Adding Group Policies

With group access policies, all traffic is allowed by default. Additional allow and deny policies could be created by destination address or address range and by service type.

The most specific policy takes precedence over less specific policies. For example, a policy that applies to only one IP address has priority over a policy that applies to a range of IP addresses. If there are two policies that apply to a single IP address, then a policy for a specific service (for example RDP) takes precedence over a policy that applies to all services.

User policies take precedence over group policies and group policies take precedence over global policies, regardless of the policy definition. A user policy that allows access to all IP addresses takes precedence over a group policy that denies access to a single IP address.

To define group access policies

1. Navigate to Users > Local Groups.
2. Click the Configure icon next to the group you want to configure.
3. In the Edit Local Group page, select the Policies page.

4. On the Policies page, click Add Policy. The Add User Policy screen is displayed.

   

5. Define a name for the policy in the Policy Name field.

6. In the Apply Policy To drop-down menu, select whether the policy is applied to an individual host, a range of addresses, all addresses, a network object, a server path, or a URL object. You can also select an individual IPv6 host, a range of IPv6 addresses, or all IPv6 addresses. The Add Policy window changes depending on what type of object you select in the Apply Policy To drop-down menu.

   • IP Address – If your policy applies to a specific host, enter the IP address of the local host machine in the IP Address field. Optionally enter a port range (80-443) or a single port number into the Port Range/Port Number field.
   • IP Network – If your policy applies to a range of addresses, enter the beginning IP address in the IP Network Address field and the subnet mask that defines the IP address range in the Subnet Mask field. Optionally enter a port range (4100-4200) or a single port number into the Port Range/Port Number field.
   • Network Object – If your policy applies to a predefined network object, select the name of the object from the Network Object drop-down menu. A port or port range can be specified when defining a Network Object.
   • Server Path – If your policy applies to a server path, select one of the following radio buttons in the Resource field:
     • Share (Server path) – When you select this option, type the path into the Server Path field.
     • Network (Domain list)
     • Servers (Computer list)
   • URL Object – If your policy applies to a predefined URL object, type the URL into the URL field.
   • All IPv6 Address – If your policy applies to all IPv6 addresses, you do not need to enter any IP address information.
   • IPv6 Address – If your policy applies to a specific host, enter the IPv6 address of the local host machine in the IPv6 Address field. Optionally enter a port range (for example, 4100-4200) or a single port number into the Port Range/Port Number field.
   • IPv6 Network – If your policy applies to a range of addresses, enter the beginning IPv6 address in the IPv6 Network Address field and the prefix that defines the IPv6 address range in the IPv6 Prefix field. Optionally enter a port range (for example, 4100-4200) or a single port number into the Port Range/Port Number field.
7. Select the desired Protocol. The available value options in the Protocol field include TCP, UDP, ICMP, and ALL. You can select multiple items among TCP, UDP, and ICMP. However, when ALL is selected, all other options are deselected.
8. Select the service type in the Service menu. If you are applying a policy to a network object, the service type is defined in the network object.
9. Select Allow or Deny from the Status drop-down menu to either permit or deny SMA connections for the specified service and host machine.
10. Click Accept to update the configuration. After the configuration has been updated, the new group policy is displayed in the Edit Local Group window. The group policies are displayed in the Group Policies list in the order of priority, from the highest priority policy to the lowest priority policy.