Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Content Gateway Configuration Files > auth_rules.config
auth_rules.config
Help | Content Gateway | v8.5.x
The auth_rules.config file stores rules that direct specified IP addresses and IP address ranges, and/or traffic on specified inbound ports (explicit proxy only), and/or matching Request header User-Agent values to authenticate with distinct domain controllers. One or more domain controllers can be specified in an ordered list. This feature is called Rule-Based Authentication.
Rule-based authentication rules must be defined in the Content Gateway manager on the Configure > Security > Access Control > Authentication Rules tab. Do not edit this configuration file.
*
Rule-based authentication is supported for Integrated Windows Authentication (IWA), legacy NTLM, and LDAP authentication only.
*
Each authentication rule can specify source IP addresses, inbound port (explicit proxy only), and/or a User-Agent regex
*
Each authentication rule can specify one or more domains in an ordered list. Domains are identified on the Configure > Security > Access Control > Authentication Rules tab. That process includes specifying the authentication method (IWA, Legacy NTLM, LDAP).
*
When a rule matches, authentication is performed against one or more domains in the ordered list. The first successful authentication ends domain list traversal and the authenticating domain is cached for later use.
*
Authentication rules are applied from the list top-down; only the first match is applied. If no rule matches, no user authentication is performed.
 
* 
Note 
If all the users in your network can be authenticated by domain controllers that share trust relationships, you probably don't need rule-based authentication.
However, rule-based authentication can be useful in any deployment that needs to perform special authentication handling based on IP address, inbound proxy port (explicit proxy), and/or User-Agent values.
Format
Each line in auth_rules.config contains an authentication rule that consists of a set of tags, each followed by its value. Authentication rules have the format:
rule_name=<name> src_ip=<IP addresses> user_agent=<regex> <additional tags>
The following table lists all of the tags.
Tags
Allowed value
rule_name
A short, unique name.
enabled
Specifies whether the rule will be active:
*
0 = disabled
*
1 = enabled
src_ip
Takes a comma separated list of IP addresses and IP address ranges. No spaces. If this field is empty, all IP addresses match. The list can contain up to:
*
64 IPv4 addresses
*
32 IPv4 address ranges
*
24 IPv6 addresses
*
12 IPv6 address ranges
user_agent (optional)
Takes a regular expression that is applied to the user-agent string. See Specifying URL regular expressions (url_regex) for information about using regular expressions.
proxy_port (optional)
Takes a port number. Valid with explicit proxy only. Client applications must be configured to send requests to the correct port.
domain_list
An ordered, comma separated list of domains the Content Gateway will attempt to authenticate a matching user with.
use_captive_portal
Specifies whether Captive Portal is used.
*
0 = disabled
*
1 = enabled using HTTP
*
2 = enabled using HTTPS
use_clientcert_auth
Specifies whether Client Certificate Authentication is used.
*
0 = disabled
*
1 = enabled
clientcert_profile
Takes a text string. The name of the Client Certificate Authentication profile to be used with the authentication rule.
clientcert_fallback
Specifies whether the next selected authentication method should be used if Client Certificate Authentication fails.
*
0 = disabled
*
1 = enabled

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Content Gateway Configuration Files > auth_rules.config
Copyright 2023 Forcepoint. All rights reserved.