Content Gateway Security > Content Gateway user authentication > Rule-Based Authentication
Multiple realm networks: Rule-based authentication supports multiple-realm networks, in which domains do not share trust relationships and each domain's members must therefore be authenticated by a domain controller within their own domain. In this environment, rules are created that specify:
Authentication when domain membership is unknown: Some organizations do not always know which domain a user belongs to. For example, this can happen when an organization acquires a new business and the directory services are not yet mapped or consolidated. Rule-based authentication handles unknown domain membership with a rule for a list or range of IP addresses that specifies an ordered list of domains to attempt authentication against. The first domain that authenticates successfully is remembered and used in later authentications. If authentication is not successful against any of the domains, or the browser times out, no authentication is performed.
Authentication based on User-Agent value: One or more User-Agent values can be specified in an authentication rule; often this is a list of browsers. When the User-Agent value matches a rule, authentication is performed against the domain(s) specified in that rule. If the User-Agent value doesn't match any rule and no rule matches on other values, no authentication is performed. This is always true in rule-based authentication: if no rule matches, no authentication is performed.
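The two behaviours above (an ordered domain list for an IP range of unknown membership, and a User-Agent rule) and the per-IP credential cache can be seen together in the following model of the rule evaluation. This is an added example written for this page, not Content Gateway code: the Rule fields, the in-memory DIRECTORY standing in for two untrusted domains' domain controllers, first-match rule ordering, and IP-only caching are all assumptions made for the illustration.

```python
"""Model of rule-based proxy authentication: a request is matched against an
ordered rule list by client IP range and User-Agent, the matching rule's
domains are tried in order, the first domain that succeeds is cached per
client IP, and a request that matches no rule is not authenticated at all.
Illustrative example for this page only; not Content Gateway code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for two domains that do not trust each other, so each
# user can only be authenticated by its own domain (assumption for the example).
DIRECTORY: Dict[str, Dict[str, str]] = {
    "CORP": {"alice": "s3cret"},
    "ACQUIRED": {"bob": "hunter2"},
}


def domain_authenticate(domain: str, user: str, password: str) -> bool:
    """Stand-in for a domain controller check (assumption for this example)."""
    return DIRECTORY.get(domain, {}).get(user) == password


@dataclass
class Rule:
    name: str
    networks: List[str] = field(default_factory=list)     # CIDRs; empty = any client
    user_agents: List[str] = field(default_factory=list)  # substrings; empty = any UA
    domains: List[str] = field(default_factory=list)      # ordered list of domains to try

    def matches(self, client_ip: str, user_agent: str) -> bool:
        ip_ok = not self.networks or any(
            ip_address(client_ip) in ip_network(n) for n in self.networks)
        ua_ok = not self.user_agents or any(u in user_agent for u in self.user_agents)
        return ip_ok and ua_ok


class RuleBasedAuth:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.cache: Dict[str, str] = {}   # client IP -> domain that last succeeded
        self.attempts: List[str] = []     # every domain controller query, for inspection

    def handle(self, client_ip: str, user_agent: str,
               user: str, password: str) -> Tuple[str, Optional[str]]:
        """Return ("authenticated", domain), ("failed", None) or ("no_rule", None)."""
        rule = next((r for r in self.rules if r.matches(client_ip, user_agent)), None)
        if rule is None:
            return ("no_rule", None)   # no matching rule: no authentication is performed
        # Try the remembered domain first, then the rule's ordered list.
        order = [self.cache[client_ip]] if client_ip in self.cache else []
        order += [d for d in rule.domains if d not in order]
        for domain in order:
            self.attempts.append(domain)
            if domain_authenticate(domain, user, password):
                self.cache[client_ip] = domain
                return ("authenticated", domain)
        return ("failed", None)


def build_engine() -> RuleBasedAuth:
    """Two rules: an acquired-business IP range of unknown membership that tries
    CORP then ACQUIRED, and a browser User-Agent rule that only tries CORP."""
    return RuleBasedAuth([
        Rule("acquired-range", networks=["10.20.0.0/16"], domains=["CORP", "ACQUIRED"]),
        Rule("browsers", user_agents=["Firefox", "Chrome"], domains=["CORP"]),
    ])


if __name__ == "__main__":
    engine = build_engine()
    print(engine.handle("10.20.1.5", "curl/8.0", "bob", "hunter2"))   # ('authenticated', 'ACQUIRED')
    print(engine.handle("10.20.1.5", "curl/8.0", "bob", "hunter2"))   # cached domain tried first
    print(engine.attempts)                                             # ['CORP', 'ACQUIRED', 'ACQUIRED']
    print(engine.handle("192.168.5.5", "Mozilla/5.0 Firefox/120", "alice", "s3cret"))
    print(engine.handle("192.168.5.5", "curl/8.0", "alice", "s3cret"))  # ('no_rule', None)
```

The second request from 10.20.1.5 queries only ACQUIRED, because that domain was remembered after the first request; a request that matches no rule never reaches a domain controller. Note that a cache keyed on client IP, as modelled here, assumes one user per address; behind NAT or on a terminal server that assumption fails, which is the situation cookie caching exists for.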
Credential caching configuration is performed on the Configure > Security > Access Control > Global Configuration Options tab. On that page you specify IP address caching, cookie caching, or both. The setting applies to both transparent proxy and explicit proxy traffic. When both IP address caching and cookie caching are specified, the IP addresses that cookie caching is applied to must be specified.
See Credential Caching for more information.
One or more rules are defined for clients and domains (Configure > Security > Access Control > Authentication Rules).
If authentication fails with all domains and the Fail Open (Configure > Security > Access Control > Global Authentication Options) setting is:
Proxy authentication statistics are collected and reported individually for each authentication method. See Security (in the Statistics section).
1. If Content Gateway is an explicit proxy and you want to bring traffic in on multiple ports, specify the ports on the Configure > Protocol > HTTP tab.

2. Configure global authentication options (Configure > Security > Access Control > Global Authentication Options).

3. Create a domain list (Configure > Security > Access Control > Domains).

In rule-based authentication, Content Gateway may authenticate users that are outside the User Service primary domain. In these cases, Content Gateway can be configured to send an "alias" user name that User Service knows about. Alternatively, you can send no name, in which case standard Filtering Service precedence is applied to determine the correct policy. (See Enforcement order in Administrator Help for the Web module.) This choice is made for each domain in the Domain list.

4. Create authentication rules (Configure > Security > Access Control > Authentication Rules).

If client certificate authentication is enabled with the "Use the next selected authentication method if Client Certificate authentication fails" option selected, the domain list cannot be empty.