Deployment and Installation Center
Websense TRITON Enterprise v7.6.x

Microsoft ISA Server or Forefront TMG Integration > Authentication when integrated with ISA Server or Forefront TMG

Authentication is the process of identifying an individual within a network who has an account in a directory service. Depending on the authentication method selected, ISA/TMG can obtain user identification and send it to Websense Filtering Service with the Internet request. Filtering Service can filter requests based on policies assigned to directory clients (users, groups, and domains [OUs] defined in a supported directory service).
Note: In any environment, Websense software can filter based on computer (individual IP address) or network (IP address range) policies.
To filter Internet access for directory clients, Websense software must be able to identify the user making the request. This requires one or more of the following:
* Install a Websense transparent identification agent (DC Agent, Logon Agent, eDirectory Agent, or RADIUS Agent) to identify users, if user information is not supplied by ISA/TMG. See the Transparent Identification of Users technical paper for more information.
* Enable manual authentication within Websense software. Users who cannot be identified by other means are prompted for logon information when they open a browser. See Manual Authentication in the TRITON - Web Security Help for more information.
The term clients in this environment refers to computers or applications that run on computers and rely on a server to perform some operations. In the following diagram of ISA/TMG Firewall architecture, the relationship between ISA/TMG and the Firewall/Forefront TMG, SecureNAT, and Web Proxy clients is shown.
Each type of client can be configured so that Websense software can obtain user identification and filter Internet requests based on user and group policies.
Firewall/Forefront TMG and SecureNAT clients cannot identify users transparently without special settings. These clients require a Websense transparent identification agent to authenticate users. To enable user-based filtering policies with these clients, select one of these options:
* Configure computer browsers to access the Internet through ISA/TMG. This configuration allows Firewall/Forefront TMG and SecureNAT clients to also work as Web Proxy clients.
* If you are using a Windows-based directory service, disable all authentication methods within ISA/TMG and use Websense transparent identification. This method allows Websense Filtering Service to obtain user identification from the network's domain controllers or directory services. See Transparent identification for more information.
* Enable Websense software to prompt users for authentication (manual authentication). This method allows Websense software to obtain the user information it needs if neither ISA/TMG nor a Websense transparent identification agent provides the information. See Manual Authentication in the TRITON - Web Security Help for more information.
After the browser is configured to use ISA/TMG as a proxy server, Web Proxy clients send Internet requests directly to ISA/TMG. You can assign individual user or group policies with one of the following methods.
* If your network uses only Microsoft Internet Explorer® browsers, version 5.0 or later, you can enable Integrated Windows Authentication within ISA/TMG to identify users transparently.
* If you are using a Windows-based directory service with various browsers, you can identify users transparently by disabling all authentication methods within ISA/TMG and implementing Websense transparent identification. See Transparent identification for more information.
* If the network uses a mixture of browsers, you can enable one or more of ISA/TMG's authentication methods. Some of these methods may require users to authenticate manually for certain older browsers. See Authentication Methods for more information.
* Enable Websense software to prompt users for authentication (manual authentication). This method allows Websense software to obtain the user information it needs if neither ISA/TMG nor a Websense transparent identification agent provides the information. See Manual Authentication in the TRITON - Web Security Help for more information.
Microsoft Internet Explorer, version 5.0 and later, supports all of these authentication methods. Other Web browsers may support only the Basic authentication method. By default, ISA/TMG has Integrated Windows authentication enabled.
You can configure both incoming and outgoing request properties within ISA/TMG. Client Web browsers must be able to use at least one of the authentication methods that you specify in an array's incoming and outgoing Web request dialog boxes. Without this authentication, the client cannot access the requested Internet site.
When no authentication method is enabled in ISA/TMG, it cannot receive any information about who is making the Internet request. As a result, Websense software does not receive user information from ISA/TMG. When this problem occurs, you can:
See Manual Authentication in the TRITON - Web Security Help for more information.
See Transparent identification, for more information.
Basic authentication prompts users to authenticate (log on) each time they open a browser. This authentication allows ISA/TMG to obtain user identification, regardless of the browser, and send the information to Websense software, which filters Internet requests based on individual user and group policies.
Digest authentication is a secure authentication method used in Windows Server 2003 domains. The features are the same as Basic authentication, but the user name and password are scrambled when they are sent from the browser to ISA/TMG. The user can authenticate to ISA/TMG without the user name and password being intercepted. User information is sent to Websense software, which then filters Internet requests based on individual user and group policies.
Integrated Windows authentication provides secure authentication. With this authentication enabled, ISA/TMG obtains user identification transparently from Microsoft Internet Explorer 5.0 and later browsers. User information is sent to Websense software, which then filters Internet requests based on individual user and group policies.
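The difference between Basic and Digest described above comes down to what crosses the wire in the browser's Proxy-Authorization header. The following is an added illustration, not code from the page or from Websense or Microsoft: it builds constructed sample headers, shows what a proxy such as ISA/TMG can read from each scheme, and verifies a Digest response (RFC 2617, no qop) using only a stored password hash. The user names, realm and nonce are made up.

```python
import base64
import hashlib
import hmac
import re


def digest_hash(*parts: str) -> str:
    """RFC 2617 H() over colon-joined fields (MD5 hex digest)."""
    return hashlib.md5(":".join(parts).encode()).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 is all the proxy needs to store to verify Digest responses."""
    return digest_hash(user, realm, password)


def make_digest_header(user, realm, password, nonce, method, uri) -> str:
    """Constructed browser-side Digest header: the password itself never appears."""
    response = digest_hash(digest_ha1(user, realm, password), nonce, digest_hash(method, uri))
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')


def parse_proxy_authorization(header: str) -> dict:
    """Return what ISA/TMG learns from a Proxy-Authorization header."""
    scheme, _, rest = header.partition(" ")
    if scheme == "Basic":
        # Base64 is an encoding, not encryption: both fields are readable.
        user, _, password = base64.b64decode(rest).decode().partition(":")
        return {"scheme": scheme, "user": user, "password_exposed": True, "password": password}
    if scheme == "Digest":
        fields = dict(re.findall(r'(\w+)="([^"]*)"', rest))
        fields.update(scheme=scheme, password_exposed=False)
        return fields
    if scheme in ("Negotiate", "NTLM"):
        # Integrated Windows authentication carries an opaque token, not a password.
        return {"scheme": scheme, "password_exposed": False, "token": rest}
    raise ValueError(f"unsupported scheme: {scheme}")


def verify_digest(fields: dict, ha1: str, method: str) -> bool:
    """Proxy-side check using the stored HA1; constant-time compare on the hex digest."""
    expected = digest_hash(ha1, fields["nonce"], digest_hash(method, fields["uri"]))
    return hmac.compare_digest(expected, fields["response"])


# Constructed sample Basic header (user CORP\alice, password Passw0rd!).
BASIC_HEADER = "Basic " + base64.b64encode(b"CORP\\alice:Passw0rd!").decode()
```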
If your network has a mixture of Microsoft Internet Explorer browsers and other browsers, you can enable both Basic and Integrated Windows authentication, or Digest and Integrated Windows authentication. In either configuration:
Note: To transparently identify all users in a mixed browser environment, you can disable Basic or Digest authentication and use Websense transparent identification (see Transparent identification) in conjunction with Integrated Windows authentication.
Client Certificate authentication identifies users requesting information about a Web site. If Client Certificate is used, ISA/TMG requests the certificate and verifies that it belongs to a client that is permitted access, before allowing the Internet request.
Note: To use Websense transparent identification, you must disable Client Certificate authentication.
Before changing authentication methods, consider the impact of the change on other ISA/TMG functions.
For more information about ISA/TMG authentication and how to configure these authentication methods, see Microsoft's documentation.
Websense transparent identification allows Websense software to filter Internet requests from users identified in a directory service, without prompting them to authenticate manually. If the authentication method enabled within ISA/TMG does not send user information to Filtering Service, you can use a Websense transparent identification agent to identify users.
For example, if ISA/TMG is configured to obtain user identification from the browser, and you want to use Network Agent to filter protocols by user or group name, use a Websense transparent identification agent to identify users for protocol traffic.
Install and configure Websense transparent identification agents to transparently identify users from a directory service. DC Agent, Logon Agent, eDirectory Agent, or RADIUS Agent can be installed on the same machine as Filtering Service, or on a different machine.
Websense also offers secure manual authentication with Secure Sockets Layer (SSL) encryption to protect user names and passwords being transmitted between client computers and Filtering Service. By default, secure manual authentication is disabled. See Secure Manual Authentication in the TRITON - Web Security Help for more information and instructions on activating this feature.
After Filtering Service is configured to communicate with a transparent identification agent, user information is obtained from a supported directory service and sent to Filtering Service. When Filtering Service receives the IP address of a computer making an Internet request, the address is matched with the corresponding user name provided by the transparent identification agent.
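The identification chain described on this page (user name supplied by ISA/TMG, otherwise the IP-to-user mapping from a transparent identification agent, otherwise a manual authentication prompt) and the fallback to computer and network policies when no user is known can be modelled as follows. This is an added example with constructed data, not Websense code; the policy precedence order (user, computer, group, network, default) is an assumption for the example, not something this page states.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class Request:
    client_ip: str
    proxy_user: Optional[str] = None  # set by ISA/TMG when an authentication method is enabled


def identify(req: Request, agent_map: dict, manual_auth: bool) -> Tuple[Optional[str], str]:
    """Return (user, source). agent_map is the IP-to-user table a transparent
    identification agent (DC/Logon/eDirectory/RADIUS Agent) supplies."""
    if req.proxy_user:
        return req.proxy_user, "isa_tmg"
    if req.client_ip in agent_map:
        return agent_map[req.client_ip], "transparent_agent"
    if manual_auth:
        return None, "prompt"  # user will be asked to log on in the browser
    return None, "unidentified"  # only computer/network policies can apply


def select_policy(req: Request, user: Optional[str], policies: dict, groups: dict) -> str:
    """Assumed precedence: user, computer IP, group, network range, default."""
    if user and user in policies["users"]:
        return policies["users"][user]
    if req.client_ip in policies["computers"]:
        return policies["computers"][req.client_ip]
    for group in groups.get(user, []):
        if group in policies["groups"]:
            return policies["groups"][group]
    ip = ip_address(req.client_ip)
    for net, policy in policies["networks"].items():
        if ip in ip_network(net):
            return policy
    return policies["default"]


# Constructed sample data for the example.
AGENT_MAP = {"10.1.2.3": "CORP\\alice", "10.1.2.4": "CORP\\bob"}
GROUPS = {"CORP\\alice": ["CORP\\Engineering"], "CORP\\bob": ["CORP\\Sales"]}
POLICIES = {
    "users": {"CORP\\alice": "alice-policy"},
    "computers": {"10.1.9.9": "kiosk-policy"},
    "groups": {"CORP\\Sales": "sales-policy"},
    "networks": {"10.1.0.0/16": "lan-policy"},
    "default": "default-policy",
}
```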
See Web Filter or Web Security (software-based) for instructions on installing individual Websense components. See User Identification in the TRITON - Web Security Help for information about configuring transparent identification agents.