Configuration Options > Security > Access Control
Global Authentication Options (settings apply when IWA negotiates NTLM or falls back to NTLM)

Note: After adding, deleting, or modifying a rule, restart Content Gateway.
Note: NTLM and LDAP authentication rules are defined on the Authentication Realms tab and stored in the auth.config file (see its entry later on this page).
Updates the table to display the most up-to-date rules in the filter.config file.

Opens the configuration file editor for the filter.config file.

Lists the rules currently stored in filter.config. Select a rule to edit it. The buttons on the left of the box allow you to delete or move the selected rule up or down in the list.

Select allow to allow particular URL requests to bypass authentication; the proxy caches and serves the requested content.
Select deny to deny requests for objects from specific destinations. When a request is denied, the client receives an access denied message.
Select keep_hdr to specify which client request header information you want to keep.
Select strip_hdr to specify which client request header information you want to strip.
Select add_hdr to cause a custom header to be added to the request. This rule type requires that values be defined for Custom Header and Header Value. Add custom headers to satisfy a specific requirement of a destination domain. See Filtering Rules.
Note: The radius rule type is not supported.

dest_domain is a requested domain name.
dest_host is a requested hostname.
dest_ip is a requested IP address.
url_regex is a regular expression to be found in a URL.

Specifies the value of the primary destination type. For example, if the primary destination type is dest_ip, the value for this field might be 123.456.78.9.

For use when the rule type is add_hdr. Specifies the custom header name that the destination domain expects to find in the request.

For use when the rule type is add_hdr. Specifies the custom header value that the destination domain expects to be paired with the custom header.
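
As an added illustration, not code from Content Gateway or its documentation, the following Python models how an ordered list of filter rules of the kinds described above (allow, deny, keep_hdr, strip_hdr, add_hdr over dest_domain, dest_host, dest_ip and url_regex) might be evaluated against a request. The Rule class, apply_rules, the first-match and header-accumulation semantics, the subdomain matching for dest_domain, and the sample rules and hostnames are all assumptions of this model, not product behaviour.

```python
import ipaddress
import re
from dataclasses import dataclass
@dataclass
class Rule:
    action: str              # allow | deny | keep_hdr | strip_hdr | add_hdr
    dest_type: str           # dest_domain | dest_host | dest_ip | url_regex
    dest_value: str          # the primary destination value
    headers: tuple = ()      # header names for keep_hdr / strip_hdr
    custom_header: str = ""  # add_hdr only: Custom Header
    header_value: str = ""   # add_hdr only: Header Value

    def matches(self, host, ip, url):
        if self.dest_type == "dest_domain":  # the domain and its subdomains (assumption)
            return host == self.dest_value or host.endswith("." + self.dest_value)
        if self.dest_type == "dest_host":
            return host == self.dest_value
        if self.dest_type == "dest_ip":
            return ipaddress.ip_address(ip) == ipaddress.ip_address(self.dest_value)
        return re.search(self.dest_value, url) is not None  # url_regex

def apply_rules(rules, host, ip, url, headers):
    """Walk the ordered rules; return (decision, forwarded_headers). decision is
    'allow' (bypass authentication), 'deny', or 'auth' (no match: authenticate)."""
    decision, keep, strip, added = "auth", set(), set(), {}
    for r in rules:
        if not r.matches(host, ip, url):
            continue
        if r.action in ("allow", "deny"):
            decision = r.action
            break  # first matching allow/deny is final (assumption)
        if r.action == "keep_hdr":
            keep.update(h.lower() for h in r.headers)
        elif r.action == "strip_hdr":
            strip.update(h.lower() for h in r.headers)
        elif r.action == "add_hdr":  # both fields are required for this rule type
            if not (r.custom_header and r.header_value):
                raise ValueError("add_hdr requires Custom Header and Header Value")
            added[r.custom_header] = r.header_value
    # a header named by keep_hdr survives strip_hdr (assumption)
    out = {k: v for k, v in headers.items() if k.lower() in keep or k.lower() not in strip}
    out.update(added)
    return decision, out

RULES = [  # constructed sample rule list, not from any real deployment; order matters
    Rule("allow", "dest_domain", "updates.example.com"),
    Rule("deny", "url_regex", r"\.exe$"),
    Rule("strip_hdr", "dest_domain", "partner.example.net", headers=("Cookie",)),
    Rule("add_hdr", "dest_host", "api.partner.example.net",
         custom_header="X-Partner-Id", header_value="proxy-42"),
]
```

Because the allow rule for updates.example.com precedes the deny rule for `.exe` URLs, an executable fetched from that domain bypasses authentication while the same path elsewhere is denied; moving the rules changes the outcome, which is why the list order in the rules box matters.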
The Integrated Windows Authentication page appears only if you have enabled IWA in the Features table on the Configure > My Proxy > Basic > General tab.

Note: The name and password are used only during the join and are not stored.

IMPORTANT: Once the domain is joined, the hostname cannot be changed. If it is, IWA will immediately stop working until the domain is unjoined and then rejoined with the new hostname.

Disabled – Prevents requests from proceeding to the Internet when an authentication failure occurs.
Enabled only for critical service failures (default) – Allows requests to proceed if authentication fails because there is no response from the domain controller or because the client is sending badly formatted messages.
Enabled for all authentication failures, including incorrect password – Allows requests to proceed for all authentication failures, including password failures.

Note: Redirect Hostname is not needed and does not apply to Integrated Windows Authentication (IWA).

The LDAP configuration options appear on the Configure pane only if you have enabled LDAP in the Features table on the Configure > My Proxy > Basic > General tab.

Specifies a password for the user identified in the Bind_DN field.

The Radius configuration options appear on the Configure pane only if you have enabled Radius in the Features table on the Configure > My Proxy > Basic > General tab.

The NTLM configuration options appear on the Configure pane only if you have enabled NTLM in the Features table on the Configure > My Proxy > Basic > General tab.

If you are using Active Directory 2008, you must include the netbios_name or use SMB port 445.

Note: When multiple domain controllers are specified, new requests are sent to a secondary domain controller as a short-term failover provision whenever the load on the primary domain controller reaches the maximum number of connections allowed, even if load balancing is disabled, until the primary domain controller can accept new connections again.

Disabled – Prevents requests from proceeding to the Internet when an authentication failure occurs.
Enabled only for critical service failures (default) – Allows requests to proceed if authentication fails because there is no response from the domain controller or because the client is sending badly formatted messages.
Enabled for all authentication failures, including incorrect password – Allows requests to proceed for all authentication failures, including password failures.

The Domains page appears on the Access Control list only if you have enabled Multiple Realm Authentication in the Features table on the Configure > My Proxy > Basic > General tab.

Note: The name and password are used only during the join and are not stored.

IMPORTANT: Once the domain is joined, the hostname cannot be changed. If it is, IWA will immediately stop working until the domain is unjoined and then rejoined with the new hostname.

When Auto-detect using DNS is selected and the domain is joined, this field displays the name of the Active Directory site nearest the proxy.

Updates the table to display the current rules in the auth.config file.

Opens the configuration file editor for the auth.config file.

Lists the rules in auth.config. Select a rule to edit it. The buttons on the left of the box allow you to delete or move the selected rule up or down in the list.

Select Integrated Windows Authentication for rules that will apply Kerberos.
Select Legacy NTLM to specify rules that will apply the NTLMSSP method.
Select LDAP to specify rules that will use LDAP.

Cookie mode caching is used to uniquely identify users who share a single IP address; for example, in environments where proxy chaining is used or where network address translation (NAT) occurs. For complete details, see the instructions for creating each authentication realm rule type (Multiple realm authentication).
Note: The following special requirements and limitations apply:
When this option is disabled, the global setting is applied. For transparent proxy deployments the global option is set on Configure > Security > Access Control > Transparent Proxy Authentication. For explicit proxy deployments the global option is set on Configure > Security > Access Control > Global Authentication Options.

Note: When multiple domain controllers are specified, new requests are sent to a secondary domain controller as a short-term failover provision whenever the load on the primary domain controller reaches the maximum number of connections allowed, even if load balancing is disabled, until the primary domain controller can accept new connections again.

This option applies to ldap rule types only.

This option applies to ldap rule types only.