The Edge SWG must control remote access methods.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-279203 | SRG-NET-000313-ALG-000010 | SYME-00-007500 | SV-279203r1170670_rule | 2025-12-16 | 1 |
| Description |
|---|
| Remote access devices, such as those providing remote access to network devices and information systems, that lack automated control capabilities increase risk and make remote user access management difficult. Remote access is access to DOD-nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include broadband and wireless connections, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies). This requirement applies to ALGs providing remote access proxy services as part of their intermediary services (e.g., OWA or TLS gateway). ALGs that proxy remote access must be capable of taking enforcement action (i.e., blocking, restricting, or forwarding to an enforcement mechanism) if traffic monitoring reveals unauthorized activity.<br><br>Satisfies: SRG-NET-000313-ALG-000010, SRG-NET-000319-ALG-000153, SRG-NET-000364-ALG-000122, SRG-NET-000383-ALG-000135, SRG-NET-000385-ALG-000137, SRG-NET-000385-ALG-000138, SRG-NET-000390-ALG-000139, SRG-NET-000391-ALG-000140, SRG-NET-000392-ALG-000141, SRG-NET-000392-ALG-000142, SRG-NET-000392-ALG-000143, SRG-NET-000392-ALG-000147, SRG-NET-000392-ALG-000148 |
| ℹ️ Check |
|---|
| 1. In the Edge SWG Web UI, navigate to the Administration tab.<br>2. Click "Data and Cloud Services", then "Content Filtering".<br>3. If BlueCoat Content Filtering is disabled, this is a finding.<br>4. Click "BlueCoat". If the Lookup Mode is not set to "Always", this is a finding.<br><br>1. In the Edge SWG Web UI, navigate to the VPM.<br>2. Go to the Web Access Layer.<br><br>If there are no URL filtering rules created, this is a finding.<br>If there is a URL filtering list and no categories are selected, this is a finding. |
| ✔️ Fix |
|---|
| 1. In the Edge SWG Web UI, navigate to the Administration tab.<br>2. Click "Data and Cloud Services", then "Content Filtering".<br>3. Enable BlueCoat Content Filtering.<br>4. Click "BlueCoat" and check the box for "Always" under "Lookup Mode".<br>5. Test the download. If the URL cannot be reached, troubleshoot before proceeding to determine if there are networking, reachability, or routing issues.<br><br>1. In the Edge SWG Web UI, navigate to the VPM.<br>2. Go to the Web Access Layer.<br>3. Create a URL filter list rule if one has not been created: click "Add Rule".<br>4. For source, use "Any".<br>5. Under "Destination", left-click and then click "Set".<br>6. Click "Add new Object and Request URL Category".<br>7. Enter a name and click the "BlueCoat" area.<br>8. Click each category that users will be blocked from accessing, then click "Apply and Set".<br>9. Under "Service", click the "All HTTP" client protocol.<br>10. Click "Set".<br>11. Under "Action", click the "DOD-BLOCK" exception page previously created.<br>12. Under "Track", click the EventLog tracking previously created.<br>13. Repeat these steps for all other client protocol services for which forward proxying for users will be completed.<br>14. Click "Apply Policy". |