Support

Go to the table of contents Go to the previous page Go to the next page Go to the index View or print as PDF
Configuration Files > auth.config
auth.config
Help | Content Gateway | Version 7.7.3
The auth.config file stores rules that direct specified IP addresses and IP address ranges, and/or traffic on specified inbound ports (explicit proxy only), and/or matching Request header User-Agent values to distinct domain controllers. This feature is called Multiple realm authentication. Authentication realm rules are defined on the Configure > Security > Access Control > Authentication Realms tab.
*
Multiple realm authentication is supported for Integrated Windows Authentication (IWA), legacy NTLM, and LDAP authentication only.
*
Each authentication rule can specify source IP addresses, inbound port (explicit proxy only), User-Agent regex, the authentication method, the domain, and other options.
*
Multiple rules can be active at the same time. In this way, multiple authentication methods can be used at the same time. And multiple rules can be active for the same authentication method, even within the same domain.
*
The specifiers used in IWA, LDAP, and NTLM rules vary.
*
Rules are applied from the list top-down; only the first match is applied. If no rule matches, no user authentication is performed.
 
* 
Note 
If all the users in your network can be authenticated by domain controllers that share trust relationships, you probably don't need rules for multiple authentication realms.
However, the option is also supported in single domain deployments that want to create multiple authentication rules based on IP addresses, inbound proxy port (explicit proxy), and/or User-Agent values.
Format
Each line in auth.config contains an authentication rule that consists of a set of tags, each followed by its value. Authentication rules have the format:
type=<auth_type> name=<profile_name> src_ip=<IP addresses> <additional tags>
The following table lists the tags that are common to all rules.
Universal Tags
Allowed Value
type
Takes a string denoting the rule type: winauth, ntlm, ldap
enabled
Specifies whether the rule will be active:
*
0 = disabled
*
1 = enabled
name
Is a simple, unique name used in logging.
src_ip
Takes a comma separated list of IP addresses and IP address ranges.
user_agent
Takes a regular expression that is applied to the user-agent string.
proxy_port (optional)
Takes a port number.
cookie_mode
Specifies whether cookie mode caching is used. IP address caching is the default (set on the Global Authentication Options tab).
use_alias
Specifies the user name sent to filtering service if authentication is successful.
*
0 = send actual authenticated user name (default).
*
1 = send a blank username
*
2 = send the string specified in auth_name_string
auth_name_string
Only active if use_alias=2. Specifies the static string to be sent as the user name for all successful authentications using this rule.
The following table lists the additional tags used in Integrated Windows Authentication rules.
IWA Tags
Allowed Value
winauth_realm
Specifies the joined Windows domain to use with the rule. Content Gateway must be joined and active in that domain.
The following table lists the additional tags used in an NTLM rule.
 
Universal Tags
Allowed Value
dc_list
Takes the IP address and port number of the primary domain controller (if no port is specified, Content Gateway uses port 139), followed by a comma separated list of secondary domain controllers to be used for load balancing and failover.
dc_load_balance (optional)
Specifies whether load balancing is used:
*
0 = disabled
*
1 = enabled
Note: When multiple domain controllers are specified, even if load balancing is disabled, when the load on the primary domain controller reaches the maximum number of connections allowed, new requests are sent to a secondary domain controller as a short-term failover provision, until such time that the primary domain controller can accept new connections.
The following table lists the additional tags used in an LDAP rule.
 
LDAP Tag
Allowed Value
server_name
Specifies the fully qualified domain name of the LDAP server.
server_port (optional)
Specifies the LDAP server port. The default is 389.
If Secure LDAP is enabled, set the port to 636 or 3269 (the secure LDAP ports).
base_dn (optional)
Specifies the LDAP base distinguished name.
uid_filter (optional)
Specifies the type of service, if different from that configured on the LDAP tab. Enter sAMAccountName for Active Directory, or uid for any other service.
bind_dn (optional)
Specifies the bind distinguished name. This must be a Full Distinguished Name of a user in the LDAP directory service. For example:
CN=John Smith,CN=USERS,DC=MYCOMPANY,
DC=COM
bind_pwd (optional)
Specifies the password for the bind distinguished name.
sec_bind
Specifies whether Content Gateway will use secure communication with the LDAP server.
*
0 = disabled
*
1 = enabled
If enabled, set the LDAP port to 636 or 3269 (secure LDAP ports).
attr
Specifies an LDAP attribute name.
attr_value
Specifies an LDAP attribute value.
Examples
Integrated Windows Authentication:
type=winauth name=CorpHQ src_ip=10.1.1.1,10.10.0.0-10.100.254.254 proxy_port=0 status=1 domain=BigCorp.com
NTLM:
type=ntlm name=CorpHQ src_ip=10.1.1.1,12.13.0.0-12.13.0.128 dc_list=HQdc1.BigCorp.com,HQdc2.BigCorp.com
LDAP:
type=ldap name=CorpHQ src_ip=10.1.1.1,12.13.0.0-12.13.0.128 server_name=HQldap1.BigCorp.com server_port=389
 
* 
Note 
Rules are applied by first match in the order listed.
Print print article Email email article Font Size: A A

Search

Article Rating:

Do you have any additional feedback?    Email: close

Related Articles

Quick Links

Service Requests

How are we doing?

Provide us feedback on your experience with the Service Request portal.

provide feedback >

Go to the table of contents Go to the previous page Go to the next page Go to the index View or print as PDF
Configuration Files > auth.config