Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Content Gateway Security > Content Gateway user authentication
Content Gateway user authentication
Help | Content Gateway | v8.5.x
Related topics:
Content Gateway supports several methods of authenticating users before their requests are allowed to proceed. These methods can be used together with Forcepoint Web Security user identification features to provide fallback should user authentication fail or become unavailable.
 
Important 
In both explicit and transparent proxy modes, Content Gateway supports user authentication with:
*
Integrated Windows Authentication (Kerberos with SPNEGO to NTLM)
*
*
*
Content Gateway also supports combinations of Integrated Windows Authentication (IWA), Legacy NTLM, and LDAP using:
*
Rule-Based Authentication summary
Rule-Based Authentication is an ordered list of authentication rules. When a request is processed, the list is traversed top to bottom and the first match is applied.
Rules specify:
1.
By:
*
*
*
*
2.
3.
Multiple Realm Networks: Rule-Based Authentication supports multiple realm network structures in which Windows Active Directory domains do not have mutual trust relationships and therefore require that each domain's members be authenticated by a domain controller within their domain. In this environment rules are created that specify:
1.
2.
Authenticating when domain membership is unknown: Some organizations do not always know what domain a user belongs to. For example, this can happen when organizations are rapidly acquiring new businesses. The unknown domain membership problem can be handled in rule-based authentication by creating a rule (or rules) for IP address lists or ranges that also specifies an ordered list of domains to attempt to authenticate against. The first successful authentication is remembered and used in later authentications.
Authentication based on User-Agent value: One or more User-Agent values can be specified in an authentication rule. Often this is a list of browsers. When the User-Agent value matches a rule, authentication is performed against the specified domain(s). If the User-Agent value doesn't match any rule, and no rule matches based on other values, no authentication is performed (this is always true; if no rule matches, no authentication is performed).
Selecting the authentication method
The authentication method is selected in the Authentication section of the Configure > My Proxy > Basic page. Configuring authentication for rule-based authentication begins with selecting Rule-Based Authentication.
Supported domain controllers and directories
*
*
*
*
Best practices when using Windows Active Directory
If you have only one Active Directory domain, or if all of your Active Directory domains share inbound and outbound trust relationships, the best option is to deploy Integrated Windows Authentication. However, if you want to control authentication based on User-Agent values, you must use Rule-Based Authentication.
If you have multiple domains or realms and user authentication is a requirement, you must use Rule-Based Authentication. For details, see Rule-Based Authentication.
If user identification is sufficient, you can use one of the Forcepoint Web Security user identification options. See the "User Identification" section of the Forcepoint Web Security Administrator Help.
Backup domain controllers
For Integrated Windows Authentication and Legacy NTLM, Content Gateway supports the specification of backup domain controllers for failover. If the primary domain controller (DC) does not respond to proxy requests, Content Gateway contacts the next DC in the list (the backup domain controller). For the next request, the proxy tries to contact the primary DC again and then contacts the backup DC if the connection fails.
Transparent user authentication
Content Gateway supports both transparent (Single Sign-On) and interactive (prompted) authentication. Transparent authentication is supported with Integrated Windows Authentication and Legacy NTLM. Some browsers provide only limited support. See Browser limitations.
On Windows networks, Single Sign-On allows users to sign on only once so that they can transparently access all authorized network resources. Therefore, if a user has already logged on to the Windows network successfully, the credentials specified during Windows logon are used for proxy authentication and the user is not prompted again for a username and password.
Interactive authentication is supported in networks that are not configured for Single Sign-On and for use with browsers that don't support Single Sign-On. With interactive authentication, users are prompted for credentials before they can access content through Content Gateway.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Content Gateway Security > Content Gateway user authentication
Copyright 2020 Forcepoint. All rights reserved.