Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Content Gateway Security > Content Gateway user authentication > Rule-Based Authentication > Rule-based authentication Domain list
Rule-based authentication Domain list
Help | Content Gateway | v8.5.x
To use rule-based authentication, you create and maintain a Domain List. There must be at least one domain on the list before an authentication rule can be defined.
When a domain is added to the list, the authentication method is specified.
When a rule is defined, the domain or domains are selected from the domain list.
Supported domain types include:
*
Active Directory (AD) domains to be used with IWA. These domains must be joined by Content Gateway, as well as by its members (users).
*
Domain Controllers (DC) to be used with Legacy NTLM
*
AD and uid domain controllers and directory servers to be used with LDAP
Domain specification configuration summary:
1.
Rule-based authentication must be enabled (Configure > My Proxy > General).
2.
On Configure > Security > Access Control > Domains, click New Domain.
3.
Select the authentication method.
4.
Specify a unique name that will help you recognize the domain and its purpose.
5.
Optionally, configure the Aliasing option.
6.
Specify the domain settings. These vary by authentication method.
See:
*
Adding an Active Directory domain for use with IWA
*
Adding an NTLM domain controller for use with Legacy NTLM
*
Adding a domain (directory service) for use with LDAP
Adding an Active Directory domain for use with IWA
Active Directory (AD) domains to be used with IWA must be joined by both Content Gateway and directory members (clients).
If you are using IWA for the first time, see Integrated Windows Authentication, for a complete description of support and use.
To join a domain:
*
Content Gateway must be able to resolve the domain name.
*
Content Gateway system time must be synchronized with the domain controller's time, plus or minus 1 minute.
*
The correct domain Administrator name and password must be specified.
*
There must be TCP/UDP connectivity to the domain controller(s) (ports 88, 389, 445).
*
If backup domain controllers are configured, they and their Kerberos Distribution Center (KDC) services, must be reachable by Content Gateway on the network.
To specify and join a domain:
1.
Go to Configure > Security > Access Control > Domains and click New Domain.
2.
Select Integrated Windows Authentication from the Authentication Method drop down box.
3.
In the Domain Identifier field, enter a unique name that will help you recognize the domain and its purpose.
4.
Optionally, configure the Aliasing option. For information, see Unknown users and the 'alias' option.
5.
In the Domain Name field, enter the fully qualified domain name. For example, ad1.example.com.
6.
In the Administrator Name field enter the Windows Administrator user name.
7.
In the Administrator Password field enter the Windows Administrator password.
The name and password are used only during the join and are not stored.
8.
Select how to locate the domain controller:
*
Auto-detect using DNS
*
DC name or IP address
If the domain controller is specified by name or IP address, you can also specify backup domain controllers in a comma separated list, no spaces.
9.
Confirm the Content Gateway Hostname.
 
* 
Warning 
Do not change the hostname after the domain is joined. If it is changed, IWA immediately stops working and will not work again until the domain is unjoined and then re-joined with the new hostname.
10.
Click Join Domain.
The Joined Domain Connections section of the Monitor > Security > Integrated Windows Authentication page displays a list of joined domains and connections, and provides a diagnostic test function.
For troubleshooting tips, see Failure to join the domain.
To change the way the domain controller is found, and other attributes
1.
On the Domains page, in the list select the domain you want to change and click Edit.
2.
In the IWA Domain Details section, select how to locate the domain controller:
*
Auto-detect using DNS
*
DC name or IP address
If the domain controller is specified by name or IP address, you can also specify backup domain controllers in a comma separated list, no spaces.
3.
You can also change the Aliasing setting. See Unknown users and the 'alias' option.
4.
Click Apply.
Adding an NTLM domain controller for use with Legacy NTLM
Support for Legacy NTLM has these restrictions:
*
WINS resolution is not supported. Domain controllers must have hostnames that can be resolved by a DNS server.
*
Extended security is not supported and cannot be enabled on the domain controller.
*
NTLM2 session security is not supported and cannot be enabled on clients. In the Security Settings area of the Windows operating system, inspect the Network Security: Minimum session security settings.
*
NTLMv2 is not supported with Active Directory 2008.
*
Not all browsers support transparent NTLM authentication. See Browser limitations.
For a complete description of support for Legacy NTLM, see Legacy NTLM authentication.
To add an NTLM domain for use in rule-based authentication:
1.
Go to Configure > Security > Access Control > Domains and click New Domain.
2.
Select Legacy NTLM from the Authentication Method drop down box.
3.
In the Domain Identifier field, enter a unique name that will help you recognize the domain and its purpose. After the domain is added, the name cannot be changed.
4.
Optionally, configure the Aliasing option. For information see: Unknown users and the 'alias' option.
5.
In the Legacy NTLM Domain Details section:
a.
In the Domain Controller entry field enter the IP address and port number of the primary domain controller. If no port is specified, Content Gateway uses port 139.
You can also specify secondary domain controllers in a comma-separated list. The supported formats are:
host_name[:port][%netbios_name]
IP_address[:port][%netbios_name]
The netbios_name is required with Active Directory 2008.
b.
Specify whether load balancing should be applied among multiple DCs.
 
