Filtering	Displays an order list of filtering rules. Three filtering rules are configured by default. The first denies traffic on port 25 to all destinations. The second and third bypass user authentication for connections to 2 ThreatScope destinations.
Refresh	Updates the table to display the most up-to-date rules in the filter.config file.
Edit File	Opens the configuration file editor for the filter.config file.
	filter.config Configuration File Editor
rule display box	Lists the rules currently stored in filter.config. Select a rule to edit it. The buttons on the left of the box allow you to delete or move the selected rule up or down in the list.
Add	Adds a new rule to the rule display box at the top of the configuration file editor page. Click Add after selecting or entering values for the rule.
Set	Updates the rule display box at the top of the configuration file editor page.
Rule Type	Specifies the rule type: Select allow to allow particular URL requests to bypass authentication. Select deny to deny requests for objects from specific destinations. When a request is denied, the client receives an access denied message. Select keep_hdr to specify which client request header information you want to keep. Select strip_hdr to specify which client request header information you want to strip. Select add_hdr to cause a custom header to be added to the request. This rule type requires that values be defined for Custom Header and Header Value. Add custom headers to satisfy specific requirements of a destination domain. See Filtering Rules. The radius rule type is not supported.
Primary Destination Type	Lists the primary destination types: dest_domain is a requested domain name. dest_host is a requested host name. dest_ip is a requested IP address. url_regex is a regular expression to be found in a URL.
Primary Destination Value	Specifies the value of the Primary Destination Type. For example, if the Primary Destination Type is dest_ip, the value for this field might be 123.456.78.9.
Additional Specifiers: Header Type	Specifies the client request header information that you want to keep or strip. This option applies to only keep_hdr or strip_hdr rule types.
Additional Specifiers: Realm (optional)	Not supported.
Additional Specifiers: Proxy Port (optional)	Specifies the proxy port to match for this rule.
Additional Specifiers: Custom Header (optional)	For use when the rule type is add_hdr. Specifies the custom header name that the destination domain expects to find in the request.
Additional Specifiers: Header Value (optional)	For use when the rule type is add_hdr. Specifies the custom header value that the destination domain expects to be paired with the custom header.
Secondary Specifiers: Time	Specifies a time range, such as 08:00-14:00.
Secondary Specifiers: Prefix	Specifies a prefix in the path part of a URL.
Secondary Specifiers: Suffix	Specifies a file suffix in the URL.
Secondary Specifiers: Source IP	Specifies the IP address of the client.
Secondary Specifiers: Port	Specifies the port in a requested URL.
Secondary Specifiers: Method	Specifies a request URL method: get post put trace
Secondary Specifiers: Scheme	Specifies the protocol of a requested URL. Options are: HTTP HTTPS FTP (for FTP over HTTP only) rtsp and mms are not supported.
Secondary Specifiers: User-Agent	Specifies the Request header User-Agent value. Use this field to create application filtering rules that: Allow applications that don't properly handle authentication challenges to bypass authentication Block specified client-based applications from accessing the Internet
Apply	Applies the configuration changes.
Close	Exits the configuration file editor. Click Apply before you click Close; otherwise, all configuration changes will be lost.

Note  The user interface setting to disable the NTLM cache for explicit proxy has been removed. Although not recommended, the cache can be disabled for explicit proxy traffic in records.config by setting the value of proxy.config.ntlm.cache.enabled to 0 (zero).

