Option	Description
	Filtering
Filtering	Displays a table listing the rules in the filter.config. Rules are applied based on first match in a top-down traversal of the list. If no rule matches, the request is allowed to proceed. For a detailed discussion of the purpose of filtering rules, see Filtering Rules. Note: After adding, deleting, or modifying a rule, restart Content Gateway. Note: NTLM and LDAP authentication rules are defined on the Authentication Realms tab and stored in the auth.config file (see its entry later in this table).
Refresh	Updates the table to display the most up-to-date rules in the filter.config file.
Edit File	Opens the configuration file editor for the filter.config file.
	filter.config Configuration File Editor
rule display box	Lists the rules currently stored in filter.config. Select a rule to edit it. The buttons on the left of the box allow you to delete or move the selected rule up or down in the list.
Add	Adds a new rule to the rule display box at the top of the configuration file editor page. Click Add after selecting or entering values for the rule.
Set	Updates the rule display box at the top of the configuration file editor page.
Rule Type	Specifies the rule type: Select allow to allow particular URL requests to bypass authentication; the proxy caches and serves the requested content. Select deny to deny requests for objects from specific destinations. When a request is denied, the client receives an access denied message. Select keep_hdr to specify which client request header information you want to keep. Select strip_hdr to specify which client request header information you want to strip. Select add_hdr to cause a custom header to be added to the request. This rule type requires that values be defined for Custom Header and Header Value. Add custom headers to satisfy a specific requirement of a destination domain. See Filtering Rules. Note: The radius rule type is not supported.
Primary Destination Type	Lists the primary destination types: dest_domain is a requested domain name. dest_host is a requested hostname. dest_ip is a requested IP address. url_regex is a regular expression to be found in a URL.
Primary Destination Value	Specifies the value of the primary destination type. For example, if the primary destination type is dest_ip, the value for this field might be 123.456.78.9.
Additional Specifiers: Header Type	Specifies the client request header information that you want to keep or strip. This option applies to only keep_hdr or strip_hdr rule types.
Additional Specifiers: Realm (optional)	Not supported.
Additional Specifiers: Proxy Port (optional)	Specifies the proxy port to match for this rule.
Additional Specifiers: Custom Header (optional)	For use when the rule type is add_hdr. Specifies the custom header name that the destination domain expects to find in the request.
Additional Specifiers: Header Value (optional)	For use when the rule type is add_hdr. Specifies the custom header value that the destination domain expects to be paired with the custom header.
Secondary Specifiers: Time	Specifies a time range, such as 08:00-14:00.
Secondary Specifiers: Prefix	Specifies a prefix in the path part of a URL.
Secondary Specifiers: Suffix	Specifies a file suffix in the URL.
Secondary Specifiers: Source IP	Specifies the IP address of the client.
Secondary Specifiers: Port	Specifies the port in a requested URL.
Secondary Specifiers: Method	Specifies a request URL method: get post put trace
Secondary Specifiers: Scheme	Specifies the protocol of a requested URL. Options are: HTTP HTTPS FTP (for FTP over HTTP only) Note: rtsp and mms are not supported.
Secondary Specifiers: User-Agent	Specifies the Request header User-Agent value. Use this field to create application filtering rules that: Allow applications that don't properly handle authentication challenges to bypass authentication Block specified client-based applications from accessing the Internet
Apply	Applies the configuration changes.
Close	Exits the configuration file editor. Click Apply before you click Close; otherwise, all configuration changes will be lost.
	Integrated Windows Authentication
The Integrated Windows Authentication page appears only if you have enabled IWA in the Features table on the Configure > My Proxy > Basic > General tab. Use this page to join or unjoin the Windows domain. When a domain has been joined, the page provides a summary of the domain attributes and an Unjoin button. See Integrated Windows Authentication.
Domain Name	Specifies the fully qualified Windows domain name.
Administrator Name	Specifies the Windows Administrator user name.
Administrator Password	Specifies the Windows Administrator password. Note: The name and password are used only during the join and are not stored.
Domain Controller	Specifies how to locate the domain controller: Auto-detect using DNS DC name or IP address If the domain controller is specified by name or IP address, you can also specify backup domain controllers in a comma separated list.
Content Gateway Hostname	Specifies the Content Gateway hostname. Because IWA uses the hostname as a NetBIOS name when registering with Kerberos, the hostname cannot exceed 15 characters in length (a NetBIOS restriction), or 11 characters on V-Series appliances (V-Series adds 4 characters to the hostname to ensure that the hostname is unique across modules (Doms). IMPORTANT: Once the domain is joined the hostname cannot be changed. If it is, IWA will immediately stop working until the domain is unjoined and then rejoined with the new hostname.
Join Domain	Click Join Domain to join the domain.
