Rules
A Rule defines how a USP Server instance authenticates external incoming connections, manages credentials during the proxying process, and optionally applies in-line content scanning using an ICAP server. More specifically, a Rule defines:
- The authentication method required for external incoming connections (e.g., password or public key).
- The authentication source used to verify the credentials provided by the external user (e.g., LDAP or Account Repository).
- The credential source used to authenticate outbound connections to internal targets.
- An optional ICAP server used to inspect file content before it is forwarded.
Rules are a prerequisite for setting up Inbound Nodes, as they define the policies that nodes enforce for authentication and credential handling.
Before You Begin
For a complete list of configuration scenarios, refer to Rules Possible Configuration Scenarios.
Inbound Authentication Methods
The Inbound Authentication Method specifies how the USP Server authenticates external incoming connections. The available options are:
- Password: Only password-based authentication is accepted.
- Public Key: Only SSH key-based authentication is accepted.
- Password or Public Key: Either password-based or SSH key-based authentication is accepted.
- Password and Public Key: Both password-based and SSH key-based authentication are required.
- If the Inbound Authentication Method is Password or Password and Public Key, you may set the Outbound Authentication Source to Passthrough Credentials. In these cases, only the username and password are forwarded to the outbound connection.
- For all other Inbound Authentication Methods (Public Key and Password or Public Key), the Outbound Authentication Source must be Dedicated Credentials, as these methods do not—or may not—include a password to forward.
For the Inbound Authentication Method, choose Password for simplicity, Public Key for enhanced security, Password or Public Key for flexibility, or Password and Public Key for maximum protection through multi-factor authentication. Your specific environment's security requirements and risk profile should guide your authentication method selection.
Inbound Authentication Source
This option defines how the USP Server authenticates external incoming connections, including the option to disable inbound validation entirely.
Use the Authentication at the Proxy toggle to enable or disable inbound authentication:
- Disabled: No validation is performed (equivalent to None).
- Enabled: Inbound connections are authenticated at the proxy before Passthrough Credentials or Dedicated Credentials authentication is performed on the target Outbound Node (a "double-authentication" scenario). If enabled, you must specify an authentication source, either:
- Account Repository: Validates credentials against a local repository.
- LDAP: Validates credentials via an LDAP server (only supports password authentication).
- To use Account Repository authentication, you must first create an Account Repository so it can be selected from the Account Repository dropdown.
- To use LDAP authentication, you must first create an LDAP Query and an LDAP Connection. Also, Inbound Authentication Method must be Password.
Outbound Authentication Source
This option defines how the USP Server obtains credentials for outbound connections to internal targets. While it supports reusing inbound credentials, it also allows the configuration of dedicated outbound credentials. Dedicated outbound credentials allow you to separate how clients authenticate to USP (inbound) from how USP authenticates to internal targets (outbound).
The available options are:
- Passthrough Credentials: Uses the same username and password supplied by the client during inbound authentication for the outbound connection to the internal target.
- Dedicated Credentials: Uses a predefined username and password specified in the Rule configuration. This method is typically used when the USP Server authenticates to internal systems using a shared or service-specific account.
- Dedicated Credentials is only supported when Authentication at the Proxy toggle is enabled.
- Passthrough Credentials is only supported when Inbound Authentication Method is set to Password or Password and Public Key. In both cases, only the username and password are forwarded.
- If Outbound Authentication Source is Dedicated Credentials, a non-empty Outbound Username is required. Additionally, at least one of the following must be provided: Outbound Password or Private Key for Outbound Connection.
If you plan to use a Private Key, ensure it is created beforehand and available for selection. If both a password and a private key are provided, both are used during authentication. All credentials configured in this section are applied when the USP Server authenticates to the Outbound Node.
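The constraints above (which Inbound Authentication Method, Authentication at the Proxy setting, Inbound Authentication Source and Outbound Authentication Source may be combined, and which referenced objects each combination needs) are easy to get wrong when planning several Rules at once. The following check is an added illustration written for this page, not USP Manager code: it encodes those constraints as one function so a planned Rule can be validated before it is entered in the Admin UI. The Rule dataclass, validate_rule() and the sample Rules are hypothetical; the field names follow the Field Descriptions table.

```python
"""Consistency check for a USP Rule's credential-handling fields.

Added illustration, not USP Manager code. It encodes the constraints stated on
this page (Inbound Authentication Method, Authentication at the Proxy, Inbound
and Outbound Authentication Source) so a planned Rule can be checked before it
is entered in the Admin UI. Rule, validate_rule() and the sample Rules are
hypothetical; field names follow the Field Descriptions table.
"""
from dataclasses import dataclass
from typing import List, Optional

# Inbound Authentication Methods
PASSWORD = "Password"
PUBLIC_KEY = "Public Key"
PASSWORD_OR_KEY = "Password or Public Key"
PASSWORD_AND_KEY = "Password and Public Key"
INBOUND_METHODS = {PASSWORD, PUBLIC_KEY, PASSWORD_OR_KEY, PASSWORD_AND_KEY}
# Only these methods guarantee that a password is available to forward.
METHODS_WITH_PASSWORD = {PASSWORD, PASSWORD_AND_KEY}

# Inbound Authentication Sources (used only when Authentication at the Proxy is enabled)
ACCOUNT_REPOSITORY = "Account Repository"
LDAP = "LDAP"

# Outbound Authentication Sources
PASSTHROUGH = "Passthrough Credentials"
DEDICATED = "Dedicated Credentials"


@dataclass
class Rule:
    name: str
    inbound_method: str
    auth_at_proxy: bool
    outbound_source: str
    inbound_source: Optional[str] = None        # Account Repository or LDAP
    account_repository: Optional[str] = None    # name of an existing Account Repository
    ldap_query: Optional[str] = None            # name of an existing LDAP Query
    ldap_connection: Optional[str] = None       # name of an existing LDAP Connection
    outbound_username: Optional[str] = None
    outbound_password: Optional[str] = None
    outbound_private_key: Optional[str] = None  # name of an existing Private Key


def validate_rule(rule: Rule, existing_names: Optional[set] = None) -> List[str]:
    """Return every constraint the Rule violates; an empty list means it is consistent."""
    errors: List[str] = []

    if existing_names and rule.name in existing_names:
        errors.append(f"Rule name {rule.name!r} is already in use; names must be unique")
    if rule.inbound_method not in INBOUND_METHODS:
        errors.append(f"unknown Inbound Authentication Method {rule.inbound_method!r}")
    if rule.outbound_source not in (PASSTHROUGH, DEDICATED):
        errors.append(f"unknown Outbound Authentication Source {rule.outbound_source!r}")

    # Authentication at the Proxy enabled: an inbound source and the objects it references are required.
    if rule.auth_at_proxy:
        if rule.inbound_source == ACCOUNT_REPOSITORY:
            if not rule.account_repository:
                errors.append("Account Repository source needs an already-created Account Repository")
        elif rule.inbound_source == LDAP:
            if not (rule.ldap_query and rule.ldap_connection):
                errors.append("LDAP source needs both an LDAP Query and an LDAP Connection")
            if rule.inbound_method != PASSWORD:
                errors.append("LDAP only supports password authentication; "
                              "Inbound Authentication Method must be Password")
        else:
            errors.append("Inbound Authentication Source must be Account Repository or LDAP "
                          "when Authentication at the Proxy is enabled")

    # Passthrough forwards the inbound username and password, so a password must always be present.
    if rule.outbound_source == PASSTHROUGH and rule.inbound_method not in METHODS_WITH_PASSWORD:
        errors.append("Passthrough Credentials requires Inbound Authentication Method "
                      "Password or Password and Public Key")

    # Dedicated Credentials: proxy-side authentication plus a username and a password and/or key.
    if rule.outbound_source == DEDICATED:
        if not rule.auth_at_proxy:
            errors.append("Dedicated Credentials requires Authentication at the Proxy to be enabled")
        if not rule.outbound_username:
            errors.append("Dedicated Credentials requires a non-empty Outbound Username")
        if not (rule.outbound_password or rule.outbound_private_key):
            errors.append("Dedicated Credentials requires an Outbound Password "
                          "or a Private Key for Outbound Connection")
    return errors


# Constructed sample Rules (hypothetical names, not taken from any deployment).
# Key-only inbound, proxy-side check against a repository, service account outbound: consistent.
KEY_ONLY_DEDICATED = Rule(
    name="partners-key-only", inbound_method=PUBLIC_KEY, auth_at_proxy=True,
    inbound_source=ACCOUNT_REPOSITORY, account_repository="partner-accounts",
    outbound_source=DEDICATED, outbound_username="svc-sftp",
    outbound_private_key="svc-sftp-ed25519",
)
# No validation at the proxy, inbound password replayed to the target: consistent (single authentication).
PASSWORD_PASSTHROUGH = Rule(
    name="staff-passthrough", inbound_method=PASSWORD, auth_at_proxy=False,
    outbound_source=PASSTHROUGH,
)
# Two violations: LDAP cannot verify a key, and "Password or Public Key" may leave no password to forward.
BROKEN = Rule(
    name="broken", inbound_method=PASSWORD_OR_KEY, auth_at_proxy=True,
    inbound_source=LDAP, ldap_query="sftp-users", ldap_connection="corp-directory",
    outbound_source=PASSTHROUGH,
)

if __name__ == "__main__":
    for r in (KEY_ONLY_DEDICATED, PASSWORD_PASSTHROUGH, BROKEN):
        print(r.name, validate_rule(r) or "OK")
```

One consequence the check makes visible: an inbound method without a guaranteed password (Public Key or Password or Public Key) forces Dedicated Credentials, which in turn requires Authentication at the Proxy, so key-based inbound access always implies a proxy-side identity check before the Outbound Node is contacted.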
ICAP Scanning
To enable in-line file inspection, a Rule can be configured to use an ICAP Scanner. When associated with a Rule, the ICAP Scanner is applied to all file transfers matched by that Rule, so content is scanned before the USP Server instance forwards it.
An ICAP Scanner must be associated with a Rule for ICAP scanning to be operational. The same ICAP Scanner can be reused across multiple Rules to enforce consistent scanning policies throughout your deployment.
Rule Administration via USP Admin UI
Adding a Rule
To add a Rule, follow these steps:
- From the Sidebar, click Configuration > Rules.
- Click Add Rule.
- Complete the details for the new Rule, using the Field Descriptions table as a guide.
- Click Save.
Field Descriptions
The fields and options dynamically appear or hide based on your selections in related fields.
| Name | Description | Specifications | Required |
|---|---|---|---|
| Name | The name of the Rule. | Must be unique. | Yes |
| Description | The description of the Rule. | | No |
| Inbound Authentication Methods | The authentication method that the Inbound Node uses. Options: Password, Public Key, Password or Public Key, Password and Public Key. | Must be Password if Inbound Authentication Source is LDAP. | Yes |
| Authentication at the Proxy | Enables or disables inbound authentication. | | Yes |
| Inbound Authentication Source | The source from which inbound credentials are validated. Options: Account Repository, LDAP. | | Yes, if Authentication at the Proxy is enabled. |
| Account Repository | The account collection to use for inbound credentials authentication. | Must reference an already-created Account Repository. | Yes, if Inbound Authentication Source is Account Repository. |
| LDAP Query | The LDAP Query used for inbound credentials authentication. | Must reference an already-created LDAP Query. | Yes, if Inbound Authentication Source is LDAP. |
| LDAP Connection | The LDAP Connection used for inbound credentials authentication. | Must reference an already-created LDAP Connection. | Yes, if Inbound Authentication Source is LDAP. |
| Outbound Authentication Source | The source of credentials for outbound connections to internal targets. Options: Passthrough Credentials, Dedicated Credentials. | Passthrough Credentials requires Inbound Authentication Method Password or Password and Public Key. Dedicated Credentials requires Authentication at the Proxy to be enabled. | Yes |
| Outbound Username | Username for the internal target. | Must be non-empty. | Yes, if Outbound Authentication Source is Dedicated Credentials. |
| Outbound Password | Password for the internal target. | | Yes, if Outbound Authentication Source is Dedicated Credentials and no Private Key for Outbound Connection is provided. |
| Private Key for Outbound Connection | The Private Key used to authenticate with the internal target. | Must reference an already-created Private Key. | Yes, if Outbound Authentication Source is Dedicated Credentials and no Outbound Password is provided. |
| ICAP Scanner | The ICAP Scanner used to inspect file content during in-line transfers. | Must reference an already-created ICAP Scanner. | No |
Editing a Rule
To edit a Rule, follow these steps:
- From the Sidebar, click Configuration > Rules.
- Click the Name of the Rule you want to edit.
- Click the Edit button above the Rule details.
- Edit the details of the Rule, using the Field Descriptions table above as a guide.
- Click Save.
If you modify a Rule that is currently in use by a USP Server instance, the changes will not take effect until you manually apply the updated configuration by pushing it to the server. To apply the changes:
- Navigate to Monitoring > Status.
- Click the Name of the associated USP Server instance.
- Go to the Configuration tab.
- Review the pending changes in the Updated Configuration column.
- If the changes are correct, click Push Configuration.
Rule details include all parameters given in the Field Descriptions table above, plus the following read-only metadata:
Rule Metadata
| Name | Description |
|---|---|
| ID | Universally Unique Identifier of this Rule. |
| Created At | Date and time this Rule was created. |
| Updated At | Date and time this Rule was last updated. |
Deleting a Rule
To delete a Rule, follow these steps:
- From the Sidebar, click Configuration > Rules.
- Click the Name of the Rule you want to delete.
- Click the Delete button above the Rule details.
- You will be asked to confirm the deletion. Click Delete.
USP Manager prevents deletion of a Rule if it is currently referenced by an Inbound Node.
Additionally, if the Rule is used by a USP Server instance, the updated configuration must be manually applied. To apply the changes:
- Navigate to Monitoring > Status.
- Click the Name of the associated USP Server instance.
- Go to the Configuration tab.
- Review the pending changes in the Candidate Configuration - Preview section.
- If the changes are correct, click Push Configuration.
The changes do not take effect on the server until this step is completed.