Authentication is the process of identifying an individual within a network who has an account in a directory service. Depending on the authentication method selected, ISA/TMG can obtain user identification and send it to Websense Filtering Service with the Internet request. Filtering Service can filter requests based on policies assigned to directory clients (users, groups, and domains [OUs] defined in a supported directory service).
To filter Internet access for directory clients, Websense software must be able to identify the user making the request. This requires one or more of the following:
See Manual Authentication in the TRITON - Web Security Help for more information.
The term clients in this environment refers to computers or applications that run on computers and rely on a server to perform some operations. In the following diagram of ISA/TMG Firewall architecture, the relationship between ISA/TMG and the Firewall/Forefront TMG, SecureNAT, and Web Proxy clients is shown.
Firewall/Forefront TMG and SecureNAT clients cannot identify users transparently without special settings. These clients require a Websense transparent identification agent to authenticate users. To enable user-based filtering policies with these clients, select one of these options:
See Manual Authentication in the TRITON - Web Security Help for more information.
After the browser is configured to use ISA/TMG as a proxy server, Web Proxy clients send Internet requests directly to ISA/TMG. You can assign individual user or group policies with one of the following methods.
See Manual Authentication in the TRITON - Web Security Help for more information.
Microsoft Internet Explorer, version 5.0 and later, supports all of these authentication methods. Other Web browsers may support only the Basic authentication method. By default, ISA/TMG has Integrated Windows authentication enabled.
You can configure both incoming and outgoing request properties within ISA/TMG. Client Web browsers must be able to use at least one of the authentication methods that you specify in an array's incoming and outgoing Web request dialog boxes. Without this authentication, the client cannot access the requested Internet site.
When no authentication method is enabled in ISA/TMG, it cannot receive any information about who is making the Internet request. As a result, Websense software does not receive user information from ISA/TMG. When this problem occurs, you can:
See Manual Authentication in the TRITON - Web Security Help for more information.
Basic authentication prompts users to authenticate (log on) each time they open a browser. This authentication allows ISA/TMG to obtain user identification, regardless of the browser, and send the information to Websense software, which filters Internet requests based on individual user and group policies.
Digest authentication is a secure authentication method used in Windows Server 2003 domains. The features are the same as Basic authentication, but the user name and password are scrambled when they are sent from the browser to ISA/TMG. The user can authenticate to ISA/TMG without the user name and password being intercepted. User information is sent to Websense software, which then filters Internet requests based on individual user and group policies.
Integrated Windows authentication provides secure authentication. With this authentication enabled, ISA/TMG obtains user identification transparently from browsers using Microsoft Internet Explorer 5.0 and later. User information is sent to Websense software, which then filters Internet requests based on individual user and group policies.
If your network has a mixture of Microsoft Internet Explorer browsers and other browsers, you can enable both Basic and Integrated Windows authentication, or Digest and Integrated Windows authentication. In either configuration:
Client Certificate authentication identifies users requesting information about a Web site. If Client Certificate is used, ISA/TMG requests the certificate and verifies that it belongs to a client that is permitted access, before allowing the Internet request.
Websense transparent identification allows Websense software to filter Internet requests from users identified in a directory service, without prompting them to authenticate manually. If the authentication method enabled within ISA/TMG does not send user information to Filtering Service, you can use a Websense transparent identification agent to identify users.
For example, if ISA/TMG is configured to obtain user identification from the browser, and you want to use Network Agent to filter protocols by user or group name, use a Websense transparent identification agent to identify users for protocol traffic.
Install and configure Websense transparent identification agents to transparently identify users from a directory service. DC Agent, Logon Agent, eDirectory Agent, or RADIUS Agent can be installed on the same machine as Filtering Service, or on a different machine.
Websense also offers secure manual authentication with Secure Sockets Layer (SSL) encryption to protect user names and passwords being transmitted between client computers and Filtering Service. By default, secure manual authentication is disabled. See
Secure Manual Authentication in the TRITON - Web Security Help for more information and instructions on activating this feature.
After Filtering Service is configured to communicate with a transparent identification agent, user information is obtained from a supported directory service and sent to Filtering Service. When Filtering Service receives the IP address of a computer making an Internet request, the address is matched with the corresponding user name provided by the transparent identification agent.
See Web Filter or Web Security (software-based) for instructions on installing individual Websense components. See
User Identification in the TRITON - Web Security Help for information about configuring transparent identification agents.
Deployment and Installation Center
