Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Global authentication options
Help | Content Gateway | v8.5.x
Use the Configuration > Security > Access Control > Global Authentication Options page to configure:
*
User authentication Fail Open/fail closed behavior
*
*
The Redirect Options (required for transparent proxy deployments)
(Note that this section was called Redirect Hostname prior to v8.5.4.)
*
These settings apply to all proxy user authentication configurations, within the parameters stated for each option below.
Whenever changes are made to any of these settings, click Apply to save your changes and then restart the proxy to put the changes into effect.
Fail Open
Fail Open specifies whether requests are allowed to proceed for processing when user authentication fails.
When Fail Open is enabled and a Forcepoint Web Security transparent identification agent is configured, if authentication fails and the client is identified by the agent, user-based policy is applied. If the user cannot be identified and a policy is assigned to the client's IP address, that policy is applied. Otherwise, the Default policy is applied.
 
Important 
Options include:
*
Disabled – specifies that requests do not proceed when authentication failures occur.
*
Enabled only for critical service failures (default) – specifies that requests proceed if authentication fails due to:
*
*
*
Enabled for all authentication failures, including incorrect password – specifies that requests proceed for all authentication failures, including password failures.
 
Important 
*
If Enabled only for critical service failures is selected, when a critical service failure occurs fail open is not applied. An error always results in fail closed.
*
If Enabled for all authentication failures, including incorrect password is selected, after trying basic credentials with every domain in the list, fail open is applied.
Credential Caching
Credential Caching options include:
*
*
*
*
Cookie Expiration (added in v8.5.3)
*
Credential caching settings apply to all clients whether Content Gateway is in transparent or explicit mode. In explicit mode, caching exceptions can be configured.
Credential caching applies to:
*
*
*
*
When IWA authenticates with Kerberos, Kerberos handles ticket (credential) caching.
Credential Caching selections
Cache all authentication credentials -- specifies that user credentials should be cached for all requests. This selection applies to both transparent and explicit proxy.
Cache all authentication credentials except from the specified IP addresses-- specifies that authentication credentials should not be cached when requests are made from the IP addresses added to the list provided. Exceptions listed here apply only when Content Gateway is in explicit proxy mode.
In the box provided, enter the IP addresses for which you do not want authentication information cached. Specify a comma separated list of IP addresses or IP address ranges that host multiple users.
 
Note 
Caching Method options
Cache using IP address only – specifies that all credentials are cached with IP address surrogates. This is the recommended method when all clients have unique IP addresses.
Cache using Cookies only – specifies that all credentials are cached with cookie surrogates. This is recommended when all clients share IP addresses, as with multi-host servers such as Citrix servers, or when traffic is NATed by a device that is forwarding traffic to Content Gateway.
Cache using both IP addresses and Cookies – specifies to use cookie surrogates for the IP addresses listed in the cookie caching list, and to use IP address surrogates for all other IP addresses. This is recommended when the network has a mix of clients, some with unique IP addresses and some using multi-user hosts or that are subject to NATing.
The cookie caching list is a comma separated list that can contain up to:
*
*
*
*
For a description of surrogate credentials, see Surrogate credentials.
 
Important 
 
Note 
Cache Time-To-Live
Cache Time-To-Live (TTL) specifies the duration, in minutes, that an entry in the cache is retained. When the TTL expires, the entry is removed and the next time that the user submits a request, the user is authenticated. If the authentication succeeds, an entry is placed in the cache.
The default TTL is 15 minutes. The range of valid values is 5 to 1440 minutes.
Cookie Expiration (added in v8.5.3)
Cookie caching allows a user to re-access the system without authentication until the cookie is no longer valid. Select Delete cookies upon logout to force cookies expire when the user ends a session.
This feature is recommended in deployments where multiple users share a machine.
LDAP Specific Settings
When enabled, Purge LDAP cache on authentication failure causes the proxy to delete the authorization record for the client from the LDAP cache when an LDAP user authentication failure occurs.
Redirect Options
(Prior to v8.5.4, this section was labeled Redirect Hostname.).
Redirect Options include:
*
Redirect Hostname specifies an alternate hostname for the proxy.
By default, authenticating clients are redirected to the hostname of the Content Gateway machine. If clients are unable to resolve that hostname through DNS, or if an alternate DNS name for the proxy is defined, that hostname should be specified in the Redirect Hostname field.
 
Note 
To ensure that user authentication for transparent proxy occurs transparently (without prompting the user for credentials), the browser must be configured so that the Redirect Hostname is in its Intranet Zone. Typically, this is achieved by ensuring that the Redirect Hostname is in the same domain as the computer on which the browser is running. For example, if the client is workstation.example.com and the Redirect Hostname is proxyhostname.example.com, the browser allows authentication to occur transparently. Consult your browser documentation.
 
Note 
Content Gateway supports transparent authentication in proxy clusters that use WCCP load distribution. However, the assignment method distribution attribute must be the source IP address. For more information see WCCP load distribution.
*
Redirect for HTTPS Authentication (added with v8.5.4) enables authentication of HTTPS requests over HTTPS, using port 8443.
By default, all authentication for HTTPS requests is done over HTTP, using port 8080. Click Enabled to direct all HTTPS requests to authenticate over HTTPS.
Cookie Sharing
Authentication credentials cached with cookie surrogates can be shared across all nodes in a cluster.
When cookie mode caching is enabled, after a user is authenticated the cookie for that user is used for subsequent authentication attempts by any of the proxies that are clustered with the proxy that did the initial authentication. This feature is especially useful in load balanced environments.
When either Cache using Cookies only or Cache using both IP addresses and Cookies is enabled, the Cookie Sharing option is automatically enabled.
 
Note 
*
Select Choose File for both Public and Private keys to import your own keys for use with this feature. Browse to the file you want to use and select it. Files must be in PEM format.
The same keys must be imported for each proxy in the cluster.
*
After selecting each file, click Import Keys to import custom keys (recommended) and store them in the default location.
Note that default keys are provided and are added when the product is installed or upgraded. The default files are:
/opt/WCG/config/cookie_auth_public.pem
/opt/WCG/config/cookie_auth_private.pem
Select the files you wish to import. The custom keys are automatically copied to this folder and renamed to the default names.
 
Important 
Keys must be PKCS#1 RSA public keys and are RSA 1024/2048/4096 bit public and private key pairs without a passphrase. Use the following commands to generate keys:
openssl genrsa -out cookie_auth_private.pem 1024
openssl rsa -in cookie_auth_private.pem -RSAPublicKey_out -out cookie_auth_public.pem
Change 1024 to 2048 or 4096 to generate 2048 or 4096 bit keys.
*
Select Save Public Key and Save Private Key to make a backup of the files.
Select the location and filenames to use for the backup copy, keeping in mind that the default names are always used for the active keys.
Key files should be backed up prior to importing new keys.
When load balancing has been configured, all proxies must use the same setting for Redirect Hostname. The value must be the fully qualified domain name (FQDN) of the load balancer.
 
Important 

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Copyright 2020 Forcepoint. All rights reserved.