	Global Authentication Options Use this page to set options that are applied when Integrated Windows Authentication performs NTLM authentication.
Fail Open	Disabled –Prevents requests from proceeding to the Internet when an authentication failure occurs. Enabled only for critical service failures (default) – Allows requests to proceed if authentication fails because there is no response from the domain controller or because the client is sending badly formatted messages. Enabled for all authentication failures, including incorrect password – Allows requests to proceed for all authentication failures, including password failures. When a fail open setting is enabled, if a Web Security XID agent is configured an attempt is made to identify the requestor and apply user-based policy. Otherwise, if a policy has been assigned to the client's IP address, that policy is applied. Otherwise, the Default policy is applied.
NTLM Credential Caching	Enables/disables caching of user credentials after they have been authenticated by NTLM. Applies only when Content Gateway is an explicit proxy.
Caching TTL	Specifies the time-to-live (TTL) of entries in the cache. The default is 900 seconds (15 minutes). The supported range is 300 to 86400, inclusive.
Multi-user IP Exclusions	Specifies a comma-separated list of IP addresses and IP address ranges of network systems that host multiple users, such as terminal servers.
	Transparent Proxy Authentication Use this page when Content Gateway is a transparent proxy. For more information, see Transparent proxy authentication settings.
Redirect Hostname (optional)	Specifies an alternate hostname for the proxy that can be resolved by DNS for all clients on the network. Note: Redirect Hostname is not needed and does not apply to Integrated Windows Authentication (IWA).
Authentication Mode	When transparent proxy authentication is configured, Content Gateway must be set to an authentication mode: IP mode (the default) causes the client IP address to be associated with a username when a session is authenticated. Requests made from that IP address are not authenticated again until the Session TTL expires. The default is 15 minutes. Cookie mode is used to uniquely identify users who share a single IP address, such as, for example, in environments where proxy-chaining is used or where network address translation (NAT) occurs.
Session TTL	Specifies the length of time, in minutes, before the client must re-authenticate. This is required for both IP and Cookie modes. The default is 15 minutes. The supported range of values is 5-65535 minutes.
	LDAP
The LDAP configuration options appear on the Configure pane only if you have enabled LDAP in the Features table on the Configure > My Proxy > Basic > General tab. For more information on configuring LDAP see LDAP authentication.
Purge Cache on Authentication Failure	When this option is enabled, Content Gateway deletes the authorization entry for the client in the LDAP cache if authorization fails.
LDAP Server: Hostname	Specifies the hostname of the LDAP server. If you change this option, you must restart Content Gateway.
LDAP Server: Port	Specifies the port used for LDAP communication. The default port number is 389. If you change this option, you must restart Content Gateway.
LDAP Server: Secure LDAP	Specifies whether Content Gateway will use secure communication with the LDAP server. If enabled, set the LDAP Port field (above) to 636 or 3269 (the secure LDAP ports).
LDAP Server: Server Type	Specifies the search filter. Select either Active Directory or other directory services.
LDAP Server: Bind Distinguished Name	Specifies the Full Distinguished Name (fully qualified name) of a user in the LDAP-based directory service. For example: CN=John Smith,CN=USERS,DC=MYCOMPANY, DC=COM Enter a maximum of 128 characters in this field. If you do not specify a value for this field, the proxy attempts to bind anonymously.
LDAP Server: Password	Specifies a password for the user identified in the Bind_DN field.
LDAP Server: Base Distinguished Name	Specifies the base Distinguished Name (DN). You can obtain this value from your LDAP administrator. You must specify a correct base DN; otherwise LDAP authentication will fail to operate. If you change this option, you must restart Content Gateway.
	Radius
The Radius configuration options appear on the Configure pane only if you have enabled Radius in the Features table on the Configure > My Proxy > Basic > General tab. For more information on configuring Radius, see RADIUS authentication.
Primary Radius Server: Hostname	Specifies the hostname or IP address of the primary RADIUS authentication server. If you change this option, you must restart Content Gateway.
Primary Radius Server: Port	Specifies the port that Content Gateway uses to communicate with the primary RADIUS authentication server. The default port is 1812. If you change this option, you must restart Content Gateway.
Primary Radius Server: Shared Key	Specifies the key to use for encoding. If you change this option, you must restart Content Gateway.
Secondary Radius Server (optional): Hostname	Specifies the hostname or IP address of the secondary RADIUS authentication server. If you change this option, you must restart Content Gateway.
Secondary Radius Server (optional): Port	Specifies the port that Content Gateway uses to communicate with the secondary RADIUS authentication server. The default port is 1812. If you change this option, you must restart Content Gateway.
Secondary Radius Server (optional): Shared Key	Specifies the key to use for encoding. If you change this option, you must restart Content Gateway.
