Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Creating an authentication rule
Help | Content Gateway | Version 8.1.x
Before you create an authentication rule you must:
*
Enable Rule-Based Authentication on Configure > My Proxy > Basic > General.
*
*
You must also know:
*
*
By:
*
*
*
*
To create a rule:
 
Note 
In the Rule editor, after entering all specifiers, click Add before clicking Apply. If Apply is clicked first, or the edit window is closed, all entry fields are cleared.
1.
Go to Configure > Security > Access Control and review and adjust the Global Authentication Options and Domains list.
2.
If AD domains are used with IWA, go to Monitor > Security > Integrated Windows Authentication and confirm that the IWA domains are joined and that connections are established.
3.
Go to Configure > Security > Access Control > Authentication Rules. A list of existing authentication rules is displayed at the top of the page.
4.
Click Edit File to open the rule editor.
5.
 
Important 
6.
Select Status Enabled if you want the rule to be active after the rule is added and Content Gateway is restarted.
7.
Enter a unique Rule Name (required). A short, descriptive name will help you recognize the rule and its purpose. It is recommended that the name not exceed 50 characters.
8.
If the rule applies to specific IP addresses, in the Source IP Addresses field, enter a comma-separated list of individual IP addresses and/or IP address ranges. Do not use spaces. For example:
10.4.1.1,10.12.1.1-10.12.254.254
The list can contain up to:
*
*
*
*
Source IP address ranges can overlap. Overlapping ranges may be useful as a quick way of identifying sub-groups in a large pool. In overlapping ranges, the first match is used.
If this field is empty (undefined), all IP addresses match.
9.
If the rule applies to inbound traffic on a specific port, select the Proxy Port from the drop down list. This option is valid with explicit proxy only.
Inbound ports are specified on the Configure > My Proxy > Protocols > HTTP > General page in the Secondary HTTP Proxy Server Ports field. Client applications must be configured to send requests to the desired port.
If undefined, all ports match. Transparent proxy deployments should leave the field undefined.
10.
To apply the rule to specific User-Agent values, enter POSIX-compliant regular expressions (regex) to match the desired values. To specify a common browser type, select a Predefined regex from the drop down list and click Include.
If undefined, all User-Agents match.
You can edit the field directly.
Use the "|" character (logical 'or') to separate regexes.
The "^" regex operator is not supported.
The regex is validated when the rule is committed to the configuration file, which happens after clicking Add or Set and then Apply. If the regex is not valid, the rule is deleted and must be recreated with a valid regex.
For an extended description and examples, see Authentication based on User-Agent.
11.
a.
From the Domains drop down list, select the applicable domain and click Include. Only domains that have been added to the Domains list are available (Configure > Security > Access Control > Domains).
b.
If an ordered list of domains will be used, select each domain one at a time and click Include. Then select domains in the list and use the up and down arrows to achieve the desired order.
 
Important 
The Fail Open/fail closed setting is applied after every domain in the list is tried.
12.
Next to Captive Portal, click:
*
Enabled for HTTPS Authentication page to redirect users to a customizable web portal page for authentication.
When this selection is enabled, the page will display using HTTPS.
When HTTPS is used, a server certification is generated based on the internal root CA. To use this feature, you must import the internal root CA to ensure there is no certificate error. See Importing your Root CA for details.
*
Enabled for HTTP Authentication page to redirect users to a customizable web portal page for authentication.
With this selection, the page is displayed using the HTTP protocol.
This option is disabled if an IWA domain is included in the domains list.
If this option is enabled and an IWA domain is added to the domains list, an error message will display.
Note that when Content Gateway receives an unauthenticated POST request from a user who matches a Captive Portal rule, it redirects the user to the web portal authentication page and does not record the POST data. After successful authentication, the original POST data must be input again.
See Authentication using Captive Portal for additional details.
13.
Click Add to add the rule.
14.
15.
Click Apply and then restart Content Gateway to put the rule into effect.
 
Warning 

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Copyright 2016 Forcepoint LLC. All rights reserved.