Configuring A Cloud Access Rule

When you add or edit a cloud access rule from the Cloud Access Rules screen, a new screen opens, where you can specify the settings for the rule.

  1. Configure the basic rule information:

    Rule name: Specify a unique name for the cloud access rule.

    Description: (Optional) Meaningful description to easily identify the cloud access rule.

    Enable: Click On or Off to enable or disable the cloud access rule.

    If you no longer need a cloud access rule, delete it, instead of setting Enable to Off.

  2. In the Users / Groups section, select the users, user groups, or IP address groups that the cloud access rule applies to.

    Options include:

    • All: All users and groups created on or synchronized to the management console

    • Selected users/user groups: Specific users or user groups from those configured on the Hosted Users screen and synchronized from your organization's Active Directory servers

      Exclude the following users or user groups: (Optional) Those among the selected users or user groups to be excluded from the rule

      Note:

      User groups are displayed in bold.

    • Selected IP address groups: Specific IP address groups from those configured on the IP Address Groups screen.

      (Optional) Click Add IP Address Group to create a new IP address group on the current screen. For more information, see Configuring An IP Address Group.

      Important:

      If you want to apply cloud access rules based on IP addresses rather than user accounts of certain users, create IP address groups to include these IP addresses as necessary, and then add the groups to Bypass authentication under the User Authentication settings of the corresponding virtual gateway.

      Exclude the following IP address groups: (Optional) Those among the selected IP address groups to be excluded from the rule

  3. In the Target Domains section, select the domains that the cloud access rule applies to. TMWS will scan and control users' web traffic toward these domains.

    Options include:

    • All: Any domain that a user requests to access

    • Selected target domain groups: Specific domains from the target domain groups configured on the Target Domain Groups screen.

      (Optional) Click Add Target Domain Group to create a new target domain group on the current screen. For more information, see Configuring A Target Domain Group.

      Exclude the following target domain groups: (Optional) Those among the selected target domain groups to be excluded from the rule

  4. In the Gateways section, select the gateways that the cloud access rule applies to. You can select all gateways, specific ones from those configured on the Gateways screen, or roaming users as necessary.
  5. In the Traffic Types section, select the application categories, URL categories, and cloud applications that the cloud access rule applies to.

    Options include:

    • All: All application categories, URL categories, and cloud applications predefined by Trend Micro

    • Selected application categories and URL categories: Specific application categories or URL categories from the lists predefined by Trend Micro or customized by the administrator

      For details about the predefined application categories and URL categories, see Application Category Groups and URL Filtering Category Groups.

      (Optional) Click Add Customized URL Category to specify new URL categories that are not part of the Trend Micro predefined URL categories. For more information, see Configuring A Customized URL Category.

      If application categories and URL categories are selected at the same time, the cloud access rule applies when user traffic matches any of the selected categories.

    • Selected cloud applications: Cloud applications preconfigured in the cloud application access sets

      For details about the cloud application access sets, see Cloud Application Access Sets.

      (Optional) Click Add Cloud Application Access Set to group a new set of cloud applications to apply the cloud access rule to. For more information, see Configuring A Cloud Application Access Set.

  6. In the Cloud Services section, select the cloud service filters that the cloud access rule applies to.
    Note:

    This feature is not available for the Standard license.

    (Optional) Click Add Cloud Service Filter to specify a new cloud service filter to add here. For more information, see Configuring A Cloud Service Filter.

    TMWS takes the actions configured in the selected cloud service filters on the matched web traffic, that is, it modifies the headers of the HTTP request messages. It does so only when the web traffic is not blocked by the current cloud access rule or by the Threat Protection template and Data Loss Prevention profile configured in this cloud access rule.

    Note:

    Use special caution when configuring cloud service filters because changing HTTP headers may affect the proper display of users' HTTP requests.

  7. In the Content Types section, select or type the MIME content types, file names, or true file types that the cloud access rule applies to.

    You can identify the types of content or files to block for security, monitoring, or performance purposes. Blocked content and files are not received by the requesting client or scanned; requests to retrieve a blocked file type are not executed. You have the option of blocking file types such as Microsoft Office documents, images, executables, audio/video files, Java applets, archives, or other file types that you specify.

    Options include:

    • MIME Content Types: Scans specific MIME content-type files.

    • File Names: Scans the files whose file name contains one or several of the configured strings, regardless of the file name extension.

      Note:

      In File Names, wildcards are supported.

    • True File Types: Examines the file header rather than the file name to ascertain the actual file type. This prevents users from trying to bypass the scan engines by changing the file extension or by some other form of file manipulation.

    If MIME Content Types, File Names, and True File Types are configured at the same time, the cloud access rule applies when user traffic matches any of the configured types.

    Here are three examples to explain how Traffic Types and Content Types work in a cloud access rule:

    • Example 1: If you want to block all webmail related content, select Webmail in Traffic Types > Selected application categories and URL categories > Application Categories and All in Content Types.

    • Example 2: If you want to block images in GIF format on Bing, select Bing in Traffic Types > Selected application categories and URL categories > Application Categories > Web and GIF in Content Types > True File Types > Images.

    • Example 3: If you want to block documents in PDF format in the cloud applications configured in a cloud application access set, select the set in Traffic Types > Selected cloud applications and PDF in Content Types > True File Types > Documents.

  8. In the Schedule section, select the day and time to enforce the cloud access rule. You can enforce the rule all the time, or on certain days of the week and hours of the day.
  9. In the Action section, select an action on the content configured in the cloud access rule.

    Options include:

    • Allow: The content that matches the cloud access rule will be further processed through the selected security templates before users can actually access it.

    • Block:

      • Block with no more actions: Users cannot access the content that matches the cloud access rule.

      • Enable warning: Users see a warning page when attempting to access specific content that matches the cloud access rule. If users choose to continue, the content will be further processed through the selected security templates before users can actually access it.

      • Enable password override: The content that matches the cloud access rule will be further processed through the selected security templates if users correctly type the password configured here.

        1. Type a password in the Password text box. To ensure that you set the password correctly, select the Show password check box.

        2. Inform the users of the password. When specific content matches the cloud access rule, TMWS shows a blocking page, where users can type the password.

  10. In the Security Templates section, select the Threat Protection template and Data Loss Prevention profile to use in the cloud access rule as necessary. All configured Threat Protection templates and Data Loss Prevention profiles are displayed. For more information, see Threat Protection and Data Loss Prevention.
    Note:

    Whether users can access the content depends on the actions configured in the selected security templates.

    This section does not appear when Block with no more actions is selected in the Action section because, in this case, data traffic that matches the cloud access rule is blocked directly and no security template needs to be enforced.

  11. Click Save.
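The Content Types matching described in step 7, as an added illustration that is not TMWS code: it shows why a True File Types check still catches a renamed file, and that the rule applies when any one of the three criteria matches. The signature table, the shell-style wildcard syntax, and the rule layout are assumptions made for this sketch.

```python
import fnmatch

# Well-known magic bytes for a few formats; a real engine knows many more.
SIGNATURES = {
    "PDF": b"%PDF-",
    "GIF": (b"GIF87a", b"GIF89a"),
    "ZIP": b"PK\x03\x04",   # also the container for .docx/.xlsx
    "EXE": b"MZ",
}

def true_file_type(body):
    """Type implied by the file header, or None if unrecognised."""
    for name, magic in SIGNATURES.items():
        if body.startswith(magic):  # accepts bytes or a tuple of bytes
            return name
    return None

def matched_criteria(rule, filename, mime, body):
    """List the configured criteria that matched; the rule applies if any did."""
    hits = []
    if mime.split(";")[0].strip().lower() in rule["mime_types"]:
        hits.append("mime")
    # Assumption: shell-style wildcards, matched anywhere in the file name.
    name = filename.lower()
    if any(fnmatch.fnmatchcase(name, "*" + p.lower() + "*") for p in rule["file_names"]):
        hits.append("file_name")
    if true_file_type(body) in rule["true_file_types"]:
        hits.append("true_file_type")
    return hits

# Constructed rule and downloads (hypothetical values, for illustration only).
RULE = {"mime_types": {"application/pdf"},
        "file_names": ["report_20??"],
        "true_file_types": {"PDF"}}
SAMPLES = [
    ("notes.txt", "text/plain", b"%PDF-1.7\n..."),          # PDF renamed to .txt
    ("Report_2024.docx", "application/octet-stream", b"PK\x03\x04..."),
    ("a.pdf", "application/pdf; charset=binary", b"%PDF-1.4\n..."),
    ("photo.gif", "image/gif", b"GIF89a..."),
]

if __name__ == "__main__":
    for fname, mime, body in SAMPLES:
        hits = matched_criteria(RULE, fname, mime, body)
        print(f"{fname:18} {'applies' if hits else 'no match'} {hits}")
```

The first sample is the case the True File Types option exists for: the extension and the declared MIME type both say plain text, yet the header identifies a PDF and the rule applies.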