Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page
Integrating Web Security with Microsoft Products > User identification and authentication with Forefront TMG
User identification and authentication with Forefront TMG
Deployment and Installation Center | Web Security Solutions | Version 7.7.x
 
Applies to:                                         
In this topic                                       
*
Web Filter and Web Security, v7.7.x
*
TMG clients
*
Firewall/Forefront TMG and SecureNAT clients
*
Web Proxy clients
*
Authentication Methods
*
Transparent identification
In order to apply user and group-based policies to Internet requests, Websense Filtering Service must receive information about the user making the request. If no user information is available, Websense software can still apply IP address-based policies, or the Default policy.
To ensure that Filtering Service receives user information, you can:
*
Enable authentication within TMG.
*
Install a Websense transparent identification agent (DC Agent, Logon Agent, eDirectory Agent, or RADIUS Agent).
*
Enable manual authentication within Websense software. Users who cannot be identified by other means are prompted for logon information when they open a browser.
See "Manual Authentication" in the TRITON - Web Security Help for more information.
TMG clients
These TMG clients are supported:
*
Firewall/Forefront TMG (see Firewall/Forefront TMG and SecureNAT clients)
*
SecureNAT (see Firewall/Forefront TMG and SecureNAT clients)
*
Web Proxy (see Web Proxy clients)
The term clients in this environment refers to computers or applications that run on computers and rely on a server to perform some operations.
Each type of client can be configured so that Websense software can obtain user identification and filter Internet requests based on user and group policies.
Firewall/Forefront TMG and SecureNAT clients
Firewall/Forefront TMG and SecureNAT clients cannot identify users transparently without special settings. These clients require a Websense transparent identification agent to authenticate users. To enable user-based filtering policies with these clients, select one of these options:
*
Configure computer browsers to access the Internet through TMG. This configuration allows Firewall/Forefront TMG and SecureNAT clients to also work as Web Proxy clients.
If you choose this option, see Web Proxy clients for more information.
*
If you are using a Windows-based directory service, disable all authentication methods within TMG and use Websense transparent identification. This method allows Websense Filtering Service to obtain user identification from the network's directory services.
See Transparent identification, for more information.
*
Enable Websense software to prompt users for authentication (manual authentication). This method allows Websense software to obtain the user information it needs if neither the TMG nor a Websense transparent identification agent provides the information.
See "Manual Authentication" in the TRITON - Web Security Help for more information.
Web Proxy clients
After the browser is configured to use TMG as a proxy server, Web Proxy clients send Internet requests directly to TMG. You can assign individual user or group policies with one of the following methods.
*
If your network uses only Microsoft Internet Explorer® browsers, version 5.0 or later, you can enable Integrated Windows Authentication within TMG to identify users transparently.
*
If you are using a Windows-based directory service with various browsers, you can identify users transparently by disabling all authentication methods within TMG and implementing Websense transparent identification.
See Transparent identification, for more information.
*
If the network uses a mixture of browsers, you can enable one or more of TMG's authentication methods. Some of these methods may require users to authenticate manually for certain older browsers.
See Authentication Methods, for more information.
*
Enable Websense software to prompt users for authentication (manual authentication). This method allows Websense software to obtain the user information it needs if neither TMG nor a Websense transparent identification agent provides the information.
See "Manual Authentication" in the TRITON - Web Security Help for more information.
Authentication Methods
TMG provides 4 methods of authentication:
*
Basic authentication
*
Digest authentication
*
Integrated Windows authentication (enabled by default)
*
Client Certificate authentication
Microsoft Internet Explorer, version 5.0 and later, supports all of these authentication methods. Other Web browsers may support only Basic authentication.
When no authentication method is enabled in TMG, it does not pass Websense software any information about who is making the Internet request. When this occurs, you can:
*
Filter with computer and network policies.
*
Enable Websense manual authentication to permit user-based filtering.
See "Manual Authentication" in the TRITON - Web Security Help for more information.
*
Enable Websense transparent identification to permit user-based filtering.
See Transparent identification, for more information.
Basic authentication
Basic authentication prompts users to authenticate (log on) each time they open a browser. This authentication allows TMG to obtain user identification, regardless of the browser, and send the information to Websense software, which filters Internet requests based on individual user and group policies.
If Basic authentication is enabled in combination with Integrated Windows authentication:
*
Users with Microsoft Internet Explorer browsers are transparently identified.
*
Users with other browsers are prompted for a user name and password.
Digest authentication
Digest authentication is a secure authentication method used in Windows Server 2003 domains. The features are the same as Basic authentication, but the user name and password are scrambled when they are sent from the browser to TMG. The user can authenticate to TMG without the user name and password being intercepted. User information is sent to Websense software, which then filters Internet requests based on individual user and group policies.
If Digest authentication is enabled in combination with Integrated Windows authentication:
*
Users with Microsoft Internet Explorer browsers are transparently identified.
*
Users with other browsers are prompted for a user name and password.
Integrated Windows authentication
Integrated Windows authentication provides secure authentication. With this authentication enabled, TMG obtains user identification transparently from browsers using Microsoft Internet Explorer 5.0 and later. User information is sent to Websense software, which then filters Internet requests based on individual user and group policies.
If your network has a mixture of Microsoft Internet Explorer browsers and other browsers, you can enable both Basic and Integrated Windows authentication, or Digest and Integrated Windows authentication. In either configuration:
*
Users with Microsoft Internet Explorer browsers are identified transparently.
*
Users with other browsers are prompted for a user name and password.
 
* 
Note 
To transparently identify all users in a mixed browser environment, you can disable Basic or Digest authentication and use Websense transparent identification (see Transparent identification) in conjunction with Integrated Windows authentication.
Client Certificate authentication
Client Certificate authentication identifies users requesting information about a Web site. If Client Certificate is used, TMG requests the certificate and verifies that it belongs to a client that is permitted access, before allowing the Internet request.
 
* 
Note 
To use Websense transparent identification, you must disable Client Certificate authentication.
Before changing authentication methods, consider the impact of the change on other TMG functions.
For more information about TMG authentication and how to configure these authentication methods, see Microsoft's documentation.
Transparent identification
Websense transparent identification agents (DC Agent, Logon Agent, eDirectory Agent, and RADIUS Agent) allow Websense software to apply user and group based policies to Internet requests without prompting users to authenticate in the browser.
*
If TMG is not configured to send user information to Filtering Service, you can use a Websense transparent identification agent to identify HTTP and non-HTTP users.
*
If TMG provides user information for HTTP(S) requests, you can still use a Websense transparent identification requests to obtain user and group information for other protocol requests, managed by Websense Network Agent.
See Installation overview: Web Filter and Web Security for instructions on installing individual Websense components. See User Identification in the TRITON - Web Security Help for information about configuring transparent identification agents.
Websense software also offers secure manual authentication with Secure Sockets Layer (SSL) encryption to protect user names and passwords being transmitted between client computers and Filtering Service. See "Secure Manual Authentication" in the TRITON - Web Security Help for more information and instructions on activating this feature.

Go to the table of contents Go to the previous page Go to the next page
Integrating Web Security with Microsoft Products > User identification and authentication with Forefront TMG
Copyright 2016 Forcepoint LLC. All rights reserved.