Global Configuration Options
Fail Open	Disabled – Prevents requests from proceeding to the Internet when an authentication failure occurs. Enabled only for critical service failures (default) – Allows requests to proceed if authentication fails because there is no response from the domain controller or because the client is sending badly formatted messages. Enabled for all authentication failures – Allows requests to proceed for all authentication failures, including password failures. When a fail open setting is enabled, if a Web Security XID agent is configured an attempt is made to identify the requestor and apply user-based policy. Otherwise, if a policy has been assigned to the client's IP address, that policy is applied. Otherwise, the Default policy is applied. Important: When user authentication is rule-based with a domain list: If Enabled only for critical service failures is selected, when a critical service failure occurs fail open is not applied. An error always results in fail closed. If Enabled for all authentication failures, including incorrect password is selected, after trying basic credentials with every domain in the list, fail open is applied. Important: The Fail Open setting does not apply when IWA is the authentication method and the client fails to retrieve a kerberos ticket from the domain controller (DC) because the DC is down. The Fail Open setting does apply with IWA when IWA falls back to NTLM and authentication fails.
Credential Caching: Caching Method	Cache using IP address only – specifies that all credentials are cached with IP address surrogates. This is the recommended method when all clients have unique IP addresses. Cache using Cookies only – specifies that all credentials are cached with cookie surrogates. This is recommended when all clients share IP addresses, as with multi-host servers such as Citrix servers, or when traffic is NATed by a device that is forwarding traffic to Content Gateway. Cache using both IP addresses and Cookies – specifies to use cookie surrogates for the IP addresses listed in the cookie caching list, and to use IP address surrogates for all other IP addresses. This is recommended when the network has a mix of clients, some with unique IP addresses and some using multi-user hosts or that are subject to NATing. For a description of surrogate credentials, see Surrogate credentials. Important: Cookie mode caching does not work with applications that do not support cookies, or with browsers in which cookie support has been disabled. When the browser is Internet Explorer, the full proxy hostname in the form "http://host.domain.com" must be added to the Local intranet zone. When the browser is Chrome, it must be configured to allow third-party cookies or configured for an exception to allow cookies from the proxy hostname in the form "host.domain.com". When the IP address is set for cookie mode and the request method is CONNECT, no caching is performed. Cookie mode caching is not performed for FTP requests. Cookie mode caching is not supported by the 7.8.3 version of Captive Portal. Support for cookie mode caching was added for Captive Portal in 7.8.4.
Credential Caching: Time-To-Live	Specifies the duration, in minutes, that an entry in the cache is retained. When the TTL expires, the entry is removed and the next time that that user submits a request, the user is authenticated. If the authentication succeeds, an entry is placed in the cache.
Purge LDAP cache on authentication failure	Specifies that when an LDAP user authentication failure occurs, Content Gateway will delete the authorization record for that client from the LDAP cache.
Redirect Hostname	For transparent proxy, specifies an alternate hostname for the proxy that all clients on the network can resolve. Required. For complete information see Redirect Hostname.

Integrated Windows Authentication
Domain Name	Specifies the fully qualified Windows domain name.
Administrator Name	Specifies the Windows Administrator user name.
Administrator Password	Specifies the Windows Administrator password. Note: The name and password are used only during the join and are not stored.
Domain Controller	Specifies how to locate the domain controller: Auto-detect using DNS DC name or IP address If the domain controller is specified by name or IP address, you can also specify backup domain controllers in a comma separated list.
Content Gateway Hostname	Specifies the Content Gateway hostname. Because IWA uses the hostname as a NetBIOS name when registering with Kerberos, the hostname cannot exceed 15 characters in length (a NetBIOS restriction), or 11 characters on V-Series appliances (V-Series adds 4 characters to the hostname to ensure that the hostname is unique across modules (Doms). IMPORTANT: Once the domain is joined the hostname cannot be changed. If it is, IWA will immediately stop working until the domain is unjoined and then rejoined with the new hostname.
Join Domain	Click Join Domain to join the domain.

LDAP
LDAP Server: Hostname	Specifies the hostname of the LDAP server. If you change this option, you must restart Content Gateway.
LDAP Server: Port	Specifies the port used for LDAP communication. The default port number is 389. To use the default Global Catalog server port, specify port 3268. If Secure LDAP is enabled, set the port to 636 or 3269 (the secure LDAP ports). If you change this option, you must restart Content Gateway.
LDAP Server: Secure LDAP	Specifies whether Content Gateway will use secure communication with the LDAP server. If enabled, set the LDAP Port field (above) to 636 or 3269 (the secure LDAP ports).
LDAP Server: Server Type	Specifies the search filter. Select either Microsoft Active Directory or other directory services.
LDAP Server: Bind Distinguished Name	Specifies the Full Distinguished Name (fully qualified name) of a user in the LDAP-based directory service. For example: CN=John Smith,CN=USERS,DC=MYCOMPANY, DC=COM Enter a maximum of 128 characters in this field. If you do not specify a value for this field, the proxy attempts to bind anonymously.
LDAP Server: Password	Specifies a password for the user identified in the Bind_DN field.
LDAP Server: Base Distinguished Name	Specifies the base Distinguished Name (DN). You can obtain this value from your LDAP administrator. You must specify a correct base DN; otherwise LDAP authentication will fail to operate. If you change this option, you must restart Content Gateway.

