Editing custom authentication rules for the hybrid service

Administrator Help | Forcepoint Web Security | v8.5.x

Use the Custom Authentication > Edit Custom Authentication Rule page to edit user agents, domains, or URLs that are failing to authenticate with the hybrid service.

If you make changes to the rule Name, ensure it is between 1 and 50 characters long, and does not include any of the following characters:

* < > { } ~ ! $ % & @ # . " | \ & + = ? / ; : ,

Names can include spaces, dashes, and apostrophes.

Define or update the User agents, if any, for the rule:

To match against all user agent strings, select All user agents. You might want to do this if you are setting up a custom rule that applies to all browsers on all operating systems in your organization.

If the application does not send a user agent string to the Internet, select No user agent header sent.

This option will match against all applications that do not send a user agent. In this case, we recommend you refine the rule by entering one or more URLs or domains in the Destinations field.

To apply the custom authentication to one or more user agents, select Custom user agents. Enter each user agent on a separate line. Use the asterisk wildcard to match one line to multiple user agent strings, for example Mozilla/5.0*.

Define or update the URLs or domains (if any) for the rule in the Destinations field:

To match against all URLs and domains, select All destinations. You might want to do this if you are setting up a custom rule that applies to a specific user agent that accesses multiple sites.

To apply the custom authentication to one or more specific domains or URLs, select Custom destinations. Enter each URL or domain on a separate line.

URLs must include the protocol portion (http://) at the beginning and a forward slash (/) at the end (for example, http://www.google.com/). If these elements are not present, the string is treated as a domain. Domains cannot include a forward slash at the end (for example, mydomain.com).

Use the asterisk wildcard to match one line to multiple destinations: for example, entering *.mydomain.com would match against all domains ending in 'mydomain.com.'

Verify or update the Authentication Method for the custom rule.

Default: Uses your default authentication method.

NTLM: Uses NTLM identification for the specified user agents and destinations. If an application is not NTLM-capable, basic authentication is used instead.


	Note You must have NTLM identification enabled for your account to use this option.

Form Authentication: Uses secure form authentication to display a secure logon form to the end user. For more information, see Identification and authentication of hybrid users.

Basic Authentication: Uses the basic authentication mechanism supported by many Web browsers. No welcome page is displayed. For more information about basic authentication, see Identification and authentication of hybrid users.

Welcome Page: Displays a welcome page to users before they use basic authentication to proceed.

None: Bypasses all authentication and identification methods in the hybrid service. Select this option for Internet applications that are incapable of authentication.

Optionally, select Bypass content scanning to bypass all filtering for the specified user agents and destinations.


	Important Select this option only for applications and sites that for some reason do not work well with the hybrid service, and that you trust implicitly. Selecting this option could allow viruses and other malware into your network.

Click OK to return to the Custom Authentication page, and then click OK again to cache your changes. Changes are not implemented until you click Save and Deploy.