Configuring user identification and authentication

Administrator Help | Forcepoint Web Security and Forcepoint URL Filtering | v8.5.x

Related topics:

Identifying on-premises users transparently

Manual authentication

Working with users and groups

Use the Settings > General > User Identification page to manage when and how on-premises web protection software attempts to identify users in the network in order to apply user- and group-based policies.

Configure Policy Server to communicate with transparent identification agents.

Review and update transparent identification agent settings.

Set a global rule to determine how web protection software responds when users cannot be identified by Content Gateway, a transparent identification agent, or an integration product.

Identify machines in your network to which global user identification rules do not apply, and specify whether and how users of those machines should be authenticated.

If you are using transparent identification agents, the agents are listed under Transparent Identification Agents:

Server shows the IP address or name of the machine hosting the transparent identification agent.

Port lists the port that web protection software uses to communicate with the agent.

Type indicates whether the specified instance is a DC Agent, Logon Agent, RADIUS Agent, or eDirectory Agent. (See Identifying on-premises users transparently for an introduction to each type of agent.)

To add an agent to the list, select the agent type from Add Agent drop-down list. Click one of the following links for configuration instructions:

Configuring DC Agent

Configuring Logon Agent

Configuring RADIUS Agent

Configuring eDirectory Agent

To remove an agent instance from the list, mark the checkbox next to the agent information in the list, and then click Delete.

If you have one or more DC Agent instances, under DC Agent Domains and Controllers, click View Domain List for information about which domain controllers the agents are currently polling. See Reviewing DC Agent polled domains and domain controllers for more information.

Under User Identification Exceptions, list the IP addresses of machines that should use different user identification settings than the rest of your network.

For example, if you use Content Gateway, a transparent identification agent, or a third-party integration product to identify users, and have enabled manual authentication to prompt users for their credentials when they cannot be identified transparently, you can identify specific machines on which:

Users who cannot be identified are never be prompted for their credentials. In other words, when transparent identification fails, manual authentication is not attempted, and the computer or network policy, or the Default policy, is applied.

User information is always ignored, even when it is available, and users are always prompted for their credentials.

User information is always ignored, even when it is available, and users are never prompted for their credentials (the computer or network policy, or the Default policy, is always applied).

To create an exception, click Add, and then see Setting authentication rules for specific machines. To remove an exception, mark the check box next to an IP address or range, then click Delete.

Under Additional Authentication Options, specify the default response of web protection software when users are not identified transparently:

Click Apply computer or network policy to ignore user and group-based policies in favor of computer and network-based policies, or the Default policy.

Click Prompt user for logon information to require users to provide logon credentials when they open a browser. User and group-based policies can then be applied (see Manual authentication).

Specify the Default domain context that web protection software should use any time a user is prompted for log on credentials. This is the domain in which users' credentials are valid.

If you use the Exceptions list to specify any machines on which users are prompted for logon information, this default domain context is used, even if the global rule is to apply a computer or network-based policy.

When you are finished making changes on this page, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.