Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Security > Content Gateway user authentication > Global authentication options
Global authentication options
Help | Content Gateway | Version 8.0.x
Use the Configuration > Security > Access Control > Global Authentication Options page to configure:
*
User authentication Fail Open/fail closed behavior
*
Credential Caching options
*
The Redirect Hostname (required for transparent proxy deployments)
These settings apply to all proxy user authentication configurations, within the parameters stated for each option below.
Whenever changes are made to any of these settings, click Apply to save your changes and then restart the proxy to put the changes into effect.
Fail Open
Fail Open specifies whether requests are allowed to proceed for processing when user authentication fails.
When Fail Open is enabled and a TRITON AP-WEB XID agent is configured, if authentication fails and the client is identified by the XID agent, user-based policy is applied. If the user cannot be identified and a policy is assigned to the client's IP address, that policy is applied. Otherwise, the Default policy is applied.
 
* 
Important 
The Fail Open setting does not apply when IWA is the authentication method and the client fails to retrieve a kerberos ticket from the domain controller (DC) because the DC is down.
The Fail Open setting does apply with IWA when IWA falls back to NTLM.
Options include:
*
Disabled – specifies that requests do not proceed when authentication failures occur.
*
Enabled only for critical service failures (default) – specifies that requests proceed if authentication fails due to:
*
No response from the domain controller
*
The client is sending badly formatted messages
*
Enabled for all authentication failures, including incorrect password – specifies that requests proceed for all authentication failures, including password failures.
 
* 
Important 
When user authentication is rule-based with a domain list:
*
If Enabled only for critical service failures is selected, when a critical service failure occurs fail open is not applied. An error always results in fail closed.
*
If Enabled for all authentication failures, including incorrect password is selected, after trying basic credentials with every domain in the list, fail open is applied.
Credential Caching
Credential Caching options include:
*
Caching Method
*
Cache Time-To-Live (TTL), in minutes
*
LDAP Specific Settings
Credential caching settings apply to all clients whether Content Gateway is an explicit or transparent proxy.
Credential caching applies to:
*
All authentication methods when Content Gateway is a transparent proxy
*
When Content Gateway is an explicit proxy:
*
NTLM when Integrated Windows Authentication (IWA) falls back to or negotiates NTLM
*
Legacy NTLM
When IWA authenticates with Kerberos, Kerberos handles ticket (credential) caching.
Caching Method options:
Cache using IP address only – specifies that all credentials are cached with IP address surrogates. This is the recommended method when all clients have unique IP addresses.
Cache using Cookies only – specifies that all credentials are cached with cookie surrogates. This is recommended when all clients share IP addresses, as with multi-host servers such as Citrix servers, or when traffic is NATed by a device that is forwarding traffic to Content Gateway.
Cache using both IP addresses and Cookies – specifies to use cookie surrogates for the IP addresses listed in the cookie caching list, and to use IP address surrogates for all other IP addresses. This is recommended when the network has a mix of clients, some with unique IP addresses and some using multi-user hosts or that are subject to NATing.
For a description of surrogate credentials, see Surrogate credentials.
 
* 
Important 
Cookie mode caching:
*
Cookie mode caching does not work with applications that do not support cookies, or with browsers in which cookie support has been disabled.
*
When the browser is Internet Explorer, the full proxy hostname in the form "http://host.domain.com" must be added to the Local intranet zone.
*
When the browser is Chrome, it must be configured to allow third-party cookies or configured for an exception to allow cookies from the proxy hostname in the form "host.domain.com".
*
When the IP address is set for cookie mode and the request method is CONNECT, no caching is performed.
*
Cookie mode caching is not performed for FTP requests.
*
Cookie mode caching is supported by Captive Portal.
 
* 
Note 
The user interface setting to disable the NTLM cache for explicit proxy has been removed. Although not recommended, the cache can be disabled for explicit proxy traffic in records.config by setting the value of proxy.config.ntlm.cache.enabled to 0 (zero).
Cache Time-To-Live
Cache Time-To-Live (TTL) specifies the duration, in minutes, that an entry in the cache is retained. When the TTL expires, the entry is removed and the next time that that user submits a request, the user is authenticated. If the authentication succeeds, an entry is placed in the cache.
The default TTL is 15 minutes. The range of valid values is 5 to 1440 minutes.
LDAP Specific Settings
When enabled, Purge LDAP cache on authentication failure causes the proxy to delete the authorization record for the client from the LDAP cache when an LDAP user authentication failure occurs.
Redirect Hostname
Redirect Hostname specifies an alternate hostname for the proxy.
 
* 
Note 
Redirect Hostname is not used by Integrated Windows Authentication.
By default, authenticating clients are redirected to the hostname of the Content Gateway machine. If clients are unable to resolve that hostname through DNS, or if an alternate DNS name for the proxy is defined, that hostname should be specified in the Redirect Hostname field.
 
* 
Note 
To ensure that user authentication for transparent proxy occurs transparently (without prompting the user for credentials), the browser must be configured so that the Redirect Hostname is in its Intranet Zone. Typically, this is achieved by ensuring that the Redirect Hostname is in the same domain as the computer on which the browser is running. For example, if the client is workstation.example.com and the Redirect Hostname is proxyhostname.example.com, the browser allows authentication to occur transparently. Consult your browser documentation.
 
* 
Note 
Content Gateway supports transparent authentication in proxy clusters that use WCCP load distribution. However, the assignment method distribution attribute must be the source IP address. For more information see WCCP load distribution.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Security > Content Gateway user authentication > Global authentication options
Copyright 2016 Forcepoint LLC. All rights reserved.