Support

Go to the table of contents Go to the previous page Go to the next page Go to the index View or print as PDF
Security > Proxy user authentication > Multiple realm authentication > Creating an Integrated Windows Authentication realm rule
Creating an Integrated Windows Authentication realm rule
Help | Content Gateway | Version 7.7.3
Before creating a realm rule for Integrated Windows Authentication, you need to know:
*
The name of the domain that the rule applies to.
*
The set of client IP addresses that the rule applies to. These can be a mix of individual IP addresses and/or IP address ranges.
*
And/or the unique port number on which traffic is inbound to the proxy (explicit proxy only)
*
And/or the Request header User-Agent values that the rule applies to.
*
Or, a combination of the above (port number is explicit proxy only)
 
* 
Note 
After entering all specifiers, you must click Add before you click Apply. If Apply is clicked first, or the edit window is closed, all of the entry fields are cleared.
The size of a rule cannot exceed 512 characters.
1.
In Content Gateway Manager, go to Configure > Security > Access Control and review or specify the Domain, Global Authentication Options, and, if applicable, Transparent Proxy Authentication settings.
2.
If needed, on the Domains tab join the domain (realm).
3.
Go to the Configure > Security > Access Control > Authentication Realms tab. A list of all existing authentication realm rules is displayed at the top of the page.
4.
Click Edit file to open the rule editor.
5.
Select Integrated Windows Authentication from the Rule Type drop down list.
6.
Select Enable if you want the rule to be active when the rule definition process is complete (after the rule is added and the proxy is restarted).
7.
Give the rule a unique Rule Name. A short, descriptive name makes administration of rules easier.
8.
If the rule is to be applied to specific IP addresses, in the Source IP field, enter a comma-separated list of individual IP addresses and/or IP address ranges. Do not use spaces. For example:
10.4.1.1,10.12.1.1-10.12.254.254
Source IP address ranges can overlap. Overlapping ranges may be useful as a quick way of identifying sub-groups in a large pool.
In overlapping ranges, the first match is used.
9.
To apply the rule to specific User-Agent values, enter POSIX-compliant regular expressions (regex) to match the desired values. To specify a common browser type, select a predefined regex from the drop down list and click Add.
When the field is empty, all User-Agents match.
You can edit the field directly.
Use the "|" character (logical 'or') to separate regexes.
The "^" regex operator is not supported.
When the rule is added or updated with the Add or Set button, the regex is validated. If the regex is not valid, the rule is not added or modified.
For an extended description and examples, see Authentication based on User-Agent.
10.
If the rule is for traffic coming in on a specific port, select the Proxy Port from the drop down list. This option is valid with explicit proxy only.
11.
Cookie Mode Caching: When users are NATed or are routed through a proxy chain, resulting in multiple users with the same IP address, you can enable Cookie Mode Caching to identify unique users and cache their credentials.
 
 
Note 
IP address caching is recommended when users have unique IP addresses.
Several special requirements and limitations apply:
*
For transparent deployments, Redirect Hostname must be defined on the Configure > Security > Access Control > Transparent Proxy Authentication tab.
*
When the browser is Internet Explorer, the full proxy hostname in the form "http://host.domain.com" must be added to the Local intranet zone.
*
When the browser is Chrome, it must be configured to allow third-party cookies (this is not set by default), or configured for an exception to allow cookies from the proxy hostname in the form "host.domain.com".
*
When the IP address is set for Cookie Mode and the request method is CONNECT, no caching is performed.
When this option is disabled, the global setting is applied. For transparent proxy deployments, the global option is set on Configure > Security > Access Control > Transparent Proxy Authentication. For explicit proxy deployments, the global option is set on Configure > Security > Access Control > Global Authentication Options.
 
* 
Note 
Cookie mode caching does not work with applications that do not support cookies, or with browsers in which cookie support has been disabled.
12.
To specify an alias name to send to Filtering Service, enable Aliasing. In the entry field, specify the name to use. If the field is left blank, Web Security behaves as configured when servicing requests that do not include a user name. For more information about aliasing, see Unknown users and the 'alias' option.
13.
In the Integrated Windows Authentication Specifiers section, in the Domain/Realm drop down list, select the realm that the rule applies.
14.
Click Add to add the rule.
15.
At the top of the page, check and adjust the position of the rule in the rule list. The first rule matched is applied.
16.
Click Apply and then restart Content Gateway to put the rule into effect.
 
* 
Warning 
If a rule has invalid values, a warning message displays that identifies the invalid rule.
Print print article Email email article Font Size: A A

Search

Article Rating:

Do you have any additional feedback?    Email: close

Related Articles

Quick Links

Service Requests

How are we doing?

Provide us feedback on your experience with the Service Request portal.

provide feedback >

Go to the table of contents Go to the previous page Go to the next page Go to the index View or print as PDF
Security > Proxy user authentication > Multiple realm authentication > Creating an Integrated Windows Authentication realm rule