Support

Go to the table of contents Go to the previous page Go to the next page Go to the index View or print as PDF
Security > Proxy user authentication > Multiple realm authentication > Global authentication options
Global authentication options
Help | Content Gateway | Version 7.7.3
These settings apply when IWA negotiates NTLM or falls back to NTLM.
1.
Navigate to the Configure > Security > Access Control > Global Authentication Options tab.
2.
Fail Open – Specifies whether requests are allowed to proceed when user authentication fails.
When Fail Open is enabled and a Web Security transparent identification agent (XID) is configured, if authentication fails and the client is identified by the XID agent, user-based policy is applied. If the user cannot be identified and a policy is assigned to the client's IP address, that policy is applied. Otherwise, the Default policy is applied.
Fail Open options include:
*
Disabled – specifies that requests will not proceed when authentication fails.
*
Enabled only for critical service failures (default) – specifies that requests proceed if authentication fails due to:
*
No response from the domain controller
*
The client is sending badly formatted messages
*
Enabled for all authentication failures, including incorrect password – specifies that requests proceed for all authentication failures, including password failures.
3.
IP address-based NTLM Credential Caching is enabled by default. Credential caching applies only when Content Gateway is an explicit proxy. Credentials are cached when authentication is successful. When Multiple Realm Authentication is enabled, cookie-based credential caching can be specified in each realm rule. If it is not specified, this setting applies.
4.
Caching TTL sets the time-to-live for entries in the credential cache. The default TTL is 900 seconds (15 minutes). To change the TTL, enter a new value in the entry field. The range of supported values is 300 to 86400 seconds.
5.
If some users use terminal servers to access the Internet through the proxy (e.g., Citrix servers), you can create a list of those servers in the Multi-user IP Exclusions field. Credentials for such users are not cached. Enter a comma separated list of IP addresses and IP address ranges.
 
* 
Note 
Content Gateway supports transparent authentication in proxy clusters using WCCP load balancing. However, the assignment method distribution attribute must be the source IP. For more information see Configuring service groups in Content Gateway Manager.
Print print article Email email article Font Size: A A

Search

Article Rating:

Do you have any additional feedback?    Email: close

Related Articles

Quick Links

Service Requests

How are we doing?

Provide us feedback on your experience with the Service Request portal.

provide feedback >

Go to the table of contents Go to the previous page Go to the next page Go to the index View or print as PDF
Security > Proxy user authentication > Multiple realm authentication > Global authentication options