Identification of hybrid users
Web Security Help | Web Security Solutions | Version 7.8.x
Select Settings > Hybrid Configuration > Hybrid User Identification to configure how users are identified by the hybrid service, and to test and configure users' connections to the service. You can configure multiple authentication or identification options for your hybrid users if required.
To ensure that the appropriate per-user or per-group policy is applied to hybrid users, whether from a filtered location or when off-site, Websense Web Security Gateway Anywhere provides the following options for identifying hybrid users transparently:
* Websense Web Endpoint is installed on client machines to provide transparent authentication, enforce use of the hybrid service, and pass authentication details to the hybrid service. See Web Endpoint deployment overview.
* Single sign-on, available beginning with 7.8.4, provides clientless transparent authentication via a gateway hosted on your network. See Integrating a single sign-on identity provider.
If you do not deploy either Web Endpoint or single sign-on, the hybrid service can identify users transparently or manually when they connect to the hybrid service.
* Users can only be identified transparently via NTLM if they are logging on from a known IP address, defined as a filtered location (see Define filtered locations). Note that NTLM identification is not available for off-site users.
Indicate how the hybrid service should identify users requesting Internet access. These options are also used as a fallback if either the endpoint or single sign-on (available beginning with 7.8.4) fails.
* Mark Always authenticate users on first access to enable transparent NTLM identification, secure form authentication, or manual authentication when users first connect to the hybrid service.
If you do not select this option and you have not enabled any other authentication methods for users in filtered locations, those users receive an IP address-based policy, and their identity does not appear in reports.
Internet Explorer and Firefox can be used for transparent user identification. Other browsers will prompt users for logon information.
If Directory Agent is sending data to the hybrid service, using NTLM to identify users is recommended.
* Mark Use NTLM to identify users when possible to use directory information gathered by Directory Agent to identify users transparently, if possible.
When this option is selected, the hybrid service uses NTLM to identify the user if the client supports it, and otherwise provides a logon prompt.
Note: When NTLM is used to identify users, do not use self-registration (configured on the User Access page under Registered Domains).
* Mark Use secured form authentication to identify users to display a secure logon form to the end user. When the user enters their email address and hybrid service password, the credentials are sent over a secure connection for authentication.
Note: If you select this option, define how often users' credentials are revalidated for security reasons under Session Timeout. The default options are 1, 7, 14, or 30 days. Beginning with 7.8.4, the same session timeout applies to single sign-on, if enabled.
Note: If the users have not previously registered to use the service, they can do so by clicking Register on the logon form. To use this option, enable self-registration (configured on the User Access page under Registered Domains). Advise end users not to use the same password for hybrid service access that they use to log on to the network.
If you do not select either the NTLM or the secured form authentication option, but Always authenticate users on first access is selected, users who could not be identified via another means see a logon prompt every time they access the Internet. Basic authentication is used to identify users who receive a logon prompt.
When you are finished, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.
Once you have set up the hybrid service and configured user browsers to access the PAC file, you can use the links provided under Verify End User Configuration to make sure that end user machines have Internet access and are correctly configured to connect to the hybrid service.
If your hybrid service account has not been verified (which may mean that no email address has been entered on the Settings > General > Account page), the URLs are not displayed.

Copyright 2016 Forcepoint LLC. All rights reserved.