Access Control tab
Use the Access Control tab to configure how your end users are identified by the cloud service. You can configure multiple authentication or identification options for your users if required.
The cloud service works “out of the box” for many organizations. A single policy applied to an organization’s web traffic provides protection from malware and inappropriate content. However, most customers want to tailor the service to align it with their Internet acceptable use policy, which may require granular configuration on a per-user and per-group basis, with different users or groups assigned to specific policies. Often, organizations want to report on the surfing habits of their employees. These use cases require the service to identify specific users in order to apply the correct policy, and to log user actions for reporting purposes.
There are a number of events that can lead to an end user being asked to authenticate:
- The user is connecting from an IP address configured as a proxied connection in one of your policies, and the policy has the Always authenticate users option enabled on the Access Control tab.
- The user is accessing a website within a category that has an action of Require user authentication. You configure this within the category itself.
- The user is attempting to access a website for which there is a group or user exception. At this point, the cloud service needs to find out who the user is in order to determine whether the exception applies.
- The end user connects from an unknown IP address, so is considered a remote user.
When a request is made from an unknown IP address, users are served a notification page asking them to authenticate. Because the cloud service does not know who the users are at this time, the notification page is a generic service-wide page. See Roaming home page for further information.