* 
Note 
Even if load balancing is not selected, if multiple domain controllers are specified and the load on the primary domain controller reaches the maximum number of connections allowed, new requests are sent to a secondary domain controller as a short-term fail over provision, until such time that the primary domain controller can accept new connections.
6.
Click Add Domain.
Adding a domain (directory service) for use with LDAP
When LDAP is used:
*
Content Gateway acts as an LDAP client and directly challenges users who request content for a username and password.
*
After receiving the username and password, Content Gateway contacts the LDAP server to check that the credentials are correct.
*
If the LDAP server accepts the username and password, the proxy serves the client the requested content and stores the username and password in the credential cache.
*
Future authentication requests for that user are served from the cache until the cache entry expires (Time-To-Live value).
*
If the LDAP server rejects the username and password, the user's browser displays a message indicating that authorization failed and prompts again for a username and password.
LDAP authentication supports both simple and anonymous bind.
To add an LDAP domain to the Domains list:
1.
Go to Configure > Security > Access Control > Domains and click New Domain.
2.
Select LDAP from the Authentication Method drop down list.
3.
In the Domain Identifier field, enter a unique name that will help you recognize the domain and its purpose. After the domain is added, the name cannot be changed.
4.
Optionally, configure the Aliasing option. For information see: Unknown users and the 'alias' option.
5.
In the LDAP Domain Details section:
a.
In the LDAP Server Name field, enter the fully qualified domain name or IP address of the LDAP server.
b.
If the LDAP server port is other than the default (389), in the LDAP Server Port field, enter the LDAP server port.
c.
Enter the LDAP Base Distinguished Name. Obtain this value from your LDAP administrator.
d.
Select the LDAP Server Type from the drop down list.
*
Select sAMAccountName (MS AD) for Active Directory.
*
Select userPrincipalName (MS AD) for Active Directory.
*
Select uid (Other LDAP) for other directory services.
e.
In the Bind Domain Name field, enter the bind distinguished name. This must be a Full Distinguished Name of a user in the LDAP directory service. For example:
CN=John Smith,CN=USERS,DC=MYCOMPANY,DC=COM
f.
In the Bind Password field, enter the password for the name given in the Bind Domain Name field.
g.
Enable Secure LDAP if you want Content Gateway to use secure communication with the LDAP server. If enabled, set the LDAP port to 636 or 3269.
6.
Click Add Domain.
To unjoin or remove a domain from the Domain List
On the Domains page, select the domain from the list and click Unjoin or Delete.
A confirmation dialogue displays. Confirm that you want to remove the domain from the list.
 
* 
Warning 
When a domain is removed, it is also removed from any authentication rules that specify it.
If it is the only domain specified in a rule, when the domain is removed the rule is made invalid and, therefore, the rule is removed.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Content Gateway Security > Content Gateway user authentication > Rule-Based Authentication > Rule-based authentication Domain list
Copyright 2023 Forcepoint. All rights reserved.