In this use case, we add Outlook Web Access (OWA) resources to the SMA appliance and need to configure the access policies for users in multiple Active Directory (AD) groups. We create a local group for each AD group and apply separate access policies to each local group.
While Active Directory allows users to be members of multiple groups, the SMA appliance allows each user to belong to only a single group. It is this group that determines the access policies assigned to the user.
When importing a user from AD, the user is placed into the local Secure Mobile Access group with which they have the most AD groups in common. For example: Bob belongs to the Users, Administrators, and Engineering AD groups. If one Secure Mobile Access group is associated with Users, and another is associated with both Administrators and Engineering, Bob is assigned to the Secure Mobile Access group with both Administrators and Engineering because it matches more of his own AD groups.
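The placement rule described above can be modelled to preview which local group, and therefore which access policy, each AD user would receive before import. This is an added example, not SonicWall code or the appliance's implementation; the local group names `sma-users` and `sma-admin-eng` and the users other than Bob are constructed. The page does not say how a tie is resolved, so ties are reported for manual review rather than guessed.

```python
# Added illustration of the "most AD groups in common" placement rule.
# Assumption: local_groups maps each local SMA group to its associated AD groups.

def preview_placement(user_ad_groups, local_groups):
    """Return (assigned_group, overlap, tied_groups) for one user.

    assigned_group is None when no local group matches, or when several
    local groups share the highest overlap (tie handling is not documented
    on the page, so a tie is surfaced instead of resolved).
    """
    member_of = set(user_ad_groups)
    overlaps = {
        name: len(member_of & set(ad_groups))
        for name, ad_groups in local_groups.items()
    }
    best = max(overlaps.values(), default=0)
    if best == 0:
        return None, 0, []
    winners = sorted(n for n, count in overlaps.items() if count == best)
    if len(winners) > 1:
        return None, best, winners
    return winners[0], best, []


def audit(users, local_groups):
    """Map each user to a placement, or to the reason it needs review."""
    report = {}
    for user, ad_groups in users.items():
        group, _, tied = preview_placement(ad_groups, local_groups)
        if group:
            report[user] = group
        elif tied:
            report[user] = "AMBIGUOUS: " + ", ".join(tied)
        else:
            report[user] = "NO MATCH"
    return report


# Constructed sample data; Bob's memberships follow the example in the text.
LOCAL_GROUPS = {
    "sma-users": {"Users"},
    "sma-admin-eng": {"Administrators", "Engineering"},
}
USERS = {
    "bob": {"Users", "Administrators", "Engineering"},
    "alice": {"Users", "Engineering"},   # one match in each local group
    "carol": {"Sales"},                  # no associated AD group
}

if __name__ == "__main__":
    for user, result in audit(USERS, LOCAL_GROUPS).items():
        print(f"{user}: {result}")
```

Users reported as ambiguous or unmatched are the ones whose effective access policy should be verified on the appliance after import.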
The goal of this use case is to show that Secure Mobile Access firmware supports group-based access policies by configuring the following:
This example configuration is provided courtesy of Vincent Cai, June 2008.
Network Topology
Perform the tasks in the following sections, in order: