Important  The Fail Open setting does not apply when IWA is the authentication method and the client fails to retrieve a kerberos ticket from the domain controller (DC) because the DC is down. The Fail Open setting does apply with IWA when IWA falls back to NTLM. The Fail Open setting does not apply when using LDAP in explicit proxy mode.

Important  When user authentication is rule-based with a domain list: If Enabled only for critical service failures is selected, when a critical service failure occurs fail open is not applied. An error always results in fail closed. If Enabled for all authentication failures, including incorrect password is selected, after trying basic credentials with every domain in the list, fail open is applied.

Note  This feature should be used for clients for whom IP or cookie cache is not available, such as NATed IP addresses or IP addresses used for clients behind a terminal server. Since all requests from the clients listed are authenticated, performance may be impacted.

Important  Cookie mode caching: Cookie mode caching does not work with applications that do not support cookies, or with browsers in which cookie support has been disabled. When the browser is Internet Explorer, the full proxy hostname in the form "http://host.domain.com" must be added to the Local intranet zone. When the browser is Chrome, it must be configured to allow third-party cookies or configured for an exception to allow cookies from the proxy hostname in the form "host.domain.com". When the IP address is set for cookie mode and the request method is CONNECT, no caching is performed. Cookie mode caching is not performed for FTP requests. Cookie mode caching is supported by Captive Portal and client certificate authentication. For explicit proxy, cookie-based authentication is not supported for HTTPS. IP-address authentication is used.

Note  The user interface setting to disable the NTLM cache for explicit proxy has been removed. Although not recommended, the cache can be disabled for explicit proxy traffic in records.config by setting the value of proxy.config.ntlm.cache.enabled to 0 (zero).

Note  To ensure that user authentication for transparent proxy occurs transparently (without prompting the user for credentials), the browser must be configured so that the Redirect Hostname is in its Intranet Zone. Typically, this is achieved by ensuring that the Redirect Hostname is in the same domain as the computer on which the browser is running. For example, if the client is workstation.example.com and the Redirect Hostname is proxyhostname.example.com, the browser allows authentication to occur transparently. Consult your browser documentation.

Note  Content Gateway supports transparent authentication in proxy clusters that use WCCP load distribution. However, the assignment method distribution attribute must be the source IP address. For more information see WCCP load distribution.

Note  To ensure that user authentication for transparent proxy occurs transparently (without prompting the user for credentials), the browser must be configured so that the Redirect Hostname is in its Intranet Zone. Typically, this is achieved by ensuring that the Redirect Hostname is in the same domain as the computer on which the browser is running. For example, if the client is workstation.example.com and the Redirect Hostname is proxyhostname.example.com, the browser allows authentication to occur transparently. Consult your browser documentation.

Note  Content Gateway supports transparent authentication in proxy clusters that use WCCP load distribution. However, the assignment method distribution attribute must be the source IP address. For more information see WCCP load distribution.

Note  All proxies in the cluster must use the same caching method when cookie sharing is enabled.

Important  When custom keys are imported, the default files provided by Forcepoint are overwritten. You should backup the default keys prior to importing. See Save Public Key and Save Private Key below.

Important  Cookie sharing has the following limitations: Cookie caching limitations also apply to cookie sharing. Therefore, since cookie caching is not supported for CONNECT requests, cookie sharing is not supported. Custom keys must be imported manually. Custom Keys are not synchronized across the cluster. Cookie sharing is not supported with client certificate authentication.