I have a simple BM37+NW6SP5 test server for testing rules prior to moving them to production (2x BM38+NW65SP6). Recently we tried to block all access to FTP sites and allow only a select group of users access. The rules on the test proxy looked something like this:

1. Action: Deny / Source: Any / Access: URL / Dest: SurfControl

2. Action: Allow / Source: FTP_User_Group / Access: FTP Proxy / Dest: Any

3. Action: Allow / Source: WWW_User_Group / Access: URL / Dest: Any URL

Default Rule:
4. Action: Deny / Source: Any / Access: Any / Dest: Any

Yet with this setup, anybody in the WWW_User_Group (but not in the FTP_User_Group) was able to access FTP. I temporarily closed the hole by doing this ruleset:

1. Action: Deny / Source: Any / Access: URL / Dest: SurfControl

2. Action: Allow / Source: FTP_User_Group / Access: FTP Proxy / Dest: Any

3. Action: Deny / Source: Any / Access: FTP Proxy / Dest: Any

4. Action: Allow / Source: WWW_User_Group / Access: URL / Dest: Any URL

Default Rule:
5. Action: Deny / Source: Any / Access: Any / Dest: Any

I don't understand why I have to explicitly deny access to FTP Proxy for this to work. I think the rule that grants access to URL for WWW_User_Group is also allowing FTP access. If I turn that rule into a Deny rule in the first ruleset, it denies all FTP (as well as all HTTP).

Also, we are using SurfControl to block access to certain categories. I read that the URL rule only affects port 80 requests (which would seem weird when it's affecting my FTP proxy over port 21 above). How would I go about blocking those same categories over HTTPS?

Finally, does anybody have any general guidelines on how many rules should exist in a typical medium business BM environment (assuming modern hardware)? I'm trying to get the customer to avoid adding so many ad hoc rules, as the production environment is pretty complex, which is why I am testing on a test proxy with few rules to avoid accidental rule overlap. I'm going to have to do an audit of their existing production environment and prefer the KISS principle when it comes to rule definitions.

P.S. Since most sites require both an HTTP and an HTTPS rule, almost every desired "rule" in BM needs to be repeated twice to allow (or deny) secure communication, as most websites switch to SSL from the launcher (non-SSL) parent page. The rulebase expands quite quickly and gets confusing due to this.
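The two rulesets from the post, replayed through a toy first-match evaluator so the ordering effect can be reasoned about on paper. This is an added example, not BorderManager code and not from the poster: the one modelling assumption is that an ftp:// URL fetched through the browser's proxy setting is checked against both "URL" and "FTP Proxy" rules, which is simply the classification that reproduces the behaviour the post describes; the `BLOCKED_CATEGORIES` set is a constructed stand-in for the SurfControl category list.

```python
# Toy model of BorderManager-style access rules: rules are scanned top to bottom and
# the first rule whose Source, Access and Dest all match decides the request.
# Each rule is (action, source_group, access_type, destination); "Any" matches everything.

RULESET_1 = [  # the ruleset that left the hole
    ("Deny",  "Any",            "URL",       "SurfControl"),
    ("Allow", "FTP_User_Group", "FTP Proxy", "Any"),
    ("Allow", "WWW_User_Group", "URL",       "Any"),
    ("Deny",  "Any",            "Any",       "Any"),   # default rule
]

RULESET_2 = [  # the ruleset with the explicit FTP Proxy deny in front of the URL allow
    ("Deny",  "Any",            "URL",       "SurfControl"),
    ("Allow", "FTP_User_Group", "FTP Proxy", "Any"),
    ("Deny",  "Any",            "FTP Proxy", "Any"),
    ("Allow", "WWW_User_Group", "URL",       "Any"),
    ("Deny",  "Any",            "Any",       "Any"),   # default rule
]

BLOCKED_CATEGORIES = {"gambling"}  # constructed stand-in for the SurfControl list


def access_types_for(url):
    """ASSUMPTION (not documented BM behaviour): an ftp:// URL requested through the
    browser proxy is subject to both 'URL' and 'FTP Proxy' rules; anything else only
    to 'URL' rules. This is the classification that reproduces what the post observed."""
    scheme = url.split("://", 1)[0].lower()
    return {"URL", "FTP Proxy"} if scheme == "ftp" else {"URL"}


def evaluate(rules, groups, url, category=None):
    """Return 'Allow' or 'Deny' for a user in `groups` requesting `url`; first match wins."""
    access_types = access_types_for(url)
    for action, source, access, dest in rules:
        if source != "Any" and source not in groups:
            continue
        if access != "Any" and access not in access_types:
            continue
        if dest == "SurfControl" and category not in BLOCKED_CATEGORIES:
            continue
        return action
    return "Deny"  # not reached: both rulesets end with a catch-all default rule


if __name__ == "__main__":
    www_only = {"WWW_User_Group"}
    for name, rules in (("ruleset 1", RULESET_1), ("ruleset 2", RULESET_2)):
        print(name, "WWW-only user, ftp://  ->", evaluate(rules, www_only, "ftp://ftp.example.com/"))
        print(name, "WWW-only user, http:// ->", evaluate(rules, www_only, "http://www.example.com/"))
```

Swapping rule 3 of the first ruleset for a Deny on "URL" makes the evaluator deny the WWW-only user's HTTP requests as well, which matches the third observation in the post.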