Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Security > Content Gateway user authentication > Global authentication options
Global authentication options
Help | Content Gateway | Version 8.1.x
Use the Configuration > Security > Access Control > Global Authentication Options page to configure:
*
User authentication Fail Open/fail closed behavior
*
*
The Redirect Hostname (required for transparent proxy deployments)
These settings apply to all proxy user authentication configurations, within the parameters stated for each option below.
Whenever changes are made to any of these settings, click Apply to save your changes and then restart the proxy to put the changes into effect.
Fail Open
Fail Open specifies whether requests are allowed to proceed for processing when user authentication fails.
When Fail Open is enabled and a TRITON AP-WEB XID agent is configured, if authentication fails and the client is identified by the XID agent, user-based policy is applied. If the user cannot be identified and a policy is assigned to the client's IP address, that policy is applied. Otherwise, the Default policy is applied.
 
Important 
Options include:
*
Disabled – specifies that requests do not proceed when authentication failures occur.
*
Enabled only for critical service failures (default) – specifies that requests proceed if authentication fails due to:
*
*
*
Enabled for all authentication failures, including incorrect password – specifies that requests proceed for all authentication failures, including password failures.
 
Important 
*
If Enabled only for critical service failures is selected, when a critical service failure occurs fail open is not applied. An error always results in fail closed.
*
If Enabled for all authentication failures, including incorrect password is selected, after trying basic credentials with every domain in the list, fail open is applied.
Credential Caching
Credential Caching options include:
*
*
*
Credential caching settings apply to all clients whether Content Gateway is an explicit or transparent proxy.
Credential caching applies to:
*
*
*
*
When IWA authenticates with Kerberos, Kerberos handles ticket (credential) caching.
Caching Method options
Cache using IP address only – specifies that all credentials are cached with IP address surrogates. This is the recommended method when all clients have unique IP addresses.
Cache using Cookies only – specifies that all credentials are cached with cookie surrogates. This is recommended when all clients share IP addresses, as with multi-host servers such as Citrix servers, or when traffic is NATed by a device that is forwarding traffic to Content Gateway.
Cache using both IP addresses and Cookies – specifies to use cookie surrogates for the IP addresses listed in the cookie caching list, and to use IP address surrogates for all other IP addresses. This is recommended when the network has a mix of clients, some with unique IP addresses and some using multi-user hosts or that are subject to NATing.
The cookie caching list is a comma separated list that can contain up to:
*
*
*
*
For a description of surrogate credentials, see Surrogate credentials.
 
Important 
 
Note 
Cache Time-To-Live
Cache Time-To-Live (TTL) specifies the duration, in minutes, that an entry in the cache is retained. When the TTL expires, the entry is removed and the next time that that user submits a request, the user is authenticated. If the authentication succeeds, an entry is placed in the cache.
The default TTL is 15 minutes. The range of valid values is 5 to 1440 minutes.
LDAP Specific Settings
When enabled, Purge LDAP cache on authentication failure causes the proxy to delete the authorization record for the client from the LDAP cache when an LDAP user authentication failure occurs.
Redirect Hostname
Redirect Hostname specifies an alternate hostname for the proxy.
 
Note 
By default, authenticating clients are redirected to the hostname of the Content Gateway machine. If clients are unable to resolve that hostname through DNS, or if an alternate DNS name for the proxy is defined, that hostname should be specified in the Redirect Hostname field.
 
Note 
To ensure that user authentication for transparent proxy occurs transparently (without prompting the user for credentials), the browser must be configured so that the Redirect Hostname is in its Intranet Zone. Typically, this is achieved by ensuring that the Redirect Hostname is in the same domain as the computer on which the browser is running. For example, if the client is workstation.example.com and the Redirect Hostname is proxyhostname.example.com, the browser allows authentication to occur transparently. Consult your browser documentation.
 
Note 
Content Gateway supports transparent authentication in proxy clusters that use WCCP load distribution. However, the assignment method distribution attribute must be the source IP address. For more information see WCCP load distribution.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Security > Content Gateway user authentication > Global authentication options
Copyright 2016 Forcepoint LLC. All rights reserved.