Content Gateway user authentication

Help | Content Gateway | Version 8.0.x

Related topics:

Browser limitations

Global authentication options

Integrated Windows Authentication

Legacy NTLM authentication

LDAP authentication

RADIUS authentication

Rule-Based Authentication

Mac and iPhone/iPad authentication

Content Gateway supports several methods of authenticating users before their requests are allowed to proceed. These methods can be used together with TRITON AP-WEB user identification (XID) features to provide fallback should user authentication fail or become unavailable.

In both explicit and transparent proxy modes, Content Gateway supports user authentication with:

Integrated Windows Authentication (Kerberos with SPNEGO to NTLM)

Legacy NTLM authentication (NTLMSSP)

LDAP authentication

RADIUS authentication

Content Gateway also supports combinations of Integrated Windows Authentication (IWA), Legacy NTLM, and LDAP using:

Rule-Based Authentication

Rule-Based Authentication summary

Rule-Based Authentication is an ordered list of authentication rules. When a request is processed, the list is traversed top to bottom and the first match is applied.

Rules specify:

How to match a client.

By:

IP address

Inbound proxy port (explicit proxy only)

User-Agent value

A combination of the above

The domain or ordered list of domains to authenticate against. With a list, the first successful authentication is remembered and used in subsequent authentications for that user.

Whether a customizable web portal page should be used for authentication.

Multiple Realm Networks: Rule-Based Authentication supports multiple realm network structures in which Windows Active Directory domains do not have mutual trust relationships and therefore require that each domain's members be authenticated by a domain controller within their domain. In this environment rules are created that specify:

Members of the realm (untrusted domain) by IP address or proxy port

The realm (domain) they belong to

Authenticating when domain membership is unknown: Some organizations do not always know what domain a user belongs to. For example, this can happen when organizations are rapidly acquiring new businesses. The unknown domain membership problem can be handled in rule-based authentication by creating a rule (or rules) for IP address lists or ranges that also specifies an ordered list of domains to attempt to authenticate against. The first successful authentication is remembered and used in later authentications.

Authentication based on User-Agent value: One or more User-Agent values can be specified in an authentication rule. Often this is a list of browsers. When the User-Agent value matches a rule, authentication is performed against the specified domain(s). If the User-Agent value doesn't match any rule, and no rule matches based on other values, no authentication is performed (this is always true; if no rule matches, no authentication is performed).

Selecting the authentication method

The authentication method is selected in the Authentication section of the Configure > My Proxy > Basic page. Configuring authentication for rule-based authentication begins with selecting Rule-Based Authentication.

Supported domain controllers and directories

Windows NT domain controllers

Windows 2003, 2008, 2012 Active Directory

Novell eDirectory 8.7 and 8.8 (LDAP only)

Oracle DSEE 11g, Sun Java 7 and 6.2 (LDAP only)

Best practices when using Windows Active Directory

If you have only one Active Directory domain, or if all of your Active Directory domains share inbound and outbound trust relationships, the best option is to deploy Integrated Windows Authentication. However, if you want to control authentication based on User-Agent values, you must use Rule-Based Authentication.

If you have multiple domains or realms and user authentication is a requirement, you must use Rule-Based Authentication. For details, see Rule-Based Authentication.

If user identification is sufficient, you can use one of the TRITON AP-WEB user identification options. See the section titled User Identification in the Administrator Help for the Web module of the TRITON Manager.

Backup domain controllers

For Integrated Windows Authentication and Legacy NTLM, Content Gateway supports the specification of backup domain controllers for failover. If the primary domain controller (DC) does not respond to proxy requests, Content Gateway contacts the next DC in the list (the backup domain controller). For the next request, the proxy tries to contact the primary DC again and then contacts the backup DC if the connection fails.

Transparent user authentication

Content Gateway supports both transparent (Single Sign-On) and interactive (prompted) authentication. Transparent authentication is supported with Integrated Windows Authentication and Legacy NTLM. Some browsers provide only limited support. See Browser limitations.

On Windows networks, Single Sign-On allows users to sign on only once so that they can transparently access all authorized network resources. Therefore, if a user has already logged on to the Windows network successfully, the credentials specified during Windows logon are used for proxy authentication and the user is not prompted again for a username and password.

[Interactive authentication is supported in networks that are not configured for Single Sign-On and for use with browsers that don't support Single Sign-On. With interactive authentication, users are prompted for credentials before they can access content through Content Gateway.