the user.
When importing a user from AD, the user is placed into the local Secure Mobile Access group with which they have the most AD groups in common. For example: Bob belongs to the Users, Administrators, and Engineering AD groups. If one Secure Mobile Access group is associated with Users, and another is associated with both Administrators and Engineering, Bob is assigned to the Secure Mobile Access group with both Administrators and Engineering because it matches more of his own AD groups.
The goal of this use case is to show that Secure Mobile Access firmware supports group-based access policies by configuring the following:
- Allow Acme Group in Active Directory to access the 10.200.1.102 server using SSH
- Allow Mega Group in Active Directory to access Outlook Web Access (OWA) at 10.200.1.10
- Allow IT Group in Active Directory to access both SSH and OWA resources defined previously
- Deny access to these resources to all other groups
This example configuration is provided courtesy of Vincent Cai, June 2008.
Perform the tasks in order of the following sections:
Was This Article Helpful?
Help us to improve our support portal