	Legacy NTLM
The NTLM configuration options appear on the Configure pane only if you have enabled NTLM in the Features table on the Configure > My Proxy > Basic > General tab. For more information on configuring NTLM, see Legacy NTLM authentication.
Domain Controller Hostnames	Specifies the hostnames of the domain controllers in a comma separated list. The format is: host_name[:port][%netbios_name] or IP_address[:port][%netbios_name] If you are using Active Directory 2008, you must include the netbios_name or use SMB port 445. If you change this option, you must restart Content Gateway.
Load Balancing	Enables or disables load balancing. When enabled, Content Gateway balances the load when sending authentication requests to the domain controllers. Note: When multiple domain controllers are specified, even if load balancing is disabled, when the load on the primary domain controller reaches the maximum number of connections allowed, new requests are sent to a secondary domain controller as a short-term failover provision, until such time that the primary domain controller can accept new connections. If you change this option, you must restart Content Gateway.
Fail Open	Disabled –Prevents requests from proceeding to the Internet when an authentication failure occurs. Enabled only for critical service failures (default) – Allows requests to proceed if authentication fails because there is no response from the domain controller or because the client is sending badly formatted messages. Enabled for all authentication failures, including incorrect password – Allows requests to proceed for all authentication failures, including password failures. When a fail open setting is enabled, if a Web Security XID agent is configured, an attempt is made to identify the requestor and apply user-based policy. Otherwise, if a policy has been assigned to the client's IP address, that policy is applied. Otherwise, the Default policy is applied.
IP Credentials: NTLM Credential Caching	Enables/disables NTLM credential caching. Applies only when Content Gateway is an explicit proxy.
IP Credentials: Caching TTL	Specifies the time-to-live, in seconds, for NTLM cached Credentials. The default is 900 seconds (15 minutes). The range of supported values is 300 to 86400 seconds.
IP Credentials: Multi-user IP Exclusions	Specifies a comma separated list of multi-user IP addresses and IP address ranges for terminal servers, NAT firewalls, etc. Credentials for these users are not cached.
	Domains
The Domains page appears on the Access Control list only if you have enabled Multiple Realm Authentication in the Features table on the Configure > My Proxy > Basic > General tab. Use this tab to join domains for which you will create authentication rules. For a complete description of multiple realm authentication, see Multiple realm authentication.
Domain Name	Specifies the fully qualified Windows domain name.
Administrator Name	Specifies the Windows Administrator user name.
Administrator Password	Specifies the Windows Administrator password. Note: The name and password are used only during the join and are not stored.
Domain Controller	Specifies how to locate the domain controller: Auto-detect using DNS DC name or IP address If the domain controller is specified by name or IP address, you can also specify backup domain controllers in a comma separated list.
Content Gateway Hostname	Specifies the Content Gateway hostname. Because IWA uses the hostname as a NetBIOS name when registering with Kerberos, the hostname cannot exceed 15 characters in length (a NetBIOS restriction), or 11 characters on V-Series appliances (V-Series adds 4 characters to the hostname to ensure that the hostname is unique across modules (Doms). IMPORTANT: Once the domain is joined the hostname cannot be changed. If it is, IWA will immediately stop working until the domain is unjoined and then rejoined with the new hostname.
Join Domain	Click Join Domain to join the domain.
Joined Domains list	Displays a list of joined domains.
Unjoin Domain button	To unjoin a domain, select a domain and click the button.
Realm Name	Displays the name of the domain selected in the Joined Domains list.
Fully Qualified Domain Name	Displays the FQDN of the domain selected in the Joined Domains list.
Content Gateway DNS Hostname	Displays the hostname that client browsers must use in the browser proxy setting section when Integrated Windows Authentication (Kerberos) is configured.
Active Directory Site	When Auto-detect using DNS is selected and the domain is joined, this field displays the name of nearest Active Directory site nearest the proxy.
Domain Controller	Specifies how to locate the selected domain controller: Auto-detect using DNS DC name or IP address If the domain controller is specified by name or IP address, you can also specify backup domain controllers in a comma separated list. Domain controllers are used in the order listed.
Active Domain Controller Connections	Lists active domain controller connections.
	Multiple Realm Authentication
In networks with multiple realms (domains that do not share reciprocal trust relationships), rules can be defined to direct sets of IP addresses, traffic from specific inbound ports (explicit proxy only), and/or requests from specific User-Agent strings to specific domain controllers. This feature is also useful in single domain environments when user authentication rules based on IP address ranges, proxy port, or User-Agent values, are needed. For complete information, see Multiple realm authentication.
Authentication	Displays a table listing the rules defined in the auth.config file. IWA, LDAP and NTLM rules can be configured.
Refresh	Updates the table to display the current rules in the auth.config file.
