Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Configuration Options > Security > Access Control
Access Control
Help | Content Gateway | Version 8.1.x
Use the Access Control tabs to:
*
*
The Filtering tab is always available on the Access Control page.
Other tabs are dynamic based on the authentication method selected in the Authentication section of Configure > My Proxy > Basic.
If an authentication method is enabled, the Global Configuration Options tab is always displayed.
If Integrated Windows Authentication is selected, these tabs display:
*
*
If LDAP is selected, these tabs display:
*
*
If Radius is selected, these tabs display:
*
*
If NTLM is selected, these tabs display:
*
*
If Rule-Based Authentication is selected, these tabs display:
*
*
*
The tables below describe the purpose of each field on each tab. Use your browser's Search feature to find the field that you're looking for.
For a complete description of Content Gateway user authentication features, see Content Gateway user authentication.
Configure > Security > Access Control > Filtering
Filtering rules can be used to:
*
*
*
*
*
Rules are ordered checked prior to user authentication (if configured). Rules are applied based on first match in a top-down traversal of the list. If no rule matches, the request is allowed to proceed.
Rules are stored in filter.config.
After adding, deleting, or modifying a rule, restart Content Gateway.
For complete information about filtering rules, see Filtering Rules.
 
Lists the rules currently stored in filter.config. Select a rule to edit it. The buttons on the left of the box allow you to delete or move the selected rule up or down in the list.
Select allow to allow particular URL requests to bypass authentication.
Select deny to deny requests for objects from specific destinations. When a request is denied, the client receives an access denied message.
Select keep_hdr to specify which client request header information you want to keep.
Select strip_hdr to specify which client request header information you want to strip.
Select add_hdr to cause a custom header to be added to the request. This rule type requires that values be defined for Custom Header and Header Value. Add custom headers to satisfy specific requirements of a destination domain. See Filtering Rules.
The radius rule type is not supported.
dest_domain is a requested domain name.
dest_host is a requested host name.
dest_ip is a requested IP address.
url_regex is a regular expression to be found in a URL.
This option applies to only keep_hdr or strip_hdr rule types.
For use when the rule type is add_hdr. Specifies the custom header name that the destination domain expects to find in the request.
For use when the rule type is add_hdr. Specifies the custom header value that the destination domain expects to be paired with the custom header.
*
*
*
FTP (for FTP over HTTP only)
rtsp and mms are not supported.
Click Apply before you click Close; otherwise, all configuration changes will be lost.
Configure > Security > Access Control > Global Configuration Options
Use this page to specify global options for:
*
*
*
For more information, see Global authentication options.
 
Note 
 
Disabled – Prevents requests from proceeding to the Internet when an authentication failure occurs.
Enabled only for critical service failures (default) – Allows requests to proceed if authentication fails because there is no response from the domain controller or because the client is sending badly formatted messages.
Enabled for all authentication failures – Allows requests to proceed for all authentication failures, including password failures.
Important: When user authentication is rule-based with a domain list:
*
If Enabled only for critical service failures is selected, when a critical service failure occurs fail open is not applied. An error always results in fail closed.
*
If Enabled for all authentication failures, including incorrect password is selected, after trying basic credentials with every domain in the list, fail open is applied.
Important: The Fail Open setting does not apply when IWA is the authentication method and the client fails to retrieve a kerberos ticket from the domain controller (DC) because the DC is down. The Fail Open setting does apply with IWA when IWA falls back to NTLM and authentication fails.
Cache using IP address only – specifies that all credentials are cached with IP address surrogates. This is the recommended method when all clients have unique IP addresses.
Cache using Cookies only – specifies that all credentials are cached with cookie surrogates. This is recommended when all clients share IP addresses, as with multi-host servers such as Citrix servers, or when traffic is NATed by a device that is forwarding traffic to Content Gateway.
Cache using both IP addresses and Cookies – specifies to use cookie surrogates for the IP addresses listed in the cookie caching list, and to use IP address surrogates for all other IP addresses. This is recommended when the network has a mix of clients, some with unique IP addresses and some using multi-user hosts or that are subject to NATing.
Configure > Security > Access Control > IWA
The Integrated Windows Authentication (IWA) page appears only if you have enabled IWA in the Features table on the Configure > My Proxy > Basic > General tab.
Use this page to join or unjoin the Windows domain. When a domain has been joined, the page provides a summary of the domain attributes and an Unjoin button.
For a complete description, see Integrated Windows Authentication.
 
