2.1.11 Symantec ProxySG
We always recommend a system administrator defer to the vendor’s official documentation on credential creation. Please follow the vendor’s instructions for configuring the device for access with an ssh key, and then use the Indeni WebGUI to store the Private key in the relevant Credential Profile.
The Blue Coat proxy running SGOS uses the default User ID of admin to access the GUI and SSH CLI of the box. The password of admin is setup during the time of install.
All other Users and Groups are created in either the CLI for the local realm or through other authentication realms (ex. Radius, Window Domain, IWA, SAML, etc.). Indeni does not run any commands that modify the configuration of the device. However, read-write access is required in order to avoid the device from blocking some of the use of the commands by Indeni.
Local Authentication Realm
- Login to the web-based Management Console.
- Browse to the Configuration Tab > Authentication > Local
- Click New, located In the Local Realms tab.
- Enter a name for the Local Realm. For this example, “Local” will be used as the Realm Name.
- Click the Local Main tab. Make note of the Local User List name, as it will be necessary in the next section.
- Click Apply.
Creating Users and Groups
- Log in to the CLI and enter enable and Configuration Terminal Mode.
- At the (config) prompt, type: “security local-user-list edit local_user_database“
- Add a Group with the following command: “group create users”
Optional: Add another group with the following command: “group create administrators“
- Create User Accounts with the following command: “user create user1“
- Type the following to edit the User Account and define the Password and User Group details for the User Account: “user edit new_user“
- Create a password for the account by entering: password 1234 (Replace 1234 with an appropriate password)
Optional: Associate this user account with a Local User Group with the command: “group add administrators“. Repeat this process for all local user accounts you want to create.
Policy Controlled Admin Access
You can use the policy rules to control administrator access to the management console and to the CLI.
Using policy rules, you can require administrators to identify themselves by entering a username and password and specify whether read-only or read-write access is given. You can make this policy contingent on IP address, user name, group membership (if credentials were required), and many other conditions.
This solution assumes you have already configured users and groups for authentication using RADIUS, LDAP, Microsoft Active Directory, or other authentication servers, and created a realm on the ProxySG to connect to these servers.
Please see the below to create a policy for ProxySG administrator access:
- Launch the Visual Policy Manager.
- Create an Admin Authentication layer. Policy > Add Admin Authentication Layer.
- In the Admin Authentication layer, specify the Authentication Realm that will be used to authenticate administrative users of the ProxySG.
- Right-click in the Action column and choose Set. Select New > Authenticate.
- Select the authentication mode and realm. (See ProxySG Authentication Modes)
- Close the dialogs.
- Create an Admin Access layer. Policy > Add Admin Access Layer.
- In the Admin Access layer, define who is allowed to access the ProxySG:
a. Right-click in the Source column and choose Set.
b. Select New.
c. Select the entity (for example, Client IP Address/Subnet, User, Group) and configure the specifics.
d. Close the dialogs.
- Specify the type of Administrator Read/Write Access:
a. Right-click the Action column and select Allow Read-only
b. Access or Allow Read/Write Access.
c. By default, the policy applies to any service (HTTP/HTTPS in the Management Console and SSL in the CLI).Do the following if you want to control access to just the Management Console or the CLI:
a. Right-click in the Service column and choose Set.
b. Select New > Service Name.
c. Select the service you want the rule to apply to (HTTP-Console, HTTPS- Console, or SSH-Console).
d. Close the dialog
- Install the policy.