Radius
Primary Radius Server: Hostname	Specifies the hostname or IP address of the primary RADIUS authentication server. If you change this option, you must restart Content Gateway.
Primary Radius Server: Port	Specifies the port that Content Gateway uses to communicate with the primary RADIUS authentication server. The default port is 1812. If you change this option, you must restart Content Gateway.
Primary Radius Server: Shared Key	Specifies the key to use for encoding. If you change this option, you must restart Content Gateway.
Secondary Radius Server (optional): Hostname	Specifies the hostname or IP address of the secondary RADIUS authentication server. If you change this option, you must restart Content Gateway.
Secondary Radius Server (optional): Port	Specifies the port that Content Gateway uses to communicate with the secondary RADIUS authentication server. The default port is 1812. If you change this option, you must restart Content Gateway.
Secondary Radius Server (optional): Shared Key	Specifies the key to use for encoding. If you change this option, you must restart Content Gateway.

NTLM
Domain Controller Hostnames	Specifies the hostnames of the domain controllers in a comma separated list. The format is: host_name[:port][%netbios_name] or IP_address[:port][%netbios_name] If you are using Active Directory 2008, you must include the netbios_name or use SMB port 445. If you change this option, you must restart Content Gateway.
Load Balancing	Enables or disables load balancing. When enabled, Content Gateway balances the load when sending authentication requests to the domain controllers. Note: When multiple domain controllers are specified, even if load balancing is disabled, when the load on the primary domain controller reaches the maximum number of connections allowed, new requests are sent to a secondary domain controller as a short-term failover provision, until such time that the primary domain controller can accept new connections. If you change this option, you must restart Content Gateway.

Important  You must configure the Domains list before you configure authentication rules. If you have never configured rule-based authentication, see Rule-Based Authentication, for complete information.

Domains
Domain List	An unordered list of domains that have been identified for use in authentication rules. Use the Edit button to change some attributes associated with the domain. Use the Delete or Unjoin button to remove a domain from the list. The domain list is stored in auth_domains.config.
Domain list: New Domain button	Use the New Domain button to add a domain to the Domains list. The screen is expanded to allow for specification of the domain.
	New Domain action
Domain Details: Domain Identifier	Specify a unique name for the domain. The name is used only by Content Gateway; it does not change any attribute of the actual domain or directory. Important: You cannot change the domain identifier after it has been added to the list. To change the name, delete the entry from the list and re-add it with the new name.
Domain Details: Authentication Method	Specify the authentication method: IWA, Legacy NTLM, or LDAP. Radius is not supported. When you select an authentication method, configuration options specific to that method are added to the page. Important: You cannot change the authentication method after you add the domain to the list. To change the authentication method, delete the entry from the list and re-add the domain specifying the new authentication method.
Domain Details: Aliasing	Specify an alias to send to the filtering service for all users who match this rule (optional). The alias must be static. It can be empty (blank). The alias must exist in the primary domain controller (the DC visible to the filtering service). See Unknown users and the 'alias' option.
IWA Domain Details	These options are presented when IWA is specified as the authentication method.
Domain Name	Specify the fully qualified domain name. For example: corp-domain.example.com
Administrator Name	Specify a Windows Active Directory domain administrator user name.
Administrator Password	Specify the corresponding domain administrator password. Note: The name and password are used only during the join and are not stored.
Domain Controller	Specify how to locate the domain controller: Auto-detect using DNS DC name or IP address If the domain controller is specified by name or IP address, you can also specify backup domain controllers in a comma separated list.
Content Gateway Hostname	Specify the Content Gateway hostname. Because IWA uses the hostname as a NetBIOS name when registering with Kerberos, the hostname cannot exceed 15 characters in length (a NetBIOS restriction), or 11 characters on V-Series appliances (V-Series adds 4 characters to the hostname to ensure that the hostname is unique across modules (Doms). Warning: Once the domain is joined the hostname cannot be changed. If it is, IWA will immediately stop working until the domain is unjoined and then rejoined with the new hostname.
Join Domain	Click Join Domain to join the domain.
Legacy NTLM Domain Details
Domain Controller	Specify the IP address and port number of the primary domain controller (if no port is specified, Content Gateway uses port 139), followed by a comma separated list of secondary domain controllers to be used for load balancing and failover.
Load Balance	Select the check box to balance the load across multiple NTLM DCs. Note: When multiple domain controllers are specified, even if load balancing is disabled, when the load on the primary domain controller reaches the maximum number of connections allowed, new requests are sent to a secondary domain controller as a short-term failover provision, until such time that the primary domain controller can accept new connections.
LDAP Domain Details
LDAP Server Name	Specify the LDAP server name.
LDAP Server Port	Specify the LDAP Server Port (optional) The default is 389.
LDAP Base Distinguished Name	Specify the LDAP Base Distinguished Name.
LDAP Server Type	Set the search filter to "sAMAccountName" for Active Directory, or "uid" for other directory services.
Bind Domain Name	Specify the LDAP bind account distinguished name. For example: CN=John Smith,CN=USERS,DC=MYCOMPANY, DC=COM The field length is limited to 128 characters. If no value is specified, Content Gateway attempts to bind anonymously.
Bind Password	Specify the LDAP bind account password.
Secure LDAP	Specify whether Content Gateway will use secure communication with the LDAP server. If enabled, you must set the LDAP port to one of the secure ports: 636 or 3269.

