Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Configuration Files > auth_rules.config
auth_rules.config
Help | Content Gateway | Version 7.8.x
The auth_rules.config file stores rules that direct specified IP addresses and IP address ranges, and/or traffic on specified inbound ports (explicit proxy only), and/or matching Request header User-Agent values to authenticate with distinct domain controllers. One or more domain controllers can be specified in an ordered list. This feature is called Rule-Based Authentication.
Rule-based authentication rules must be defined in the Content Gateway manager on the Configure > Security > Access Control > Authentication Rules tab. Do not edit this configuration file.
*
Rule-based authentication is supported for Integrated Windows Authentication (IWA), legacy NTLM, and LDAP authentication only.
*
Each authentication rule can specify source IP addresses, inbound port (explicit proxy only), and/or a User-Agent regex
*
Each authentication rule can specify one or more domains in an ordered list. Domains are identified on the Configure > Security > Access Control > Authentication Rules tab. That process includes specifying the authentication method (IWA, Legacy NTLM, LDAP).
*
When a rule matches, authentication is performed against one or more domains in the ordered list. The first successful authentication ends domain list traversal and the authenticating domain is cached for later use.
*
Authentication rules are applied from the list top-down; only the first match is applied. If no rule matches, no user authentication is performed.
 
* 
Note 
If all the users in your network can be authenticated by domain controllers that share trust relationships, you probably don't need rule-based authentication.
However, rule-based authentication can be useful in any deployment that needs to perform special authentication handling based on IP address, inbound proxy port (explicit proxy), and/or User-Agent values.
Format
Each line in auth_rules.config contains an authentication rule that consists of a set of tags, each followed by its value. Authentication rules have the format:
rule_name=<name> src_ip=<IP addresses> user_agent=<regex> <additional tags>
The following table lists all of the tags.
Tags
Allowed value
rule_name
A short, unique name.
enabled
Specifies whether the rule will be active:
*
0 = disabled
*
1 = enabled
src_ip
Takes a comma separated list of IP addresses and IP address ranges. No spaces. If this field is empty, all IP addresses match.
user_agent (optional)
Takes a regular expression that is applied to the user-agent string.
proxy_port (optional)
Takes a port number. Valid with explicit proxy only. Client applications must be configured to send requests to the correct port.
domain_list
An ordered, comma separated list of domains the Content Gateway will attempt to authenticate a matching user with.
use_captive_portal
Specifies whether Captive Portal (available beginning with 7.8.3) is used.
*
0 = disabled
*
1 = enabled using HTTP
*
2 = enabled using HTTPS (available beginning with 7.8.4)

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Configuration Files > auth_rules.config
Copyright 2016 Forcepoint LLC. All rights reserved.