Deployment and Installation Center
Websense TRITON Enterprise v7.6.x

Library Search:


Go to the table of contents Go to the previous page Go to the next page Go to the index
Squid Web Proxy Cache Integration > Authentication when integrated with Squid Web Proxy Cache

Authentication when integrated with Squid Web Proxy Cache
Applies to
*
Web Filter v7.6
*
Web Security v7.6
In this topic
*
Overview
*
Client types
*
Authentication methods
*
Transparent identification
Overview
Authentication is the process of identifying a user within a network based on an account in a directory service. Depending on the authentication method selected, Squid Web Proxy Cache can obtain user identification and send it to Websense Filtering Service along with an Internet request. Filtering Service can filter requests based on policies assigned to individual directory objects, defined as either a user or group of users.
 
* 
Note 
In any environment, Websense software can filter based on computer or network policies. Workstations are identified in Websense software by their IP addresses, and networks are identified as IP address ranges
To filter Internet access for individual directory objects, Websense software can identify the user making the request, imploying the following methods:
*
Enable an authentication method within Squid Web Proxy Cache so that it sends user information to Websense software.
*
Enable Websense software to identify users transparently, if it does not receive user information from Squid Web Proxy Cache. You can install one of the Websense transparent identification components: DC Agent, Logon Agent, eDirectory Agent, or RADIUS Agent.
See the Transparent Identification of Users technical paper and the User Identification topic in the TRITON - Web Security Help for more information.
*
Enable manual authentication within Websense software. If users cannot be identified transparently, they are prompted for authentication when they open a browser.
See the Manual Authentication topic in the TRITON - Web Security Help for more information.
Client types
In this context, the term clients refers to computers or applications that run on computers and rely on a server to perform some operations. Each type of client can be configured so that Filtering Service is able to obtain user identification and filter Internet requests based on user and group policies.
Squid works with two types of clients:
*
Firewall
*
Web Proxy
Firewall clients
If a client is located behind a firewall, that client cannot make direct connections to the outside world without the use of a parent cache. Squid Web Proxy Cache does not use ICP queries for a request if it is behind a firewall or if there is only one parent.
Use the following lists in the squid.conf file to handle Internet requests.
*
never_direct: Specifies which requests must be forwarded to the parent cache outside the firewall.
*
always_direct: Specifies which requests must not be forwarded.
See Squid documentation and support resources for more information.
Web Proxy clients
Web Proxy clients send Internet requests directly to Squid Web Proxy Cache after the browser is configured to use Squid as the proxy server.
You can assign individual user or group policies:
*
Enable one or more of the Squid authentication methods, discussed in Authentication methods if the network uses multiple types of browsers. Some of these methods may require users to authenticate manually.
*
Enable Websense software to prompt users for authentication. This allows Websense software to obtain the user information it needs if it does not receive that information from Squid Web Proxy Cache. See the Manual Authentication section of the User Identification topic in the TRITON - Web Security Help.
Authentication methods
Squid Web Proxy Cache v2.5 and 2.6 offer the following authentication methods:
*
Anonymous authentication
*
Basic authentication
*
Digest authentication
*
Integrated Windows authentication
See Squid documentation for information about enabling authentication within Squid Web Proxy Cache.
 
* 
Important 
Before changing authentication methods, consider the impact the change would have on other proxy server functions.
Anonymous authentication
When anonymous authentication is enabled within Squid Web Proxy Cache, user identification is not received from the browser that requests a site.
Users cannot be filtered based on individual user or group policies unless anonymous authentication is disabled and another method of authentication is enabled, or you configure Websense software to identify users.
Anonymous authentication allows Internet filtering based on computer or network policies, if applicable, or by the Default policy.
Basic authentication
When basic authentication is enabled within Squid, users are prompted to authenticate (log on) each time they open a browser. This allows Squid to obtain user identification, regardless of the browser, and send it to Websense Filtering Service, which then filters Internet requests based on individual user and group policies. Basic authentication can be enabled in combination with Integrated Windows authentication, discussed later in this section.
Digest authentication
Digest authentication is a secure authentication method used only in Windows 2000 and Windows Server 2003 domains. The features are the same as Basic authentication, but the user name and password are scrambled when they are sent from the browser to Squid Web Proxy Cache. The user can authenticate to Squid Web Proxy Cache without the user name and password being intercepted. Digest authentication can be enabled in combination with Integrated Windows authentication, discussed later in this section.
Integrated Windows authentication
Integrated Windows authentication provides secure authentication. With this authentication enabled, Squid Web Proxy Cache obtains user identification transparently from Microsoft Internet Explorer 5.0 and later. User information is sent to Websense software, which then filters Internet requests based on individual user and group policies.
 
* 
Note 
Squid Integrated Windows Authentication cannot obtain user identification information transparently from browsers other than Microsoft Internet Explorer.
If your network has a mixture of Microsoft Internet Explorer browsers and other browsers, you can enable both Basic and Integrated Windows authentication, or Digest and Integrated Windows authentication. In either configuration:
*
Users with Microsoft Internet Explorer browsers are identified transparently.
*
Users with other browsers are prompted to authenticate.
 
* 
Note 
To transparently identify all users in a mixed-browser environment, you can enable Anonymous authentication within Squid Web Proxy Cache and use Websense transparent identification. See Transparent identification.
Transparent identification
If Squid Web Proxy Cache is not configured to send user information to Websense software, you can install a Websense transparent identification agent to identify users without prompting them to log on when they open a browser. There are 4 transparent identification agents: DC Agent, Logon Agent, eDirectory Agent, and RADIUS Agent. They communicate with domain controllers or directory services to match users names with IP addresses for use in applying user- and group-based policies.
The transparent identification agents can be installed individually or in specific combinations, and can reside on the Filtering Service machine, or on a different machine. See the Transparent Identification of Users technical paper and TRITON - Web Security Help for more information about deploying and configuring Websense transparent identification agents.

Quick Links



Go to the table of contents Go to the previous page Go to the next page Go to the index
Squid Web Proxy Cache Integration > Authentication when integrated with Squid Web Proxy Cache
(c) 2011 Websense, Inc. All Rights Reserved.