Policy Enforcement Overview

TMWS integrates with a variety of powerful Trend Micro security filtering engines and technologies, and provides customizable policies to scan web traffic coming in and out of your organization after users are successfully authenticated. This helps protect your network from advanced persistent threats and emerging unknown threats.

Under the Policies screen, you can:

  • In Global Settings, set options that apply to all users throughout your organization, including HTTPS inspection and Safe Search Engines.

  • In Approved/Blocked URLs, add URLs to the approved or blocked list so that the corresponding websites or domains override the settings in cloud access rules.

  • In OBJECTS, customize URL categories that are not among the Trend Micro predefined URL categories but that you want to scan in cloud access rules and HTTPS decryption rules; specify IP address groups to organize users by IP address so that you can authenticate them on the TMWS gateway, apply cloud access rules to them, and generate reports for them; define cloud service filters to control employee use of cloud services; and add cloud application access sets for cloud application access control and target domain groups for target domain access control.

  • In SECURITY TEMPLATES, define Threat Protection templates to configure policies for Web Reputation Services, file scanning, malware detection, Predictive Machine Learning, and Cloud Virtual Analyzer, and create Data Loss Prevention profiles to include Trend Micro predefined compliance templates. These security templates can be added in cloud access rules to accommodate various scenarios.

  • In Cloud Access Rules, create cloud access rules that incorporate security templates to scan and inspect certain traffic types or content types toward targeted domains for specific users, groups, or IP addresses on specific TMWS gateways.

  • In HTTPS Inspection, configure decryption rules and manage digital certificates to complete SSL handshake processes and decrypt HTTPS web traffic for security risk scanning.

The following describes a simplified policy enforcement process:

  1. The client web browser sends an HTTP connection request, which is forwarded to the TMWS gateway.

  2. TMWS authenticates the user based on the user type and the authentication method configured on the gateway.

  3. If the user authentication fails, the process ends. If the user authentication passes, TMWS checks whether the HTTP URL is in the approved or blocked URL list.

    1. If it is in the approved list, TMWS forwards the request to the web server and sends the secure content back to the user.

    2. If it is in the blocked list, the request is blocked and a notification page is displayed for the user.

  4. If the URL is not in either list, TMWS checks whether the HTTP request is allowed by using the cloud access rule that matches the user and gateway. When more than one rule is eligible, the rule with the higher priority is used.

  5. If the request violates a security setting in the rule, it is blocked and a notification page is displayed for the user. If the request is allowed, TMWS forwards the request to the web server.

  6. When incoming web traffic arrives at the TMWS gateway, TMWS uses the cloud access rule to inspect the real content again.

  7. If the content violates a security policy setting, it is blocked and a notification page is displayed for the user. If the content is secure, TMWS sends it back to the client web browser.

If the client web browser sends an HTTPS connection request:

  1. TMWS determines whether to allow or block the request by using the approved/blocked URL lists, as well as the application categories and URL categories in a matching cloud access rule.

  2. If the request is allowed, TMWS forwards the request to the web server and receives the real HTTPS content.

  3. If HTTPS inspection is enabled, TMWS uses a decryption rule to decrypt the HTTPS content.

  4. If the decryption fails for some reason, for example, because the server certificate does not pass the certificate validation test, the HTTPS request is blocked and a notification page is displayed for the user. If the decryption succeeds, TMWS applies the configured policies for subsequent inspection in the same way as for an HTTP request.
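
The evaluation order described in the two procedures above, modeled as an added example (not Trend Micro code and not part of the original page). Rule, pick_rule, evaluate and all field names are hypothetical; that a lower priority number wins, and that HTTPS content passes unscanned when inspection is off, are assumptions of this sketch.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:                        # hypothetical stand-in for a cloud access rule
    name: str
    priority: int                  # assumption: lower number = higher priority
    users: set
    gateways: set
    blocked_categories: set = field(default_factory=set)  # checked on the request
    blocked_verdicts: set = field(default_factory=set)    # checked on the response

def pick_rule(rules, user, gateway):
    """Highest-priority rule matching both user and gateway, or None."""
    eligible = [r for r in rules if user in r.users and gateway in r.gateways]
    return min(eligible, key=lambda r: r.priority, default=None)

def evaluate(req, rules, approved, blocked, https_inspection=True):
    """Return (verdict, stage) for one request, following the order above."""
    if not req["authenticated"]:
        return ("end", "authentication")
    if req["host"] in approved:                 # approved list overrides the rules
        return ("allow", "approved_list")
    if req["host"] in blocked:
        return ("block", "blocked_list")
    rule = pick_rule(rules, req["user"], req["gateway"])
    if rule is None:                            # the page does not cover this case
        return ("undefined", "no_matching_rule")
    if req["category"] in rule.blocked_categories:
        return ("block", "request:" + rule.name)
    if req["scheme"] == "https":
        if not https_inspection:                # assumption: content stays opaque
            return ("allow", "not_inspected")
        if not req["cert_valid"]:               # decryption fails, request is blocked
            return ("block", "decryption")
    if req["content_verdict"] in rule.blocked_verdicts:
        return ("block", "response:" + rule.name)
    return ("allow", "response_scanned")

# Constructed sample data, not taken from any real deployment.
RULES = [
    Rule("default", 10, {"alice", "bob"}, {"gw1"}, {"gambling"}, {"malware"}),
    Rule("finance", 1, {"alice"}, {"gw1"}, {"gambling", "file-sharing"}, {"malware", "dlp"}),
]
BASE = dict(authenticated=True, user="alice", gateway="gw1", scheme="http", host="files.example",
            category="file-sharing", content_verdict="clean", cert_valid=True)

if __name__ == "__main__":
    for change in ({}, {"user": "bob"}, {"scheme": "https", "category": "news", "cert_valid": False}):
        print(change, evaluate({**BASE, **change}, RULES, set(), {"bad.example"}))
```

The returned stage names the step that decided the outcome, which makes it easy to see that an approved-list entry is reached before any cloud access rule and that response scanning depends on successful decryption for HTTPS.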