Important  If you have never configured rule-based authentication, see Rule-Based Authentication, for complete information.

Authentication Rules
Authentication Rule List	Displays a table of the ordered list of rules defined for user authentication. Rules are defined for sets of clients to be authenticated against one or more IWA, LDAP and NTLM domains. See Rule-Based Authentication.
Refresh	Updates the table to display the current rules in the auth_rules.config file.
Edit File	Opens the authentication rule editor. Warning: Do not edit rules directly in the configuration file.
	auth_rules.config Configuration File Editor
rule display box	Lists, in order, the current rule set. When user authentication is performed, the list is traversed, top-down and the first match is applied. Select a rule to edit it. The arrows to the left of the box allow you to move the selected rule up or down in the list. The "X" button deletes the selected rule. Rules cannot be more than 512 characters.
Add	Adds a new rule.
Set	Updates the selected rule with the current values.
Status	Specifies whether the rule is enabled (active) or disabled after the rule is saved and Content Gateway is restarted. You can create a rule and not enable it until other elements of your network are ready to support it.
Rule Name	Specifies a unique, descriptive name for the rule. It is recommended that the name not exceed 50 characters.
Source IP	Specifies IP addresses or IP address ranges for this rule (must be entered without any spaces). Example: 10.1.1.1 or 0.0.0.0-255.255.255.255 or 10.1.1.1,20.2.2.2,3.0.0.0-3.255.255.255
Proxy Port	Specifies the inbound port for traffic when Content Gateway is deployed as an explicit proxy. If undefined, all ports match, as configured on Configure > Protocols > HTTP > General. Transparent proxy deployment should leave this field undefined.
User-Agent	Specifies 1 or more regular expressions used to match text in the User-Agent string, for example to match common browsers. Regexes must be POSIX-compliant. The "^" operator is not supported. When the field is empty, all User-Agent values match. You can edit the field directly. To insert a predefined regex for a common browser, select it from the drop down list and click Add. Multiple regexes can be specified. Use the "|" character to separate entries (logical 'or'). For more information, including regex examples, see Authentication based on User-Agent.
Auth Sequence	Specifies 1 or more domains to use for authentication. Select a domain from the Domains drop down list (populated from the Domains List), and click Include to add it to the list. If you add more than one domain, you can set the order by selecting an entry and using the up and down arrows. You can delete a selected domain with the "X" button. Best practice: If you know what domain a set of users belongs to, create a rule just for that group. Best practice: Place the rule with the largest number of users authenticating with known domain membership at the top of the list. These are the fastest authentications. Best practice: If you don't know what domain a set of users belongs to, specify the fewest number of domains needed to authenticate the users in the set. Best practice: It is always better to create targeted rules because attempting to authenticate against a large set of domains can introduce noticeable latency. Important: When user authentication is rule-based with a domain list: For each user, the first successful authentication is cached and used in subsequent authentications. If IP address caching is configured, an IP address surrogate is cached. If Cookie Mode is configured, a cookie surrogate is cached. For Fail Open: If Enabled only for critical service failures is selected, the fail open setting is not applied. The user continues to be prompted for credentials until there is a timeout. If Enabled for all authentication failures, including incorrect password is selected, after trying basic credentials with every domain in the list, fail open is applied.
Captive Portal	Click Enabled (7.8.3) or Enabled for HTTPS/HTTP Authentication page (beginning with 7.8.4) to redirect users to a customizable web portal page for authentication. See Authentication using Captive Portal for details.
Apply	Applies the configuration changes. Important: If the rule specifies a regex for User-Agent, the regex is validated when Apply is clicked. If the regex is not valid, the rule is deleted and must be recreated.
Close	Exits the configuration file editor. Click Apply before you click Close; otherwise, all configuration changes will be lost.