Forward Specific User and Group Names to the Service

By default, the Auth Connector returns all group names and usernames contained in your LDAP deployment to the Symantec Web Security Service for use in custom policy creation. This might not be practical for an enterprise network that contains multiple user groups and large volumes of users, because sending that much information might cause Auth Connector resource constraints. Symantec recommends performing this task before installing the Auth Connector.

For large LDAP deployments, Symantec recommends selecting all users but deciding which groups require policy and forwarding only those groups to the Web Security Service. For example, your deployment has domains named HQ-QA, HQ-SALES, and HQ-OPERATIONS, and only users in the HQ-SALES domain require policy checks.

The bcca.ini file, which is part of the Auth Connector application, contains [Groups] and [Users] sections. You can add entries to one section, the other, or both:

  • If the [Groups] and [Users] sections are empty, the WSS receives traffic from all domains and users.
  • If the [Groups] section contains a domain entry (for example, HQ-SALES\), then all groups within that domain send traffic to the cloud service.
  • To further narrow the scope within a domain, add group names. For example: HQ-SALES\RegionA.
  • The [Users] section functions in the same manner. Add specific users to further limit whose traffic is sent to the cloud service. For example: HQ-SALES\thomas.hardy.

Note: To prevent a full transmission of all user and group names, do not open the firewall for outbound 443/tcp from the Auth Connector before you complete this task.

Procedure

Adding domains, users, and groups is a manual process.

  1. Access the server that has the Auth Connector application.
  2. Using a text editor, open the bcca.ini file. If you installed the Auth Connector in the default directory, find it in: C:\Program Files\Blue Coat Systems\BCCA\.
  3. Locate the [Groups] and [Users] sections and add entries. Entries are case-sensitive: use exactly the letter case that appears in Active Directory. Add one entry per line. For example:

    [Groups]
    HQ-SALES\NAWest
    HQ-SALES\NANorthWest

    [Users]
    HQ-SALES\Administrator

  4. Save the file.
  5. Allow the service to process some traffic, then check the reports to verify that you are receiving traffic from the specified groups and users.
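As an added pre-flight check (example code written for this page, not part of the Auth Connector or this document), the following Python script reads the [Groups] and [Users] sections of a constructed bcca.ini, verifies that every entry carries the DOMAIN\ prefix, and compares each entry case-exactly against a constructed Active Directory export, so that a wrong-case entry is caught before you open outbound 443/tcp rather than discovered later in the reports. The SAMPLE_INI, AD_GROUPS and AD_USERS values are assumptions made up for the example.

```python
# Constructed sample bcca.ini content (made up for this example, not a real deployment).
SAMPLE_INI = r"""
[Groups]
HQ-SALES\NAWest
HQ-SALES\nanorthwest
HQ-QA\
Engineering
[Users]
HQ-SALES\Administrator
hq-sales\thomas.hardy
"""
# Constructed Active Directory export: domain -> names with their exact case (assumption).
AD_GROUPS = {"HQ-SALES": {"NAWest", "NANorthWest", "RegionA"}, "HQ-QA": {"Testers"}}
AD_USERS = {"HQ-SALES": {"Administrator", "thomas.hardy"}}

def parse_sections(text):
    """Minimal INI reader: {section: [entry, ...]}, preserving case and order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue                        # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]            # new [Section] header
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)  # one DOMAIN\name entry per line
    return sections

def _case_hint(name, candidates):  # candidate equal to name ignoring case, else None
    return next((c for c in candidates if c.lower() == name.lower()), None)

def check_entry(entry, directory):
    """Classify one entry as ok / case-mismatch / unknown-* / invalid, with a hint."""
    if "\\" not in entry:
        return "invalid", "missing DOMAIN\\ prefix"
    domain, _, name = entry.partition("\\")
    if domain not in directory:
        hint = _case_hint(domain, directory)
        return ("case-mismatch", f"{hint}\\{name}") if hint else ("unknown-domain", domain)
    if name == "" or name in directory[domain]:
        return "ok", "entire domain" if name == "" else entry  # DOMAIN\ alone = whole domain
    hint = _case_hint(name, directory[domain])
    return ("case-mismatch", f"{domain}\\{hint}") if hint else ("unknown-name", entry)

def audit(ini_text, ad_groups=AD_GROUPS, ad_users=AD_USERS):
    """Return {section: [(entry, status, hint), ...]} for the [Groups] and [Users] sections."""
    parsed = parse_sections(ini_text)
    return {section: [(e, *check_entry(e, directory)) for e in parsed.get(section, [])]
            for section, directory in (("Groups", ad_groups), ("Users", ad_users))}
```

Any entry reported as case-mismatch or invalid will not match the directory object you intended, so correct it in bcca.ini before allowing the Auth Connector outbound.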