Administration Guide 101
Configuring Resources for a User Group
• Deny rules take precedence over allow rules. This enables you to allow access to a range of resources
and to also deny access to selected resources within that range. For example, you might want to allow
a group access to a resource group that includes 10.20.10.0/24, but need to deny that user group
access to 10.20.10.30. To handle this, you create two network resources: one that includes the
10.20.10.0/24 subnet (allowed) and one that includes only 10.20.10.30 (denied). Because deny takes
precedence, access to 10.20.10.30 is denied unless you specifically allow it.
To add a network resource to a group
1 On the Access Policy Manager tab, in the right pane, under Network Resources, click the resource
you want to add and then drag it to the user group in the left pane.
2 To allow or deny access, right-click the network resource and then click Allow or Deny.
To remove a network resource
1 Click the Access Policy Manager tab.
2 In the right pane, under Network Resources, right-click the resource group you want to remove.
3 Click Remove.
Application policies
Application policies constrain the network paths that applications can access. For example, a user
uses Microsoft Outlook 2003 for corporate email. You can configure the application to use a specific
network resource for the Microsoft Exchange Server. After the network resource is defined, each time
Outlook tries to start, the client checks for the network resource and the end point policy (if defined).
If the check passes, the user can log on and check email. If it fails, Outlook does not start.
If the application is open before connecting to the Firebox SSL VPN Gateway, the application remains
open; however, the policies take effect and the user cannot use the application.
If an application policy does not have a network resource or end point policy configured, and if the
checkbox Deny applications without policies is selected on the General tab of the group properties,
the application is denied access to the network.
To configure an application policy
1 Click the Access Policy Manager tab.
2 In the right pane, right-click Application Policies and then click New Application Policy.
3 In Application, type the name of the application or click Browse to navigate to the application.
The MD5 field is populated automatically with the MD5 checksum of the application binary.
4 To restrict the application to specific networks or require an end point policy, under Application
Constraints do one or both of the following:
• To add a network resource to the application policy, under Network Resources, click the
resource and drag it to Application Network Policies.
• To add an end point policy to the application policy, under End Point Policies, click the policy
and drag it to Application End Point Policies.
5 Click OK.
When a user disconnects from the Firebox SSL VPN Gateway, any applications that are open can be
closed automatically.
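The following is an added example, not part of this guide or of the Firebox SSL VPN Gateway software. It models the two rules described above: deny network resources take precedence over allow resources (the 10.20.10.0/24 versus 10.20.10.30 case), and an application policy keyed by the MD5 of the application binary is checked against its network resources and end point policy, with the Deny applications without policies option applied when no constraints exist. All names, the sample binary, and the rule set are constructed for illustration.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field

@dataclass
class NetworkResource:
    name: str
    networks: list          # CIDR strings, e.g. "10.20.10.0/24"
    action: str             # "allow" or "deny", as set in the Access Policy Manager

    def matches(self, dest_ip):
        addr = ipaddress.ip_address(dest_ip)
        return any(addr in ipaddress.ip_network(n) for n in self.networks)

def evaluate_network(resources, dest_ip):
    """Deny rules take precedence; anything not explicitly allowed is denied."""
    matched = [r for r in resources if r.matches(dest_ip)]
    if any(r.action == "deny" for r in matched):
        return "deny"
    return "allow" if any(r.action == "allow" for r in matched) else "deny"

@dataclass
class ApplicationPolicy:
    md5: str                                   # MD5 checksum of the application binary
    network_resources: list = field(default_factory=list)
    requires_endpoint_policy: bool = False

def evaluate_application(policies, binary, dest_ip, endpoint_ok, deny_without_policies):
    """Look the binary up by MD5, then apply its network and end point constraints."""
    digest = hashlib.md5(binary).hexdigest()
    policy = next((p for p in policies if p.md5 == digest), None)
    constrained = policy is not None and (policy.network_resources or policy.requires_endpoint_policy)
    if not constrained:
        # No policy, or a policy with no constraints: the General tab checkbox decides.
        return "deny" if deny_without_policies else "allow"
    if policy.requires_endpoint_policy and not endpoint_ok:
        return "deny"          # end point policy failed: the application does not start
    if policy.network_resources:
        return evaluate_network(policy.network_resources, dest_ip)
    return "allow"

# Constructed sample configuration mirroring the text: allow the /24, deny one host.
RULES = [
    NetworkResource("corp-subnet", ["10.20.10.0/24"], "allow"),
    NetworkResource("blocked-host", ["10.20.10.30/32"], "deny"),
]
OUTLOOK_BINARY = b"constructed stand-in for outlook.exe"   # not a real binary
POLICIES = [ApplicationPolicy(hashlib.md5(OUTLOOK_BINARY).hexdigest(), RULES, True)]
```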