Authentication based on User-Agent

In an authentication rule, a Request header User-Agent value can be used to determine if user authentication will be performed. This is useful when you want to authenticate users using a known set of client applications, usually browsers, and allow other applications, often a set of applications that don't support authentication, to proceed without authentication. Such rules can also specify IP addresses and, if Content Gateway is an explicit proxy, inbound proxy port.

As with all authentication rules, the first matching rule is applied. (For a complete description of rule-based authentication, see Rule-Based Authentication.)

When the User-Agent field is used, the critical element is the regular expression (regex) that preforms the match.

The regex must be POSIX-compliant.

The "^" regex operator is not supported.

Predefined regexes are provided for the most common browsers.

When the field is empty, all User-Agent values match.

You can create a custom regex by directly editing the field.

Multiple regexes are allowed. They must be separated by a "|" ('or' operator).

When you click Apply (after Add or Set), the regex is parsed and validated. If the regex is not valid, the rule is deleted and must be recreated with a valid regex.

Following are a few examples of custom regexes.

Microsoft Internet Explorer 7, 8, or 9:

MSIE ([7-9]{1}[\.0-9]{0})

Example User-Agent string:

Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Microsoft Internet Explorer Mobile, all versions:

IEMobile

Example User-Agent string:

Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0)

Apple iPhone, all versions:

(iPhone) OS (\d+)_(\d+)(?:_(\d+))?

Example User-Agent string:

Mozilla/5.0 (iPod; U; CPU iPhone OS 4_3_3 like Mac OS X; ja-jp) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5

Apple iPad, all versions:

(iPad).+ OS (\d+)_(\d+)(?:_(\d+))?

Example User-Agent string:

Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25

Search the Internet for lists of User-Agent strings, example regular expressions, regex checkers, and related resources.

Use case:

This describes a case in which an organization with a single domain wants to authenticate requests from 2 common web browsers. They also want to bypass authentication for web applications that do not support authentication.

An organization—let's call it Best Corp—uses Content Gateway. They have one domain (BCORP), and one domain controller. They use IWA to authenticate users.

Best Corp wants to ensure that:

Requests from common web browsers are authenticated. They control which web browsers are allowed on their computers.

Web applications that don't support authentication bypass authentication.

The User-Agent feature of rule-based authentication makes this possible.

To configure the solution, Best Corp:

Enables Rule-Based Authentication.

Adds the BCORP domain to the Domains list.

Creates an IWA rule that:

Optionally, specifies the supported client IP address ranges.

Specifies, by User-Agent value, the web browsers to authenticate.

In the User-Agent field, they use the Predefined drop down list to select and Add Internet Explorer and Firefox. The regex looks like:

MSIE*|Firefox*

That's it. With this configuration, all requests from Internet Explorer and Firefox, the only 2 browsers that can be installed on their computers, are subject to user authentication. All other requests, most particularly web applications, bypass authentication. To further customize the approach, Best Corp could create other authentication rules and/or add proxy filtering rules (filter.config) to deny or bypass specific applications by User-Agent value.