Authentication Settings
The Authentication settings are the settings for the Authentication module (engine), which handles the authentication of users who request web access.
Authentication Method
Settings for selecting an authentication method
Option | Definition |
---|---|
Authentication method | Provides a list for selecting an authentication method. After selecting a method, settings that are specific to it appear below the common settings. |
Authentication Test
Settings for testing whether a user with given credentials would be authenticated
Option | Definition |
---|---|
User | Specifies the user name that is tested. |
Password | Specifies the tested password. |
Authenticate User | Executes the test. |
Test result | Displays the outcome of the test. |
Common Authentication Parameters
Settings common to all authentication methods
There is also an advanced setting that is common to all authentication methods. It is described after the last of the subsections for specific authentication parameters.
Option | Definition |
---|---|
Proxy Realm | Specifies the location of the proxy that receives requests from users who are asked to authenticate. |
Authentication attempt timeout | Limits the time (in seconds) that an authentication attempt may take. If the attempt has not completed successfully within this time, the authentication process finishes. |
Use authentication cache | When selected, authentication information is stored in a cache. Authentication is then based on this stored information, rather than on information retrieved from an authentication server or the internal user database. |
Authentication cache TTL | Limits the time (in minutes) that authentication information is stored in the cache to the specified value. |
NTLM-specific Parameters
Settings for the NTLM authentication method
Option | Definition |
---|---|
Send domain and machine name to the client | When selected, the names of the appliance and its domain are sent to the client that a user who is to be authenticated sent a request from. An appliance can be joined to more than one domain, so different domain names can be used when connecting to a client, which can lead to problems with user authentication. Sending a particular domain name to the client might result in an authentication failure because a particular user name is unknown in this domain. Web browsers do not usually require domain name information, but some third-party applications that Web Gateway works with might require it. So we recommend proceeding as follows: There are, however, applications that require this option to be selected anyway. Otherwise they will close the connection to Web Gateway. This applies, for example, to some .NET based applications and to some popular open-source products, such as the Cntlm proxy. |
Default NTLM domain | Specifies the name of the default Windows domain used for looking up authentication information. This is one of the domains you have configured on the Appliances tab of the Configuration top-level menu. |
Get global groups | When selected, information about global user groups is searched for on the Windows domain server. |
Get local groups | When selected, information about local user groups is searched for on the Windows domain server. |
Prefix group name with domain name (domain\group) | When selected, the name of the Windows domain appears before the name of the user group when authentication information about this group is sent from the domain server. |
Enable basic authentication | When selected, the basic NTLM authentication method is applied to authenticate users. Information that a user submits for authentication is then sent in plain-text format (less secure) to the Windows domain server. |
Enable integrated authentication | When selected, the integrated NTLM authentication method is applied to authenticate users. Information that a user submits for authentication is then encrypted before it is sent to the Windows domain server. |
Enable NTLM cache | When selected, NTLM authentication information is stored in this cache. Authentication is then based on this stored information, rather than on information retrieved from the Windows domain server. |
NTLM cache TTL | Limits the time (in seconds) that authentication information is stored in this cache to the specified value. |
International text support | Specifies a set of characters used by default for a request sent from a client, for example, ISO-8859-1. |
NTLM-Agent-specific Parameters
Settings for the NTLM Agent authentication method
Option | Definition |
---|---|
Use secure agent connection | When selected, the connection used for communicating with the NTLM Agent is SSL-secured. |
Authentication connection timeout in seconds | Limits the time (in seconds) that the connection to the NTLM Agent stays open without activity. After this time, the connection is closed. |
Agent Definition | Provides a list for entering the agents that are involved in performing NTLM authentication. |
Default NTLM domain | Specifies the name of the default Windows domain used for looking up authentication information. This is one of the domains you have configured on the Appliances tab of the Configuration top-level menu. |
Get global groups | When selected, information about global user groups is searched for on the Windows domain server. |
Get local groups | When selected, information about local user groups is searched for on the Windows domain server. |
Prefix group name with domain name (domain\group) | When selected, the name of the Windows domain appears before the name of the user group when authentication information about this group is sent from the domain server. |
Enable basic authentication | When selected, the basic NTLM authentication method is applied to authenticate users. Information that a user submits for authentication is then sent in plain-text format (less secure) to the Windows domain server. |
Enable integrated authentication | When selected, the integrated NTLM authentication method is applied to authenticate users. Information that a user submits for authentication is then encrypted before it is sent to the Windows domain server. |
Enable NTLM cache | When selected, NTLM authentication information is stored in this cache. Authentication is then based on this stored information, rather than on information retrieved from the Windows domain server. |
NTLM cache TTL | Limits the time (in seconds) that authentication information is stored in this cache to the specified value. |
International text support | Specifies a set of characters used by default for a request sent from a client, for example, ISO-8859-1. |
User-Database-specific Parameters
Settings for the User Database authentication method
Option | Definition |
---|---|
Send domain and machine name to the client | When selected, the names of the appliance and the domain it has been assigned to are sent to the client that a user who is to be authenticated sent a request from. |
Enable basic authentication | When selected, the basic NTLM authentication method is applied to authenticate users. Information that a user submits for authentication is then sent in plain-text format (less secure) to the Windows domain server. |
Enable integrated authentication | When selected, the integrated NTLM authentication method is applied to authenticate users. Information that a user submits for authentication is then encrypted before it is sent to the Windows domain server. |
Enable NTLM cache | When selected, NTLM authentication information is stored in this cache. Authentication is then based on this stored information, rather than on information retrieved from the Windows domain server. |
NTLM cache TTL | Limits the time (in seconds) that authentication information is stored in this cache to the specified value. |
International text support | Specifies a set of characters used by default for a request sent from a client, for example, ISO-8859-1. |
LDAP-specific Parameters
Settings for the LDAP authentication method
Option | Definition |
---|---|
LDAP server(s) to connect to | Provides a list for entering the LDAP servers that authentication information is retrieved from. |
List of certificate authorities | Provides a list for entering the certificate authorities that issue certificates when a Secure LDAP (S-LDAP) connection is used for communication with an LDAP server. |
Credentials | Specifies the user name of an appliance for logging on to an LDAP server. |
Password | Sets the password for a user name. The Set button opens a window for configuring a new password. |
International text support | Specifies a set of characters used by default for a request sent from a client, for example, ISO-8859-1. |
Enable LDAP version 3 | When selected, version 3 of the LDAP protocol is used. If you want to configure Secure LDAP authentication, also known as LDAPS, you must use this LDAP version. This version is selected by default. |
Allow LDAP library to follow referrals | When selected, the lookup of user information can be redirected from the LDAP server to other servers. |
Connection live check | Specifies the interval (in minutes) between checks of whether the connection to the LDAP server is still active. |
LDAP operation timeout | Limits the time (in seconds) that the connection to the LDAP server stays open without communication. After this time, the connection is closed. |
Base distinguished name to user objects | Specifies the Distinguished Name (DN) in the directory on an LDAP server where the lookup of user attributes should begin. |
Map user name to DN | When selected, the name of the user who asks for authentication must map to a DN (Distinguished Name). This name identifies the user in the directory on the LDAP server. |
Filter expression to locate a user object | Specifies a filtering term for restricting the lookup of user attributes. To substitute the user name in the filtering term, u% is used as a variable. |
Get user attributes | When selected, user attributes are looked up on the LDAP server to authenticate a user. |
User attributes to retrieve | Provides a list for entering the user attributes that should be retrieved from an LDAP server. |
Attributes concatenation string | Specifies a string for separating user attributes found by a lookup, for example, / (slash). |
Get groups attributes | When selected, user group attributes are also looked up on the LDAP server to authenticate a user. |
Base distinguished name to group objects | Specifies the Distinguished Name (DN) in the directory on the LDAP server where the lookup of group attributes should begin. |
Filter expression to locate a group object | Specifies a filtering term for restricting the lookup of group attributes. To substitute the user name in the filtering term, u% is used as a variable. |
Group attributes to retrieve | Provides a list for entering the group attributes that should be retrieved from an LDAP server. |
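The user lookup that the LDAP table describes, carried out against a small in-memory directory: the user name is substituted for the u% variable of the filter expression, the search is scoped to the base DN, the DN of the matching entry is the result of the user-name-to-DN mapping, and the retrieved attributes are joined with the concatenation string. This is an added example, not Web Gateway's code; it escapes the substituted value as RFC 4515 requires (the page does not say how the product does this), supports only flat AND-of-equality filters, and uses a constructed directory.

```python
import re

# RFC 4515: these characters must be hex-escaped when a value is embedded in a
# filter; otherwise a user name containing them would change the filter itself.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(template: str, user_name: str) -> str:
    """Substitute the submitted user name for the u% variable of the template."""
    return template.replace("u%", escape_filter_value(user_name))

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def matches(filter_str: str, entry: dict) -> bool:
    """Evaluate a flat AND-of-equalities filter such as
    (&(objectClass=user)(sAMAccountName=jdoe)) against one entry.
    Values compare case-insensitively, as most directories do."""
    terms = re.findall(r"\((\w+)=([^()]*)\)", filter_str)
    return bool(terms) and all(
        _unescape(val).lower() in [v.lower() for v in entry.get(attr, [])]
        for attr, val in terms)

def lookup_user(directory, base_dn, template, user_name, attrs, separator="/"):
    """'Map user name to DN' followed by 'User attributes to retrieve': returns
    (user DN, attributes joined with the concatenation string) or None."""
    flt = build_filter(template, user_name)
    for dn, entry in directory.items():
        if not dn.lower().endswith(base_dn.lower()):
            continue  # entry lies outside the configured base DN
        if matches(flt, entry):
            values = [v for a in attrs for v in entry.get(a, [])]
            return dn, separator.join(values)
    return None

# Constructed sample directory, not real data.
DIRECTORY = {
    "cn=Jane Doe,ou=people,dc=example,dc=com": {
        "objectClass": ["user"], "sAMAccountName": ["jdoe"],
        "mail": ["jdoe@example.com"], "department": ["IT"]},
    "cn=Svc Proxy,ou=services,dc=example,dc=com": {
        "objectClass": ["user"], "sAMAccountName": ["svc-proxy"],
        "mail": ["proxy@example.com"]},
}
TEMPLATE = "(&(objectClass=user)(sAMAccountName=u%))"
BASE_DN = "ou=people,dc=example,dc=com"
```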
Digest Authentication
Settings for LDAP digest authentication
Option | Definition |
---|---|
Enable digest authentication | When selected, digest authentication is performed as the method for authenticating users under LDAP. |
Digest algorithm | Lets you select an algorithm to calculate hash values for passwords. When user credentials are submitted from a browser to the proxy on Web Gateway, the password is hashed using this algorithm. You can select one of the following: |
User attribute with password hash | Specifies the attribute of a user entry on the LDAP server that stores the value for the authentication hash. |
Nonce maximal use count | Sets a limit to repeated uses of the nonce (number used once) that is transmitted in the authentication process and required as a parameter for calculating the authentication hash. By default, a nonce can be used at most 100 times. |
Nonce maximal TTL | Sets a limit to the time period (in minutes) that a nonce remains valid. By default, a nonce remains valid for at most 30 minutes. |
Enable digest URI check | When selected, a check is performed to ensure that the URL that a client sends as a parameter for calculating the authentication hash is the same as the URL that this client sends in its request for accessing a particular destination on the web. If this check fails, the request is blocked. As this check might also fail due to problems with the different formats that the browsers on the clients use for sending URLs, it is optional. The check is enabled by default. |
Allow digest authentication only | When selected, digest authentication must always be performed if a user is to be authenticated under the LDAP authentication method. |
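The nonce limits and the URI check described above, as an added example of the proxy-side verification of one Proxy-Authorization header (not Web Gateway's code): the nonce store enforces the default use count of 100 and TTL of 30 minutes, the digest URI check compares the uri parameter with the request URI, and the response is recomputed from an HA1 value of the kind the configured LDAP password-hash attribute would hold. MD5 with qop=auth (RFC 2617) is assumed, since the page does not list the selectable algorithms.

```python
import hashlib
import hmac
import re
import secrets

class NonceStore:
    """Nonces issued by the proxy: at most max_uses uses, within ttl_minutes of issue."""
    def __init__(self, max_uses=100, ttl_minutes=30):
        self.max_uses, self.ttl = max_uses, ttl_minutes * 60
        self._nonces = {}  # nonce -> [issued_at, uses]

    def issue(self, now):
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = [now, 0]
        return nonce

    def consume(self, nonce, now):
        rec = self._nonces.get(nonce)
        if rec is None or now - rec[0] > self.ttl or rec[1] >= self.max_uses:
            self._nonces.pop(nonce, None)  # stale or exhausted: forget it
            return False
        rec[1] += 1
        return True

def parse_digest(header):
    """Turn 'Digest k="v", k2=v2, ...' into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in
            re.findall(r'(\w+)=("[^"]*"|[^,]+)', header.split(" ", 1)[1])}

def ha1_for(user, realm, password):
    """MD5(user:realm:password): what the LDAP password-hash attribute would hold."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth; the uri is part of the hashed input."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()

def verify(header, method, request_uri, ha1_lookup, nonces, now, uri_check=True):
    """Return (ok, reason) for one Proxy-Authorization header."""
    p = parse_digest(header)
    if uri_check and p.get("uri") != request_uri:
        return False, "digest URI check failed"  # the request is blocked
    ha1 = ha1_lookup(p.get("username", ""))
    if ha1 is None:
        return False, "unknown user"
    expected = digest_response(ha1, method, p.get("uri", ""), p.get("nonce", ""),
                               p.get("nc", ""), p.get("cnonce", ""), p.get("qop", "auth"))
    if not hmac.compare_digest(expected, p.get("response", "")):
        return False, "bad response"
    if not nonces.consume(p.get("nonce", ""), now):
        return False, "nonce expired or over use count"
    return True, "ok"
```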
RADIUS-specific Parameters
Settings for the RADIUS authentication method
Option | Definition |
---|---|
RADIUS server definition | Provides a list for entering the RADIUS servers that authentication information is retrieved from. |
Default domain name | Specifies the name of the domain that information is retrieved from if no other domain is specified. |
Shared secret | Sets the password used by an appliance to get access to a RADIUS server. |
Radius connection timeout in seconds | Limits the time (in seconds) that the connection to the RADIUS server stays open without traffic. After this time, the connection is closed. |
International text support | Specifies the set of characters used by default for a request sent from a client, for example, ISO-8859-1. |
Value of attribute with code | Sets the code value for the attribute retrieved with the user group information, according to RFC 2865. For example, 25 is the code for the "class" attribute. |
Vendor specific attribute with vendor ID | Sets the Vendor ID that is required for retrieving vendor-related data in the search for user group information. According to RFC 2865, the vendor ID is a part of the vendor attribute, followed by several subattributes. The code value of the vendor attribute is 26. |
Vendor subattribute type | Sets a code value for the type of subattributes included in a vendor attribute, according to RFC 2865. Since not all vendors adhere to this structure, we recommend specifying 0 as the value here. This allows the authentication module to retrieve all available vendor information. |
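How the three attribute settings above select group information from an Access-Accept, as an added example (not Web Gateway's code): attributes are Type/Length/Value triples per RFC 2865, the Class attribute is code 25, and the Vendor-Specific attribute (code 26) carries a 4-byte vendor ID followed by subattributes in the same layout, where a subattribute type of 0 returns them all. The vendor ID 4242 and the sample bytes are constructed, not a real capture.

```python
import struct

CLASS = 25            # code of the "Class" attribute (RFC 2865)
VENDOR_SPECIFIC = 26  # code of the Vendor-Specific attribute (RFC 2865)

def parse_attributes(data: bytes):
    """Yield (type, value) pairs from a RADIUS attribute section. Each attribute
    is Type (1 byte), Length (1 byte, counting both header bytes), Value."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        code, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")  # malformed: reject, never guess
        yield code, data[pos + 2:pos + length]
        pos += length

def is_malformed(data: bytes) -> bool:
    try:
        list(parse_attributes(data))
        return False
    except ValueError:
        return True

def attribute_values(attrs: bytes, code: int):
    """Values of the attribute selected by 'Value of attribute with code'."""
    return [value for c, value in parse_attributes(attrs) if c == code]

def vendor_values(attrs: bytes, vendor_id: int, subtype: int = 0):
    """Subattributes of every Vendor-Specific attribute carrying vendor_id.
    The VSA value is a 4-byte vendor ID followed by subattributes in the same
    Type/Length/Value layout; subtype 0 returns all of them, as recommended
    above, otherwise only those of the given type."""
    found = []
    for code, value in parse_attributes(attrs):
        if code != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue
        for sub_type, sub_value in parse_attributes(value[4:]):
            if subtype == 0 or sub_type == subtype:
                found.append((sub_type, sub_value))
    return found

def _attr(code: int, value: bytes) -> bytes:
    return bytes([code, len(value) + 2]) + value

def _vsa(vendor_id: int, sub_type: int, value: bytes) -> bytes:
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + _attr(sub_type, value))

# Constructed attribute section of an Access-Accept (not a real capture): one
# Class attribute plus two subattributes under the constructed vendor ID 4242.
SAMPLE = _attr(CLASS, b"OU=staff") + _vsa(4242, 1, b"grp-a") + _vsa(4242, 7, b"grp-b")
```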
Kerberos-specific Parameters
Settings for the Kerberos authentication method
More settings for this authentication method can be configured using the Kerberos Administration system settings, which can be accessed under the Configuration top-level menu.
Option | Definition |
---|---|
Extract group membership IDs from the ticket | When selected, information to identify the groups that a user is a member of is retrieved from the ticket that is used in the process of authenticating users under the Kerberos authentication method. When this option is selected, the following option becomes accessible. |
Look up group names via NTLM | When selected, the names of the groups that a user is a member of are retrieved using the NTLM authentication method. |
Authentication-Server-specific Parameters
Settings for the Authentication Server method
Option | Definition |
---|---|
Authentication server URL | Specifies the URL of a server that information is retrieved from under this method to authenticate users. |
Require client ID | When selected, authentication is performed based on the ID of the client that a user sent a request from. If appropriate information is stored on the authentication server under this ID, the user is authenticated. |
Store authentication result in a cookie | When selected, authentication is performed based on the information that is stored on the authentication server. The result of the authentication is also stored in a cookie. This is done when a user is authenticated for the first time. When the same user sends the next request, authentication is performed based on the information stored in the cookie. The user is not prompted to authenticate again. |
Allow persistent cookie for the server | When selected, a cookie can be used persistently to authenticate a user. |
Cookie TTL for the authentication server in seconds | Limits the time (in seconds) that a cookie for authenticating a user is stored. |
Cookie prefix | Specifies a prefix that is added to a cookie when authentication is performed on Secure Web Gateway, for example, MWG_Auth. |
One-Time-Passwords-specific Parameters
Settings for the One-time Password authentication method
Option | Definition |
---|---|
OTP server | Specifies the IP address and port number of the OTP server that Web Gateway connects to when authenticating a user under the One-time Password authentication method. |
Communicate with SSL and trust certificate below | When selected, communication with the OTP server is performed using an SSL-secured connection. When this option is selected, the information in the following four fields is no longer grayed out and the Import button below these fields becomes accessible. The fields provide detailed information about the certificate that is currently used in SSL-secured communication with the OTP server. |
WS client name | Specifies the user name for Web Gateway in communication with the OTP server. |
WS client password | Specifies the password for Web Gateway in communication with the OTP server. |
OTP message | Specifies the prefix to messages that are sent from the OTP server to Web Gateway and the delimiters that enclose a message. By default a message looks like this: |
Advanced Parameter
Setting for configuring advanced authentication
Option | Definition |
---|---|
Always evaluate property value | When selected, a new evaluation to assign a value to a property is performed each time a rule containing this property is processed. If a value has been stored for a property in the cache, it is not used. While using cache values is recommended to improve performance, there can be situations where the new evaluation of a property is required. In these situations, the same property is used more than once within the authentication rules and with the same settings of the Authentication module. A new evaluation ensures the most current value is assigned to the property each time. |