Content Gateway supports several methods of authenticating users before they are allowed access to content. These methods can be used together with Websense Web Security user identification agents to provide failover should proxy user authentication become unavailable. For an overview of user authentication options and best practices, go to the Websense Technical Library and search for Web Security Gateway authentication and identification.
For each realm (definition below), an authentication method (Integrated Windows Authentication, NTLM, or LDAP) is specified. Using this feature, multiple methods can be used to authenticate users in multiple realms.
The authentication mode is selected in Content Gateway Manager in the Authentication section of the Configure > My Proxy > Basic page. Configuring authentication for multiple realm environments begins with selecting the Multiple Realm Authentication option.
If you have one Active Directory domain, or if all of your Active Directory domains share inbound and outbound trust relationships, the best option is to use Integrated Windows Authentication.
If user identification is sufficient, you can use one of the Web Security user identification options. See the section titled User Identification in TRITON -- Web Security Help.
Content Gateway supports both transparent (Single Sign-On) and interactive (prompted) authentication. Transparent authentication is supported with Integrated Windows Authentication and Legacy NTLM. Some browsers provide only limited support. See Browser limitations.
On Windows networks, Single Sign-On allows users to sign on only once so that they can transparently access all authorized network resources. Therefore, if a user has already logged on to the Windows network successfully, the credentials specified during Windows logon are used for proxy authentication and the user is not prompted again for a username and password.
Interactive authentication is supported in networks that are not configured for Single Sign-On and for use with browsers that don't support Single Sign-On. With interactive authentication, users are prompted for credentials before they can access content through Content Gateway.
For Integrated Windows Authentication and Legacy NTLM, Content Gateway supports the specification of backup domain controllers for failover. If the primary domain controller does not respond to proxy requests, Content Gateway contacts the next domain controller in the list (the backup domain controller). For the next request, the proxy tries to contact the primary domain controller again and then contacts the backup domain controller if the connection fails.
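The failover order described above, modeled as an added example (a simulation written for this page, not Content Gateway code). The controller names, the test account, and the choice to raise an error when no controller responds are assumptions; the example also assumes that only a missing response triggers failover, so a rejection from a responding controller is final.

```python
from typing import Callable, List, Set, Tuple

# Constructed sample data: hypothetical controller names and one test account.
CONTROLLERS = ["dc1.example.test", "dc2.example.test"]  # primary first, then backup
ACCOUNTS = {"alice": "correct-horse"}


class NoControllerResponded(Exception):
    """Every domain controller in the list failed to respond."""


def simulated_network(down: Set[str]) -> Callable[[str, str, str], bool]:
    """Return a stand-in for the DC query; controllers in `down` do not respond."""
    def query(dc: str, user: str, password: str) -> bool:
        if dc in down:
            raise ConnectionError(f"{dc} did not respond")
        return ACCOUNTS.get(user) == password
    return query


def authenticate(controllers: List[str], query: Callable[[str, str, str], bool],
                 user: str, password: str) -> Tuple[str, bool, List[str]]:
    """Walk the list from the primary on every request.

    Only a missing response moves on to the next controller. A controller that
    answers "rejected" has responded, so bad credentials never fail over.
    Returns (controller that answered, accepted?, controllers contacted).
    """
    contacted: List[str] = []
    for dc in controllers:
        contacted.append(dc)
        try:
            accepted = query(dc, user, password)
        except ConnectionError:
            continue  # no response: try the next controller in the list
        return dc, accepted, contacted
    # Assumption: fail closed and let the caller decide what happens next.
    raise NoControllerResponded(", ".join(contacted))


if __name__ == "__main__":
    outage = simulated_network(down={"dc1.example.test"})
    healthy = simulated_network(down=set())
    print(authenticate(CONTROLLERS, outage, "alice", "correct-horse"))
    print(authenticate(CONTROLLERS, healthy, "alice", "correct-horse"))
    print(authenticate(CONTROLLERS, healthy, "alice", "wrong"))
```

Because the primary is retried on every request, each request made during a primary outage waits for the primary to fail before the backup is contacted.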