Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Security > Content Gateway user authentication > Integrated Windows Authentication > Configuring Integrated Windows Authentication with a load balancer
Configuring Integrated Windows Authentication with a load balancer
Integrated Windows Authentication (IWA) with a load balancer is supported.
 
Important 
Transparent proxy deployments do not require any special configuration.
Explicit proxy deployments that are behind a load balancer require a custom configuration
With Content Gateway, IWA uses the Kerberos protocol, with NTLM fallback.
In a load-balanced environment:
*
*
*
To restate the problem, it's not possible to configure clients to request Content Gateway's Kerberos ticket because the client's operating system handles the ticket request based on the FQDN of the proxy, which resolves to the VIP of the load balancer.
Normally, Content Gateway would be configured to share the hostname of the load balancer, but this is not possible when the load balancer requires hostname resolution (as with DNS-based load balancing).
Because it's not possible to stop clients from sending a load-balancer's Kerberos ticket to Content Gateway, the proxies must be configured to accept the load-balancer's ticket, making the Content Gateway nodes appear as the load-balancer within the scope of Kerberos.
Please contact Websense Technical Support for detailed, step-by-step configuration instructions.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Security > Content Gateway user authentication > Integrated Windows Authentication > Configuring Integrated Windows Authentication with a load balancer
Copyright 2016 Forcepoint LLC. All rights reserved.