Note: The name and password are used only during the join and are not stored.
IMPORTANT: Once the domain is joined the hostname cannot be changed. If it is, IWA will immediately stop working until the domain is unjoined and then rejoined with the new hostname.
Configure > Security > Access Control > LDAP
The LDAP configuration options appear on the Configure pane only if you have enabled LDAP in the Features table on the Configure > My Proxy > Basic > General tab.
For more information on configuring LDAP see LDAP authentication.
 
Configure > Security > Access Control > Radius
The Radius configuration options appear on the Configure pane only if you have enabled Radius in the Features table on the Configure > My Proxy > Basic > General tab.
For more information on configuring Radius, see RADIUS authentication.
 
Radius
Configure > Security > Access Control > NTLM
The NTLM configuration options appear on the Configure pane only if you have enabled NTLM in the Features table on the Configure > My Proxy > Basic > General tab.
For more information on configuring NTLM, see Legacy NTLM authentication.
 
Note: When multiple domain controllers are specified, even if load balancing is disabled, when the load on the primary domain controller reaches the maximum number of connections allowed, new requests are sent to a secondary domain controller as a short-term failover provision, until such time that the primary domain controller can accept new connections.
Configure > Security > Access Control > Domains
The Domains tab appears in the Access Control list only if you have enabled Rule-Based Authentication in the Features table on Configure > My Proxy > Basic > General.
Use this tab to create and maintain a list of domains that can be specified in authentication rules. Use the Authentication Rules tab to define authentication rules. Be sure to set the Global authentication options.
 
Important 
 
Use the Edit button to change some attributes associated with the domain.
Use the Delete or Unjoin button to remove a domain from the list.
Use the New Domain button to add a domain to the Domains list. The screen is expanded to allow for specification of the domain.
New Domain action
Important: You cannot change the domain identifier after it has been added to the list. To change the name, delete the entry from the list and re-add it with the new name.
Important: You cannot change the authentication method after you add the domain to the list. To change the authentication method, delete the entry from the list and re-add the domain specifying the new authentication method.
Note: The name and password are used only during the join and are not stored.
Warning: Once the domain is joined the hostname cannot be changed. If it is, IWA will immediately stop working until the domain is unjoined and then rejoined with the new hostname.
Note: When multiple domain controllers are specified, even if load balancing is disabled, when the load on the primary domain controller reaches the maximum number of connections allowed, new requests are sent to a secondary domain controller as a short-term failover provision, until such time that the primary domain controller can accept new connections.
Configure > Security > Access Control > Authentication Rules
The Authentication Rules tab appears in the Access Control list only if you have enabled Rule-Based Authentication in the Features table on the Configure > My Proxy > Basic > General tab.
Use this tab to create and maintain authentication rules. Use the Domains tab to build and maintain a list of domains that can be used in authentication rules. You must configure the Domains list before you define authentication rules.
Be sure to set the Global authentication options.
 
Important 
 
Warning: Do not edit rules directly in the configuration file.
Specifies the inbound port for traffic when Content Gateway is deployed as an explicit proxy. If undefined, all ports match, as configured on Configure > Protocols > HTTP > General. Transparent proxy deployment should leave this field undefined.
Best practice: If you know what domain a set of users belongs to, create a rule just for that group.
Best practice: Place the rule with the largest number of users authenticating with known domain membership at the top of the list. These are the fastest authentications.
Best practice: If you don't know what domain a set of users belongs to, specify the fewest number of domains needed to authenticate the users in the set.
Best practice: It is always better to create targeted rules because attempting to authenticate against a large set of domains can introduce noticeable latency.
Important: When user authentication is rule-based with a domain list:
For Fail Open:
*
If Enabled only for critical service failures is selected, the fail open setting is not applied. The user continues to be prompted for credentials until there is a timeout.
*
If Enabled for all authentication failures, including incorrect password is selected, after trying basic credentials with every domain in the list, fail open is applied.
Click Enabled for HTTPS/HTTP Authentication page to redirect users to a customizable web portal page for authentication.
Important: If the rule specifies a regex for User-Agent, the regex is validated when Apply is clicked. If the regex is not valid, the rule is deleted and must be recreated.
Click Apply before you click Close; otherwise, all configuration changes will be lost.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Configuration Options > Security > Access Control
Copyright 2016 Forcepoint LLC. All rights reserved.