Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Defining Web Policies > Access Control tab
Access Control tab
 
Related topics:
Use the Access Control tab to configure how your end users are identified by the cloud service. You can configure multiple authentication or identification options for your users if required.
The cloud service works "out of the box" for many organizations. A single policy applied to an organization's web traffic provides protection from malware and inappropriate content. However, most customers want to tailor the service to align it with their Internet acceptable use policy, which may require granular configuration on a per-user and per-group basis, with different users or groups assigned to specific policies. Often, organizations want to report on the surfing habits of their employees. These use cases require the service to identify specific users in order to apply the correct policy, and to log user actions for reporting purposes.
There are a number of events that can lead to an end user being asked to authenticate:
*
*
The user is accessing a website within a category that has an action of Require user authentication. You configure this within the category itself.
*
*
When a request is made from an unknown IP address, users are served a notification page asking them to authenticate. Because the cloud service does not know who the users are at this time, the notification page is a generic service-wide page. See Roaming home page for further information.
 
Note 
To configure user authentication:
1.
Under Authentication Settings, define when to authenticate.
*
Select Always authenticate users on first access to force all users of this policy (whose source IP address or appliance is configured on the Connections tab) to identify or authenticate themselves to proceed. If they do not, they are unable to use the cloud service.
*
Select Only authenticate when if you want to use authentication only if either of the following is true:
*
In this case, if web endpoint software or single sign-on is not available, the user receives the service-wide Welcome page. Users must log on to allow the correct policy to be applied.
*
2.
If you do not select any authentication methods, when users try to access a website, they are presented with a basic authentication dialog into which they must enter their cloud logon credentials to proceed.
The cloud service provides the following options for identifying end users transparently:
*
Select Endpoint to use web endpoint software, which is installed on client machines to provide transparent authentication, enforce use of web policies, and pass authentication details to the cloud-based service. See Configure Endpoint settings.
*
Select Single sign-on to use clientless transparent authentication via a supported identity provider. See Configure End User Single Sign-On settings.
If you do not deploy web endpoint software or use single sign-on, the cloud service can use one of the following methods to identify users transparently or manually when they connect to the Internet.
*
Select NTLM transparent identification to identify users in this policy with their NTLM credentials. Then, select the NTLM registration page or use the default setting. See NTLM identification and NTLM registration page.
NTLM transparent identification is also used as a fallback if either the web endpoint or single sign-on fails.
 
Note 
*
Select Secure form-based authentication to display a logon form to the end user. When the user enters their cloud credentials, they are sent over a secure connection for authentication.
If the users have not previously registered to use the service, they can do so by clicking Register. This takes them into the registration process. See End Users tab for further details.
Note that manual authentication is always used if none of the above methods is available.
3.
Select Welcome page to show a configurable welcome page to end users prior to the basic authentication dialog box, if their browser supports it. See Pre-logon welcome page.
4.
If you have selected single sign-on or secure form authentication, set a Session timeout period to specify the time interval after which a user's login and password are revalidated. See Session timeout.
5.
Click Save.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Defining Web Policies > Access Control tab
Copyright 2024 Forcepoint. All rights reserved.