Rules
A Rule defines how USP Server authenticates partner connections, manages credentials during the proxying process, and optionally applies in-line content scanning using an ICAP server. More specifically, a Rule defines:
- The authentication method required for external incoming connections (e.g., password or public key).
- The authentication source used to verify the credentials provided by the external partner (e.g., LDAP or Account Repository).
- The credential source used to authenticate outbound connections to internal targets.
- An optional ICAP Scanner used to inspect file content before it is forwarded to the internal target.
Rules sit between Inbound Nodes and Outbound Nodes, defining how credentials are handled as connections traverse the proxy boundary.
Before You Begin
Authentication
Authentication within a Rule is defined by three settings:
| Setting | Description |
|---|---|
| Inbound Authentication Method | Used to inform the inbound client what authentication methods are expected, regardless of whether single or double authentication is performed. |
| Inbound Authentication Source | Determines whether USP authenticates inbound connections. When authentication is enabled, USP validates the credentials against the selected source: either an internal Account Repository or an external LDAP directory. |
| Outbound Credential Source | Specifies the credentials USP must use when authenticating to the internal target. These can either be the same credentials provided by the inbound client (passthrough) or a dedicated set of credentials. |
These three authentication settings work together to determine how USP authenticates the external partner on the inbound connection and how it then authenticates to the internal target on the outbound connection.
However, supported authentication methods and valid combinations vary depending on the protocol. Not all protocols support the same inbound methods, identity sources, or outbound credential scenarios.
For a complete reference of valid protocol-specific combinations, see Rules Possible Configuration Scenarios.
Inbound Authentication Methods
The Inbound Authentication Methods field defines how the USP Server authenticates partner connections before forwarding them to the internal target.
FTP(S) supports only a single authentication method:
- Basic: The partner authenticates using a username and password sent over the protocol's standard FTP(S) authentication commands.
Because only Basic authentication is available for FTP(S), the USP Admin UI does not display a field for selecting the Inbound Authentication Methods. However, partners must still provide valid credentials when connecting.
The available options for HTTP(S) are:
- Basic (Password): The partner authenticates using an HTTP Authorization: Basic header, which USP validates against the configured Inbound Authentication Source (Account Repository or LDAP).
- None: No protocol-layer authentication. The connection may still be protected by TLS.
Use None for testing or trusted internal networks, and Basic for user-level authentication where credential validation is required.
The available options for SFTP are:
- Password: Only password-based authentication is accepted.
- Public Key: Only SSH key-based authentication is accepted.
- Password or Public Key: Either password-based or SSH key-based authentication is accepted.
- Password and Public Key: Both password-based and SSH key-based authentication are required.
For the Inbound Authentication Methods, choose Password for simplicity, Public Key for enhanced security, Password or Public Key for flexibility, or Password and Public Key for maximum protection through multi-factor authentication. Your specific environment's security requirements and risk profile should guide your authentication method selection.
Inbound Authentication Source
This setting determines whether USP validates inbound partner credentials, and, if validation is enabled, where those credentials are checked.
Use the Authentication at the Proxy toggle to enable or disable inbound authentication:
- Disabled: USP does not authenticate inbound connections.
- Enabled: Inbound connections are authenticated at the proxy, so you must specify an authentication source, either:
  - Account Repository: Validates credentials against a local repository.
  - LDAP: Validates credentials via an LDAP server (supports password authentication only).
- To use Account Repository authentication, you must first create an Account Repository so it can be selected from the Account Repository dropdown.
- To use LDAP authentication, you must first create an LDAP Query and an LDAP Connection.
Outbound Authentication Source
This option defines how the USP Server obtains credentials for outbound connections to internal targets. While it supports reusing inbound credentials, it also allows the configuration of dedicated outbound credentials. Dedicated outbound credentials allow you to separate how clients authenticate to USP (inbound) from how USP authenticates to internal targets (outbound).
The available options are:
- Passthrough Credentials: Uses the same username and password supplied by the client during inbound authentication for the outbound connection to the internal target.
- Dedicated Credentials: Uses a predefined username and password specified in the Rule configuration. This method is typically used when the USP Server authenticates to internal systems using a shared or service-specific account.
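The following Python snippet is an added illustration, not USP's code and not part of this documentation. It models how the three settings above interact for an HTTP(S) Rule: the partner's Authorization: Basic header is parsed (Inbound Authentication Method), verified against a constructed Account Repository of salted password hashes when Authentication at the Proxy is enabled (Inbound Authentication Source), and the outbound credentials are then resolved as either Passthrough or Dedicated (Outbound Authentication Source). The Rule dataclass, the repository contents, usernames and passwords are assumptions made for the example; refusing Dedicated Credentials without Authentication at the Proxy is the example's own defensive choice, not a documented product constraint.

```python
"""How a Rule's three authentication settings combine for an HTTP(S) connection.
Illustrative code added for this page, not USP's implementation. Account data,
usernames and passwords below are constructed."""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Credentials = Tuple[str, str]

def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this digest is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

# Constructed Account Repository (Inbound Authentication Source): user -> (salt, digest).
_SALT = b"constructed-demo-salt"
ACCOUNT_REPOSITORY: Dict[str, Tuple[bytes, bytes]] = {
    "partner-a": (_SALT, _derive("correct horse battery", _SALT)),
}

@dataclass(frozen=True)
class Rule:
    inbound_method: str                   # Inbound Authentication Methods: "Basic" or "None"
    auth_at_proxy: bool                   # the Authentication at the Proxy toggle
    outbound_source: str                  # "Passthrough" or "Dedicated"
    outbound_username: Optional[str] = None
    outbound_password: Optional[str] = None

def basic_header(user: str, password: str) -> str:
    """Build the Authorization value a partner client sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token

def parse_basic_header(value: str) -> Optional[Credentials]:
    """Decode 'Basic <base64(user:password)>' (RFC 7617); None if malformed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")   # the password itself may contain ':'
    return (user, password) if sep and user else None

def verify_against_repository(user: str, password: str) -> bool:
    """Constant-time check against the repository, with equal cost for unknown users."""
    entry = ACCOUNT_REPOSITORY.get(user)
    if entry is None:
        _derive(password, _SALT)          # same work as for a real user: no timing oracle on usernames
        return False
    salt, expected = entry
    return hmac.compare_digest(_derive(password, salt), expected)

def resolve_outbound(rule: Rule, inbound: Optional[Credentials]) -> Credentials:
    """Outbound Authentication Source: pass the partner's credentials through or use a dedicated account."""
    if rule.outbound_source == "Passthrough":
        if inbound is None:
            raise ValueError("Passthrough requires inbound credentials (method 'None' has none)")
        return inbound
    if rule.outbound_source == "Dedicated":
        if not rule.auth_at_proxy:
            # Assumption of this example, not a documented USP constraint: without
            # proxy-side authentication any partner would reach the target as the
            # dedicated account, so refuse the combination.
            raise ValueError("Dedicated Credentials require Authentication at the Proxy")
        if not (rule.outbound_username and rule.outbound_password):
            raise ValueError("Dedicated Credentials need Outbound Username and Outbound Password")
        return (rule.outbound_username, rule.outbound_password)
    raise ValueError(f"unknown Outbound Authentication Source {rule.outbound_source!r}")

def _deny(reason: str) -> dict:
    return {"accepted": False, "reason": reason, "outbound": None}

def evaluate(rule: Rule, headers: Dict[str, str]) -> dict:
    """Decide whether to proxy the request and which credentials to present outbound."""
    inbound: Optional[Credentials] = None
    if rule.inbound_method == "Basic":
        value = headers.get("Authorization")
        if value is None:
            return _deny("missing Authorization header")
        inbound = parse_basic_header(value)
        if inbound is None:
            return _deny("malformed Basic credentials")
        if rule.auth_at_proxy and not verify_against_repository(*inbound):
            return _deny("rejected by Account Repository")
    elif rule.inbound_method != "None":
        return _deny(f"unsupported Inbound Authentication Method {rule.inbound_method!r}")
    try:
        outbound = resolve_outbound(rule, inbound)
    except ValueError as exc:
        return _deny(str(exc))
    return {"accepted": True, "reason": "ok", "outbound": outbound}
```

Calling evaluate(Rule("Basic", True, "Passthrough"), {"Authorization": basic_header("partner-a", "correct horse battery")}) returns an accepted result whose outbound credentials are the partner's own, while the same header against a Dedicated Rule returns the configured service account; an Inbound Authentication Method of None combined with Passthrough is refused because there is nothing to pass through, which is the kind of protocol-dependent invalid combination the scenarios reference above describes.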
ICAP Scanning
To enable in-line file inspection, a Rule can be configured to use an ICAP Scanner. When associated with a Rule, the ICAP Scanner is applied to all file transfers matched by that Rule, allowing content to be scanned before it reaches the USP Server instance.
An ICAP Scanner must be associated with a Rule for ICAP scanning to be operational. The same ICAP Scanner can be reused across multiple Rules to enforce consistent scanning policies throughout your deployment.
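As an added illustration (not USP's code and not part of the original page), the following Python builds the ICAP RESPMOD request an in-line proxy sends to hand a file to the scanner and maps the scanner's reply to a forwarding decision, following RFC 3507: a 204 reply means the content came back unmodified, a 200 reply means the scanner returned its own response (a block page or a cleaned file) which is all that may be forwarded, and anything else is treated as a scanner failure and fails closed. The ICAP service URI, the internal target host and the sample replies are constructed assumptions, and X-Infection-Found is a common vendor extension header rather than part of the RFC.

```python
"""Wrapping a file transfer in an ICAP RESPMOD request and interpreting the
scanner's reply (RFC 3507). Illustrative code added for this page, not USP's
implementation. The scanner URI, target host and sample replies are constructed."""
from typing import Dict

ICAP_SERVICE = "icap://icap-scanner.example.internal:1344/avscan"   # constructed placeholder
TARGET_HOST = "files.internal.example"                              # constructed placeholder

def chunk(body: bytes) -> bytes:
    """Encapsulated bodies are always chunked (RFC 3507 section 4.4.1)."""
    return f"{len(body):x}\r\n".encode("ascii") + body + b"\r\n0\r\n\r\n"

def dechunk(data: bytes) -> bytes:
    """Reassemble a chunked body; raise ValueError rather than guess on malformed input."""
    out, pos = bytearray(), 0
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated chunk-size line")
        size = int(data[pos:end].split(b";")[0], 16)   # drop chunk extensions
        pos = end + 2
        if size == 0:
            return bytes(out)
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        out += data[pos:pos + size]
        pos += size + 2

def build_respmod_request(path: str, body: bytes) -> bytes:
    """Present `body` to the scanner as the HTTP response for GET `path`, as an
    in-line proxy does before forwarding the file to the internal target."""
    req_hdr = f"GET {path} HTTP/1.1\r\nHost: {TARGET_HOST}\r\n\r\n".encode("ascii")
    res_hdr = f"HTTP/1.1 200 OK\r\nContent-Length: {len(body)}\r\n\r\n".encode("ascii")
    # Offsets count from the start of the encapsulated data, not of the ICAP message.
    encapsulated = (f"req-hdr=0, res-hdr={len(req_hdr)}, "
                    f"res-body={len(req_hdr) + len(res_hdr)}")
    authority = ICAP_SERVICE.split("//", 1)[1].split("/", 1)[0]
    icap_hdr = (f"RESPMOD {ICAP_SERVICE} ICAP/1.0\r\n"
                f"Host: {authority}\r\n"
                "Allow: 204\r\n"             # we accept '204 No Content' as 'unmodified'
                f"Encapsulated: {encapsulated}\r\n\r\n").encode("ascii")
    return icap_hdr + req_hdr + res_hdr + chunk(body)

def parse_icap_message(raw: bytes) -> dict:
    """Split an ICAP request or reply into start line, headers and Encapsulated sections."""
    head, sep, payload = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("ICAP header block not terminated")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    sections: Dict[str, bytes] = {}
    if "encapsulated" in headers:
        entries = []
        for item in headers["encapsulated"].split(","):
            name, _, offset = item.strip().partition("=")
            entries.append((name, int(offset)))
        for i, (name, start) in enumerate(entries):
            end = entries[i + 1][1] if i + 1 < len(entries) else len(payload)
            sections[name] = payload[start:end]
    return {"start_line": lines[0], "headers": headers, "sections": sections}

def verdict(reply: bytes) -> str:
    """Map the scanner's reply to the proxy's forwarding decision."""
    msg = parse_icap_message(reply)
    status = int(msg["start_line"].split(" ")[1])
    if status == 204:
        return "forward-original"           # scanner sent nothing back: content unchanged
    if status == 200:
        # The scanner returned its own response (a block page or a cleaned file);
        # that, and never the original bytes, is what may be forwarded.
        # X-Infection-Found is a common vendor extension header, not defined by RFC 3507.
        if "x-infection-found" in msg["headers"]:
            return "block"
        return "forward-scanner-response"
    return "fail-closed"                    # scanner error: do not forward unscanned content

# Constructed sample replies (not captured traffic).
SAMPLE_CLEAN = b"ICAP/1.0 204 No Content\r\nISTag: \"constructed-sig-1\"\r\nEncapsulated: null-body=0\r\n\r\n"
SAMPLE_BLOCK_PAGE = b"<html><body>File blocked by content scanner</body></html>"
_BLOCK_HDR = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_INFECTED = (
    b"ICAP/1.0 200 OK\r\n"
    b"X-Infection-Found: Type=0; Resolution=2; Threat=Constructed.Test;\r\n"
    + f"Encapsulated: res-hdr=0, res-body={len(_BLOCK_HDR)}\r\n\r\n".encode("ascii")
    + _BLOCK_HDR + chunk(SAMPLE_BLOCK_PAGE)
)
SAMPLE_ERROR = b"ICAP/1.0 500 Server Error\r\n\r\n"
```

The fail-closed branch is the design point worth keeping when wiring a scanner into a Rule: a scanner timeout or 5xx must not degrade to forwarding the original file, otherwise the scanning policy silently disappears exactly when the scanner is under stress.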
Rule Administration via USP Admin UI
Adding a Rule
To add a Rule, follow these steps:
- From the Sidebar, click Configuration > Rules.
- Click the protocol card you want.
- Click Add Rule.
- Complete the details for the new Rule using the Field Descriptions table as a guide.
- Click Save.
Field Descriptions
Some fields and options dynamically appear or hide based on your selections in related fields.
FTP(S)
| Name | Description | Specifications | Required |
|---|---|---|---|
| Name | The name of the Rule. | Must be unique. | Yes |
| Description | The description of the Rule. | | No |
| Inbound Authentication Methods | The authentication method that the Inbound Node uses. Options: Basic. | Default value: Basic | Yes |
| Authentication at the Proxy | Enables or disables inbound authentication. | | Yes |
| Inbound Authentication Source | The source from which inbound credentials are validated. Options: Account Repository, LDAP. | | Yes, if Authentication at the Proxy is enabled. |
| Account Repository | The account collection to use for inbound credentials authentication. | Must reference an already-created Account Repository. | Yes, if Inbound Authentication Source is Account Repository. |
| LDAP Query | The LDAP Query used for inbound credentials authentication. | Must reference an already-created LDAP Query. | Yes, if Inbound Authentication Source is LDAP. |
| LDAP Connection | The LDAP Connection used for inbound credentials authentication. | Must reference an already-created LDAP Connection. | Yes, if Inbound Authentication Source is LDAP. |
| Outbound Authentication Source | The source of credentials for outbound connections to internal targets. Options: Passthrough Credentials, Dedicated Credentials. | | Yes |
| Outbound Username | Username for the internal target. | | Yes, if Outbound Authentication Source is Dedicated Credentials. |
| Outbound Password | Password for the internal target. | | Yes, if Outbound Authentication Source is Dedicated Credentials; at least one of Outbound Password or Private Key for Outbound Connection must be provided. |
| ICAP Scanner | The ICAP Scanner used to inspect file content during in-line transfers. | Must reference an already-created ICAP Scanner. | No |
HTTP(S)
| Name | Description | Specifications | Required |
|---|---|---|---|
| Name | The name of the Rule. | Must be unique. | Yes |
| Description | The description of the Rule. | | No |
| Inbound Authentication Methods | The authentication method that the Inbound Node uses. Options: Basic (Password), None. | Default value: Basic | Yes |
| Authentication at the Proxy | Enables or disables inbound authentication. | | Yes |
| Inbound Authentication Source | The source from which inbound credentials are validated. Options: Account Repository, LDAP. | | Yes, if Authentication at the Proxy is enabled. |
| Account Repository | The account collection to use for inbound credentials authentication. | Must reference an already-created Account Repository. | Yes, if Inbound Authentication Source is Account Repository. |
| LDAP Query | The LDAP Query used for inbound credentials authentication. | Must reference an already-created LDAP Query. | Yes, if Inbound Authentication Source is LDAP. |
| LDAP Connection | The LDAP Connection used for inbound credentials authentication. | Must reference an already-created LDAP Connection. | Yes, if Inbound Authentication Source is LDAP. |
| Outbound Authentication Source | The source of credentials for outbound connections to internal targets. Options: Passthrough Credentials, Dedicated Credentials. | | Yes |
| Outbound Username | Username for the internal target. | | Yes, if Outbound Authentication Source is Dedicated Credentials. |
| Outbound Password | Password for the internal target. | | Yes, if Outbound Authentication Source is Dedicated Credentials; at least one of Outbound Password or Private Key for Outbound Connection must be provided. |
| ICAP Scanner | The ICAP Scanner used to inspect file content during in-line transfers. | Must reference an already-created ICAP Scanner. | No |
SFTP
| Name | Description | Specifications | Required |
|---|---|---|---|
| Name | The name of the Rule. | Must be unique. | Yes |
| Description | The description of the Rule. | | No |
| Inbound Authentication Methods | The authentication method that the Inbound Node uses. Options: Password, Public Key, Password or Public Key, Password and Public Key. | | Yes |
| Authentication at the Proxy | Enables or disables inbound authentication. | | Yes |
| Inbound Authentication Source | The source from which inbound credentials are validated. Options: Account Repository, LDAP. | | Yes, if Authentication at the Proxy is enabled. |
| Account Repository | The account collection to use for inbound credentials authentication. | Must reference an already-created Account Repository. | Yes, if Inbound Authentication Source is Account Repository. |
| LDAP Query | The LDAP Query used for inbound credentials authentication. | Must reference an already-created LDAP Query. | Yes, if Inbound Authentication Source is LDAP. |
| LDAP Connection | The LDAP Connection used for inbound credentials authentication. | Must reference an already-created LDAP Connection. | Yes, if Inbound Authentication Source is LDAP. |
| Outbound Authentication Source | The source of credentials for outbound connections to internal targets. Options: Passthrough Credentials, Dedicated Credentials. | | Yes |
| Outbound Username | Username for the internal target. | | Yes, if Outbound Authentication Source is Dedicated Credentials. |
| Outbound Password | Password for the internal target. | | Yes, if Outbound Authentication Source is Dedicated Credentials; at least one of Outbound Password or Private Key for Outbound Connection must be provided. |
| Private Key for Outbound Connection | The Private Key used to authenticate with the internal target. | Must reference an already-created Private Key. | Yes, if Outbound Authentication Source is Dedicated Credentials; at least one of Outbound Password or Private Key for Outbound Connection must be provided. |
| ICAP Scanner | The ICAP Scanner used to inspect file content during in-line transfers. | Must reference an already-created ICAP Scanner. | No |
Editing a Rule
To edit a Rule, follow these steps:
- From the Sidebar, click Configuration > Rules.
- Click the row of the Rule you want to edit.
- Click the Edit button above the Rule details.
- Edit the details of the Rule using the Field Descriptions table above as a guide.
- Click Save.
If you modify a Rule that is currently in use by a USP Server instance, the changes will not take effect until you manually apply the updated configuration by pushing it to the server. To apply the changes:
- Navigate to Monitoring > Status.
- Click the Name of the associated USP Server instance.
- Go to the Configuration tab.
- Review the pending changes in the Updated Configuration column.
- If the changes are correct, click Push Configuration.
Rule Metadata
Rule details include all parameters given in the Field Descriptions table above, plus the following read-only metadata:
| Name | Description |
|---|---|
| ID | Universally Unique Identifier of this Rule. |
| Created At | Date and time this Rule was created. |
| Updated At | Date and time this Rule was last updated. |
Deleting a Rule
To delete a Rule, follow these steps:
- From the Sidebar, click Configuration > Rules.
- Click the row of the Rule you want to delete.
- Click Delete.
- You will be asked to confirm the deletion. Click Delete.
USP Manager prevents deletion of a Rule if it is currently referenced by an Inbound Node.
Additionally, if the Rule is used by a USP Server instance, the updated configuration must be manually applied. To apply the changes:
- Navigate to Monitoring > Status.
- Click the Name of the associated USP Server instance.
- Go to the Configuration tab.
- Review the pending changes in the Candidate Configuration - Preview section.
- If the changes are correct, click Push Configuration.
The changes do not take effect on the server until this step is completed.