Authentication based on User-Agent
In an authentication rule, the value of the User-Agent request header can be used to determine whether user authentication is performed. This is useful when you want to authenticate users using a known set of client applications, usually browsers, and allow other applications, often a set of applications that don't support authentication, to proceed without authentication. Such rules can also specify IP addresses and, if Content Gateway is an explicit proxy, the inbound proxy port.
As with all authentication rules, the first matching rule is applied. (For a complete description of rule-based authentication, see Rule-Based Authentication.)
When the User-Agent field is used, the critical element is the regular expression (regex) that performs the match.
*
*
*
*
*
*
When you click Apply (after Add or Set), the regex is parsed and validated. If the regex is not valid, the rule is deleted and must be recreated with a valid regex.
Following are a few examples of custom regexes.
Microsoft Internet Explorer 7, 8, or 9:
MSIE ([7-9]{1}[\.0-9]{0})
Example User-Agent string:
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Microsoft Internet Explorer Mobile, all versions:
IEMobile
Example User-Agent string:
Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0)
Apple iPhone, all versions:
(iPhone) OS (\d+)_(\d+)(?:_(\d+))?
Example User-Agent string:
Mozilla/5.0 (iPod; U; CPU iPhone OS 4_3_3 like Mac OS X; ja-jp) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5
Apple iPad, all versions:
(iPad).+ OS (\d+)_(\d+)(?:_(\d+))?
Example User-Agent string:
Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25
Search the Internet for lists of User-Agent strings, example regular expressions, regex checkers, and related resources.
Use case:
This describes a case in which an organization with a single domain wants to authenticate requests from 2 common web browsers. They also want to bypass authentication for web applications that do not support authentication.
An organization—let's call it Best Corp—uses Content Gateway. They have one domain (BCORP), and one domain controller. They use IWA to authenticate users.
Best Corp wants to ensure that:
*
*
The User-Agent feature of rule-based authentication makes this possible.
To configure the solution, Best Corp:
1.
2.
3.
a.
b.
In the User-Agent field, they use the Predefined drop-down list to select and Add Internet Explorer and Firefox. The regex looks like:
MSIE*|Firefox*
That's it. With this configuration, all requests from Internet Explorer and Firefox, the only 2 browsers that can be installed on their computers, are subject to user authentication. All other requests, most particularly web applications, bypass authentication. To further customize the approach, Best Corp could create other authentication rules and/or add proxy filtering rules (filter.config) to deny or bypass specific applications by User-Agent value.
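Because an invalid regex causes the rule to be deleted on Apply, it helps to check a regex offline before entering it. The following is an added example, not part of the Content Gateway documentation or product: it compiles each regex from this page and lists which sample User-Agent strings it selects. It assumes that Python's re module and an unanchored search approximate how the proxy evaluates the field; the Firefox and SetupTool strings are constructed.

```python
import re

# Regexes copied from this page.
PAGE_REGEXES = {
    "IE 7-9": r"MSIE ([7-9]{1}[\.0-9]{0})",
    "IE Mobile": r"IEMobile",
    "iPhone": r"(iPhone) OS (\d+)_(\d+)(?:_(\d+))?",
    "iPad": r"(iPad).+ OS (\d+)_(\d+)(?:_(\d+))?",
    "Best Corp": r"MSIE*|Firefox*",
}

# User-Agent strings from this page; the last two are constructed samples.
SAMPLES = {
    "ie9": "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
    "iemobile": "Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0)",
    "iphone": "Mozilla/5.0 (iPod; U; CPU iPhone OS 4_3_3 like Mac OS X; ja-jp) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5",
    "ipad": "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25",
    "firefox": "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0",
    "setuptool": "SetupTool MSI/5.0",
}


def validate(pattern):
    """Return None if the pattern compiles, otherwise the parser's error text."""
    try:
        re.compile(pattern)
        return None
    except re.error as exc:
        return str(exc)


def matches(pattern, user_agent):
    """Unanchored search (assumption: mirrors how the proxy applies the regex)."""
    return re.search(pattern, user_agent) is not None


def coverage(pattern):
    """Sorted names of the sample User-Agents that the pattern selects."""
    return sorted(name for name, ua in SAMPLES.items() if matches(pattern, ua))


if __name__ == "__main__":
    for label, rx in PAGE_REGEXES.items():
        err = validate(rx)
        print(f"{label:10} {'INVALID: ' + err if err else coverage(rx)}")
```

In a regex, * repeats the preceding character zero or more times, so MSIE*|Firefox* also selects any User-Agent containing "MSI" or "Firefo", such as the constructed SetupTool string; an application like that would be asked to authenticate under the Best Corp rule.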

Copyright 2016 Forcepoint LLC. All rights reserved.