Edit File	Opens the configuration file editor for the auth.config file.
	auth.config Configuration File Editor
rule display box	Lists the rules in auth.config. Select a rule to edit it. The buttons on the left of the box allow you to delete or move the selected rule up or down in the list. Order matters. First match is applied. Rules cannot be more than 512 characters each.
Add	Adds a new rule.
Set	Updates the selected rule with the current values.
Rule Type	Specifies the rule type: Select Integrated Windows Authentication for rules that will apply Kerberos. Select Legacy NTLM to specify rules that will apply the NTLMSSP method. Select LDAP to specify rules that will use LDAP.
Status	Specifies that the rule is enabled or disabled after the rule is saved and Content Gateway is restarted. You can create a rule and not enable it until other elements of your network are ready to support it.
Rule Name	Specifies a descriptive name for the rule (must be unique).
Source IP	Specifies IP addresses or IP address ranges for this rule (must be entered without any spaces). Example: 10.1.1.1 or 0.0.0.0-255.255.255.255 or 10.1.1.1,20.2.2.2,3.0.0.0-3.255.255.255
User-Agent	Specifies 1 or more regular expressions used to match text in the User-Agent string, for example to match common browsers. Regexes must be POSIX-compliant. The "^" operator is not supported. When the field is empty, all User-Agent values match. You can edit the field directly. To insert a predefined regex for a common browser, select it from the drop down list and click Add. Multiple regexes can be specified. Use the "|" character to separate entries (logical 'or'). For more information, including regex examples, see Authentication based on User-Agent.
Proxy Port	Specifies the inbound port for traffic when Content Gateway is deployed as an explicit proxy.
Cookie Mode Caching	Enables/Disables Cookie mode caching. Cookie mode caching is used to uniquely identify users who share a single IP address; for example, in environments where proxy-chaining is used or where network address translation (NAT) occurs. For complete details, see the instructions for creating each authentication realm rule type (Multiple realm authentication). Note: The following special requirements and limitations apply: For transparent deployments, Redirect Hostname must be defined on the Configure > Security > Access Control > Transparent Proxy Authentication tab. When the browser is Internet Explorer, the full proxy hostname in the form "http://host.domain.com" must be added to the Local intranet zone. When the browser is Chrome, it must be configured to allow third-party cookies (this is not set by default), or configured for an exception to allow cookies from the proxy hostname in the form "host.domain.com". When the IP address is set for Cookie Mode and the request method is CONNECT, no caching is performed. When this option is disabled, the global setting is applied. For transparent proxy deployments the global option is set on Configure > Security > Access Control > Transparent Proxy Authentication. For explicit proxy deployments the global option is set on Configure > Security > Access Control > Global Authentication Options.
Advanced Settings: Aliasing	Specifies an alias to send to the filtering service for all users who match this rule. The alias must be static. It can be empty (blank). The alias must exist in the primary domain controller (the DC visible to the filtering service).
IWA Specifiers: Domain/Realm	Specifies the domain (realm) the rule applies to.
NTLM Specifiers: DC List	Specifies the IP address and port number of the primary domain controller (if no port is specified, Content Gateway uses port 139), followed by a comma separated list of secondary domain controllers to be used for load balancing and failover.
NTLM Specifiers: DC Load Balance	Specifies whether load balancing is used: 0 = disabled 1 = enabled Note: When multiple domain controllers are specified, even if load balancing is disabled, when the load on the primary domain controller reaches the maximum number of connections allowed, new requests are sent to a secondary domain controller as a short-term failover provision, until such time that the primary domain controller can accept new connections.
LDAP Specifiers: LDAP Server Name	Specifies the LDAP server name. This option applies to ldap rule types only.
LDAP Specifiers: LDAP Server Port	Specifies the LDAP Server Port (Optional - Default 389)
LDAP Specifiers: LDAP Base Distinguished Name	Specifies the LDAP Base Distinguished Name. This option applies to ldap rule types only.
LDAP Specifiers: Server Type	Sets the search filter to "sAMAccountName" for Active Directory, or to "uid" for other directory services.
LDAP Specifiers: Bind DN	Specifies the LDAP bind account distinguished name.
LDAP Specifiers: Bind Password	Specifies the LDAP bind account password.
LDAP Specifiers: Secure LDAP	Specifies whether Content Gateway will use secure communication with the LDAP server. If enabled, you must set LDAP port to one of the secure ports: 636 or 3269.
LDAP Specifiers: LDAP Attribute Name (Optional)	Specifies the LDAP attribute name.
LDAP Specifiers: LDAP Attribute Value (Optional)	Specifies the LDAP attribute pair.
Apply	Applies the configuration changes.
Close	Exits the configuration file editor. Click Apply before you click Close; otherwise, all configuration changes will be lost.