Identification and authentication of hybrid users
Administrator Help | Forcepoint Web Security | v8.5.x
Select Settings > Hybrid Configuration > Hybrid User Identification to configure how users are identified by the hybrid service, and to test and configure users' connections to the service. You can configure multiple authentication or identification options for your hybrid users if required.
To ensure that the appropriate per-user or per-group policy is applied to hybrid users, whether from a filtered location or when off-site, you have the following options for identifying or authenticating the users transparently:
* Forcepoint Web Security Endpoint is installed on client machines to provide transparent authentication, enforce use of the hybrid service, and pass authentication details to the hybrid service. See Forcepoint Web Security Endpoint software.
* Single sign-on provides clientless transparent authentication via a gateway hosted on your network. See Integrating the hybrid service with a single sign-on identity provider.
* Users at filtered locations (see Filtered locations) can be identified transparently via NTLM. This option is not available for off-site users.
* If you do not enable any form of transparent identification or authentication:
Indicate how the hybrid service should identify users requesting Internet access. These options are also used as a fallback if either the endpoint client software or single sign-on fails.
* Mark Always authenticate users on first access to enable transparent NTLM identification, secure form authentication, or manual authentication when users first connect to the hybrid service.
  If you do not select this option and you have not enabled any other authentication methods for users in filtered locations, those users receive an IP address-based policy, and their identity does not appear in reports.
  Internet Explorer and Firefox can be used for transparent user identification. Other browsers will prompt users for logon information.
  If Directory Agent is sending data to the hybrid service, using NTLM to identify users is recommended.
* Mark Use NTLM to identify users when possible to use the directory information gathered by Directory Agent to identify users transparently wherever the client allows it.
  When this option is selected, the hybrid service uses NTLM to identify the user if the client supports it, and otherwise provides a logon prompt.
  Important: When NTLM is used to identify users, do not use self-registration (configured on the User Access page under Registered Domains).
* Mark Use secured form authentication to identify users to display a secure logon form to the end user. When the user enters their email address and hybrid service password, the credentials are sent over a secure connection for authentication.
  Note: If you select this option, define how often users' credentials are revalidated for security reasons under Session Timeout. The default options are 1, 7, 14, or 30 days. The same session timeout applies to single sign-on, if enabled.
  Note: If the users have not previously registered to use the service, they can do so by clicking Register on the logon form. To use this option, enable self-registration (configured on the User Access page under Registered Domains). Advise end users not to use the same password for hybrid service access that they use to log on to the network.
  If you do not select either the NTLM or the secured form authentication option, but Always authenticate users on first access is selected, users who could not be identified via another means see a logon prompt every time they access the Internet. Basic authentication is used to identify users who receive a logon prompt.
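To make the fallback order above concrete, the following is a small Python model added for this page (not Forcepoint's code) of which method the hybrid service ends up using for a given request, together with a check for the setting combinations the page warns about. The setting names, request attributes and method labels are assumptions chosen for illustration; the model simplifies the page's description and omits details it does not state.

```python
from dataclasses import dataclass

# Session Timeout values offered on the Hybrid User Identification page.
VALID_SESSION_TIMEOUT_DAYS = (1, 7, 14, 30)

@dataclass
class HybridIdConfig:          # hypothetical mirror of the page's checkboxes
    always_authenticate_on_first_access: bool = False
    use_ntlm: bool = False
    use_secure_form: bool = False
    self_registration_enabled: bool = False   # User Access > Registered Domains
    session_timeout_days: int = 7

@dataclass
class Request:                 # hypothetical attributes of one user request
    from_filtered_location: bool
    endpoint_authenticated: bool = False   # identity supplied by the Endpoint client
    sso_authenticated: bool = False        # identity supplied by the single sign-on gateway
    client_supports_ntlm: bool = False     # e.g. Internet Explorer or Firefox

def validate(cfg: HybridIdConfig) -> list:
    """Flag setting combinations the page warns against or that leave users unidentified."""
    problems = []
    if cfg.use_ntlm and cfg.self_registration_enabled:
        problems.append("NTLM identification must not be combined with self-registration")
    if cfg.use_secure_form and cfg.session_timeout_days not in VALID_SESSION_TIMEOUT_DAYS:
        problems.append(f"session timeout must be one of {VALID_SESSION_TIMEOUT_DAYS} days")
    if not (cfg.always_authenticate_on_first_access or cfg.use_ntlm or cfg.use_secure_form):
        problems.append("no fallback: unidentified users get an IP-based policy and are absent from reports")
    return problems

def resolve(cfg: HybridIdConfig, req: Request) -> str:
    """Return how the hybrid service would identify this request (simplified model)."""
    if req.endpoint_authenticated:
        return "endpoint"
    if req.sso_authenticated:
        return "single-sign-on"
    # Fallback chain: only reached when Endpoint and single sign-on are absent or failed.
    if cfg.use_ntlm and req.from_filtered_location and req.client_supports_ntlm:
        return "ntlm"                  # transparent; NTLM is not offered to off-site users
    if cfg.use_secure_form:
        return "secure-form"           # logon form sent over a secure connection
    if cfg.always_authenticate_on_first_access or (cfg.use_ntlm and req.from_filtered_location):
        return "basic-auth-prompt"     # browser logon prompt, basic authentication
    return "ip-policy"                 # no identity: IP address-based policy applies

def identity_in_reports(method: str) -> bool:
    return method != "ip-policy"       # IP-policy users do not appear by name in reports
```

Running validate() against a planned configuration before Save and Deploy catches the NTLM plus self-registration combination and the case where no fallback method is enabled at all.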
When you are finished, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.
Once you have set up the hybrid service and configured user browsers to access the PAC file, you can use the links provided under Verify End User Configuration to make sure that end user machines have Internet access and are correctly configured to connect to the hybrid service.
If your hybrid service account has not been verified (which may mean that no email address has been entered on the Settings > General > Account page), the URLs are not displayed.
Copyright 2020 Forcepoint. All rights reserved.