When configuring authentication, you need to consider the type of deployment that is configured for handling the traffic between Web Gateway and its clients, such as the explicit proxy mode or a transparent mode. For each type, there is a rule set in the rule set library that is best suited to handle authentication.
The following two questions are important with regard to the authentication process:
- How are the user credentials that are evaluated during this process obtained by Web Gateway?
NOTE: This part of the authentication process is sometimes referred to as the authentication front-end.
The method for obtaining user credentials depends on whether the explicit proxy mode (also known as direct proxy mode) or a transparent mode (transparent router or bridge mode) is configured for handling the traffic between Web Gateway and its clients.
As an additional option for the explicit proxy mode, you can configure clients to send their requests through a service that runs under the WCCP protocol.
The rule set library provides suitable rule sets for each of these modes.
- How should credentials be evaluated once they have been obtained?
This is sometimes referred to as the authentication back-end.
The evaluation of credentials depends on the authentication method that is configured, for example, LDAP or NTLM.
Library rule sets for authentication
The rule sets for configuring authentication are located in the Authentication rule set group of the rule set library.
The following table shows which of these rule sets are recommended for particular types of deployment.
|Deployment type|Recommended library rule set|
|---|---|
|Explicit proxy mode|Direct Proxy Authentication and Authorization|
|Transparent router or bridge mode|Authentication Server (Time/IP Based Session)|
|Explicit proxy mode with WCCP|If traffic is processed in:|
After importing a rule set from the library, you can modify its rules to adapt them further to the needs of your network.
Position in the rule sets tree
An authentication rule set should be placed after the Global Whitelist rule set, but before the Common Rules rule set (if you keep these items from the default rule sets tree).
Placing an authentication rule set in this way ensures that a user need not be authenticated when sending a request for a web object that is on the global whitelist.
Authentication for the explicit proxy mode
When configuring authentication for the explicit proxy mode, a suitable rule set must be implemented on Web Gateway.
Library rule set for the explicit proxy mode
The recommended library rule set for the explicit proxy mode is Direct Proxy Authentication and Authorization.
This rule set has two nested rule sets:
- Authenticate with User Database
- Authorize User Groups
When this rule set is implemented, the authentication process is performed for each request that is received from a client of Web Gateway unless an exception rule applies.
Using this rule set is also the preferred way of handling authentication when Citrix is installed or workstations are shared in a configuration.
Direct Proxy Authentication and Authorization rule set
This rule set contains rules for making exceptions that allow a request to be processed on Web Gateway without authenticating the user who sent the request.
Exceptions can be based on:
- The IP address of the client that a request was sent from
- The URL of the web object that is the destination of the request
Using these rules you can ensure that requests coming in from trusted clients or going out to trusted destinations are spared the effort of performing an authentication process for their users, which increases performance.
You can also create rules of your own and add them to this rule set to allow for more exceptions.
Authenticate with User Database nested rule set
This rule set contains a rule that lets authentication be performed for a user who sends a request for web access from a client of Web Gateway. The user is asked to submit credentials, which are evaluated based on information that is stored in the internal user database.
The rule set applies only if the user in question has not yet been authenticated and has not previously failed an authentication attempt. The Authentication.Is.Authenticated and Authentication.Failed properties are used to check these two conditions.
Instead of using information from the internal user database to evaluate the credentials, you can configure a different authentication method, for example, LDAP or NTLM.
Authorize User Groups nested rule set
This rule set contains a rule that allows only requests of authorized users, which means a request is blocked if the user who sent it is not a member of one of the user groups on a particular list. The request is blocked, even if the user has successfully passed the evaluation that was performed before.
This rule allows you to implement an additional security check. If you want to use it, you need to fill the list that is used in this rule set with user groups. If you do not want to use it, you can disable or delete the rule set.
Modifying the rule set for the explicit proxy mode
When configuring authentication for the explicit proxy mode, you can modify the library rule set to adapt it to the needs of your network.
- Changing the authentication method
- Modifying, disabling, or deleting user authorization
- Configuring more exception rules
Changing the authentication method
By default, the method used for evaluating credentials is comparing them to the information stored in the internal user database.
To change this authentication method (authentication back-end), you need to configure the settings that appear next to the Authentication.Authenticate property in the only rule of the Authenticate with User Database rule set.
Under Authentication method, a list of authentication methods is provided to let you select a method that is better suited to the needs of your network, for example, LDAP or NTLM.
Modifying, disabling, or deleting user authorization
The nested Authorize User Groups rule set allows only requests from authorized users. You can fill the list that is provided in the only rule of this rule set with user groups as needed.
If you do not want to use this rule as an additional security check, you can disable or delete the rule set.
Configuring more exception rules
You can add rules to the Direct Proxy Authentication and Authorization rule set to cover more exceptions from the authentication process.
If any of these rules applies, processing of the rule set is stopped, which means it is not executed for the nested rule sets that handle authentication.
For example, you can add a rule to allow requests when the browser on the client they were sent from runs with a particular user agent. Information about the user agent is taken from the request header.
The rule might look as follows:
Skip authorization for user agents that are in list Allowed User Agents
Header.Request.Get ("User-Agent") matches in list Allowed User Agents -> Stop Rule Set
Another rule could allow requests for access to objects on web servers with IP addresses that are on a particular list. The IP address is taken from the URL that was submitted with a request.
This rule might look as follows:
Skip authorization for destination IPs that are in list Allowed Destination IPs
URL.Destination.IP is in range list Allowed Destination IPs -> Stop Rule Set
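The following Python model is an added example, not Web Gateway product code, of how the Direct Proxy Authentication and Authorization rule set described above is evaluated: the exception rules (client IP, destination URL, and the two example rules for user agents and destination IPs) end with Stop Rule Set so that the nested rule sets are skipped, Authenticate with User Database applies only while Authentication.Is.Authenticated and Authentication.Failed are both false, and Authorize User Groups blocks a request even after successful authentication if the user is in none of the listed groups. The list contents, the user database, the request shape and the simple string and prefix matching are constructed assumptions; the product's own list matching and DNS resolution of URL.Destination.IP are not reproduced.

```python
# Added example (not Web Gateway product code): a model of the evaluation
# order of the Direct Proxy Authentication and Authorization rule set.
# Property names in the comments (Authentication.Is.Authenticated,
# Authentication.Failed, Header.Request.Get("User-Agent"),
# URL.Destination.IP) mirror the ones named in the text; all lists, the
# user database and the request shape below are constructed for this example.
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed lists standing in for the lists referenced by the rules.
TRUSTED_CLIENT_IPS = [ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_URL_PREFIXES = ["https://updates.example.com/"]
ALLOWED_USER_AGENTS = ["MonitoringAgent/1.0"]          # exact match assumed
ALLOWED_DESTINATION_IPS = [ipaddress.ip_network("192.0.2.0/24")]  # RFC 5737 range
AUTHORIZED_GROUPS = {"proxy-users"}

# Constructed internal user database: user -> (password, groups).
USER_DB = {
    "alice": ("alice-pass", {"proxy-users"}),
    "bob": ("bob-pass", {"guests"}),
}


@dataclass
class Request:
    client_ip: str
    url: str
    user_agent: str = "Mozilla/5.0"
    credentials: Optional[Tuple[str, str]] = None  # (user, password) sent by the client
    # State Web Gateway keeps in its Authentication.* properties:
    authenticated: bool = False                     # Authentication.Is.Authenticated
    auth_failed: bool = False                       # Authentication.Failed
    user_groups: Set[str] = field(default_factory=set)


def destination_ip(url: str):
    """Stand-in for URL.Destination.IP: only a literal IP host is handled here;
    the product resolves host names, which this offline example does not."""
    host = urlparse(url).hostname
    try:
        return ipaddress.ip_address(host) if host else None
    except ValueError:
        return None


def process(req: Request) -> str:
    """Evaluate the modelled rule set for one request.

    Returns "continue" (exception applied or user authenticated and authorized;
    later rule sets such as Common Rules would run next), "challenge" (credentials
    missing or wrong; the user is asked to submit them), or "block" (user not a
    member of an authorized group, regardless of authentication success).
    """
    # --- Exception rules of the top-level rule set; each ends with Stop Rule Set ---
    client = ipaddress.ip_address(req.client_ip)
    if any(client in net for net in TRUSTED_CLIENT_IPS):
        return "continue"
    if any(req.url.startswith(p) for p in TRUSTED_URL_PREFIXES):
        return "continue"
    # Header.Request.Get("User-Agent") matches in list Allowed User Agents
    if req.user_agent in ALLOWED_USER_AGENTS:
        return "continue"
    # URL.Destination.IP is in range list Allowed Destination IPs
    dest = destination_ip(req.url)
    if dest is not None and any(dest in net for net in ALLOWED_DESTINATION_IPS):
        return "continue"

    # --- Nested rule set: Authenticate with User Database ---
    # Applies only while the user is neither authenticated nor marked as failed.
    if not req.authenticated and not req.auth_failed:
        if req.credentials is None:
            return "challenge"
        user, password = req.credentials
        entry = USER_DB.get(user)
        # Constant-time comparison so password length/prefix is not leaked by timing.
        if entry is None or not hmac.compare_digest(entry[0], password):
            req.auth_failed = True
            return "challenge"
        req.authenticated = True
        req.user_groups = set(entry[1])

    # --- Nested rule set: Authorize User Groups ---
    # A user who failed earlier is not re-challenged here and has no groups,
    # so this rule blocks the request; an authenticated user is blocked too
    # unless a group membership is on the authorized list.
    if not (req.user_groups & AUTHORIZED_GROUPS):
        return "block"
    return "continue"
```

Running `process` on a request from a client in the trusted 10.0.0.0/8 range, or with the listed user agent, returns "continue" without any credentials being examined, which is the performance effect the exception rules are meant to have; a request from an unlisted client with a valid password for a user outside the authorized groups returns "block" even though authentication succeeded.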