User identification and authentication with Forefront TMG

Applies to:
  • Forcepoint URL Filtering, v8.5.x

In order to apply user and group-based policies to Internet requests, Filtering Service must receive information about the user making the request. If no user information is available, only IP address-based policies or the Default policy can be applied to requests.

To ensure that Filtering Service receives user information, you can:

  • Enable authentication within TMG.
  • Install a transparent identification agent (DC Agent, Logon Agent, eDirectory Agent, or RADIUS Agent).
  • Enable manual authentication within your web protection software. Users who cannot be identified by other means are prompted for logon information when they open a browser.

See Manual Authentication for more information.

TMG clients

These TMG clients are supported: Firewall/Forefront TMG clients, SecureNAT clients, and Web Proxy clients (each is described below).

The term clients in this environment refers to computers or applications that run on computers and rely on a server to perform some operations.

Each type of client can be configured so that your web protection software can obtain user identification and manage Internet requests based on user and group policies.

Firewall/Forefront TMG and SecureNAT clients

Firewall/Forefront TMG and SecureNAT clients cannot identify users transparently without special settings. These clients require a transparent identification agent to authenticate users. To enable user-based security policies with these clients, select one of these options:

  • Configure computer browsers to access the Internet through TMG. This configuration allows Firewall/Forefront TMG and SecureNAT clients to also work as Web Proxy clients.

    If you choose this option, see Web Proxy clients for more information.

  • If you are using a Windows-based directory service, disable all authentication methods within TMG and use transparent identification. This method allows Filtering Service to obtain user identification from the network’s directory services.

    See Transparent identification for more information.

  • Enable your software to prompt users for authentication (manual authentication). This method allows your web protection software to obtain the user information it needs if neither the TMG nor a transparent identification agent provides the information.

    See Manual Authentication for more information.

Web Proxy clients

After the browser is configured to use TMG as a proxy server, Web Proxy clients send Internet requests directly to TMG. You can assign individual user or group policies with one of the following methods.

  • If your network uses only Microsoft Internet Explorer™ browsers, you can enable Integrated Windows Authentication within TMG to identify users transparently.
  • If you are using a Windows-based directory service with various browsers, you can identify users transparently by disabling all authentication methods within TMG and implementing transparent identification.

    See Transparent identification for more information.

  • If the network uses a mixture of browsers, you can enable one or more of TMG’s authentication methods. Some of these methods may require users to authenticate manually for certain older browsers.

    See Authentication Methods for more information.

  • Enable your software to prompt users for authentication (manual authentication). This method allows Filtering Service to obtain the user information it needs if neither TMG nor a transparent identification agent provides the information.

    See Manual Authentication for more information.

Authentication Methods

TMG provides 4 methods of authentication: Basic, Digest, Integrated Windows, and Client Certificate (each is described below).

Internet Explorer supports all of these authentication methods. Other browsers may support only Basic authentication.

When no authentication method is enabled in TMG, it does not pass your web protection software any information about who is making the Internet request. When this occurs, you can:

  • Apply computer and network policies.
  • Enable manual authentication to permit user-based policy enforcement.

    See Manual Authentication for more information.

  • Enable transparent identification to permit user-based policy enforcement.

    See Transparent identification for more information.

Basic authentication

Basic authentication prompts users to authenticate (log on) each time they open a browser. This authentication allows TMG to obtain user identification, regardless of the browser, and send the information to Filtering Service, which manages Internet requests based on individual user and group policies.

If Basic authentication is enabled in combination with Integrated Windows authentication:

  • Users with Microsoft Internet Explorer browsers are transparently identified.
  • Users with other browsers are prompted for a user name and password.

Digest authentication

Digest authentication is a secure authentication method used in Windows Server 2003 domains. The features are the same as Basic authentication, but the user name and password are hashed, rather than sent in clear text, when they are sent from the browser to TMG. The user can authenticate to TMG without the user name and password being intercepted on the wire. User information is sent to Filtering Service, which then manages Internet requests based on individual user and group policies.

If Digest authentication is enabled in combination with Integrated Windows authentication:

  • Users with Microsoft Internet Explorer browsers are transparently identified.
  • Users with other browsers are prompted for a user name and password.
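The difference between Basic and Digest described above, as an added Python example (not code from the Forcepoint page or from TMG): a Basic Proxy-Authorization header is reversible base64, so anyone who can read the unencrypted HTTP traffic recovers the password, whereas an RFC 2617 Digest response is an MD5 hash the proxy verifies against a stored hash. The user, password, realm and nonce are constructed sample values, and the Digest computation assumes the plain RFC 2617 form without qop.

```python
import base64
import hashlib
import secrets

# Constructed sample values for the demonstration (not real accounts or hosts).
USERNAME = "jdoe"
PASSWORD = "S3cret!"
REALM = "proxy.example.local"   # assumed realm string sent in the 407 challenge
NONCE = "dcd98b7102dd2f0e"      # assumed server-chosen nonce for this exchange
METHOD = "GET"
URI = "http://www.example.com/"


def basic_header(user: str, password: str) -> str:
    """Proxy-Authorization value a browser sends for Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def credentials_from_basic_header(header: str) -> tuple:
    """What an observer on the wire recovers from a Basic header: an
    encoding, not encryption, so the clear-text password comes straight back."""
    decoded = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = decoded.partition(":")
    return user, password


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password); this is what the server side stores."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(user, password, realm, nonce, method, uri) -> str:
    """Browser side: response = MD5(HA1:nonce:HA2), HA2 = MD5(method:uri).
    The password itself never leaves the client."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{digest_ha1(user, realm, password)}:{nonce}:{ha2}")


def proxy_verifies_digest(stored_ha1, nonce, method, uri, response) -> bool:
    """Proxy side: recompute from the stored HA1 and compare in constant time.
    A response captured for one nonce does not verify against a fresh nonce."""
    expected = _md5(f"{stored_ha1}:{nonce}:{_md5(f'{method}:{uri}')}")
    return secrets.compare_digest(expected, response)
```

Basic is acceptable only when the browser-to-TMG leg is protected (the page's SSL option for manual authentication, or a trusted network segment); Digest avoids exposing the password but still depends on the proxy challenging with a fresh nonce.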

Integrated Windows authentication

Integrated Windows authentication provides secure authentication. With this authentication enabled, TMG obtains user identification transparently from browsers using Microsoft Internet Explorer. User information is sent to Filtering Service, which then applies user and group policies.

If your network has a mixture of Microsoft Internet Explorer browsers and other browsers, you can enable both Basic and Integrated Windows authentication, or Digest and Integrated Windows authentication. In either configuration:

  • Users with Microsoft Internet Explorer browsers are identified transparently.
  • Users with other browsers are prompted for a user name and password.
    Note: To transparently identify all users in a mixed browser environment, you can disable Basic or Digest authentication and use transparent identification (see Transparent identification) in conjunction with Integrated Windows authentication.

Client Certificate authentication

Client Certificate authentication identifies users requesting information from a website. If Client Certificate authentication is used, TMG requests the certificate and verifies that it belongs to a client that is permitted access before allowing the Internet request.

Note: To use transparent identification, you must disable Client Certificate authentication.

Before changing authentication methods, consider the impact of the change on other TMG functions.

For more information about TMG authentication and how to configure these authentication methods, see Microsoft’s documentation.

Transparent identification

Transparent identification agents (DC Agent, Logon Agent, eDirectory Agent, and RADIUS Agent) allow Filtering Service to apply user and group based policies to Internet requests without prompting users to authenticate in the browser.

  • If TMG is not configured to send user information to Filtering Service, you can use a transparent identification agent to identify HTTP and non-HTTP users.
  • If TMG provides user information for HTTP(S) requests, you can still use a transparent identification agent to obtain user and group information for other protocol requests, managed by Network Agent.

See Installation Instructions: Forcepoint URL Filtering for instructions on installing individual components. See User Identification for information about configuring transparent identification agents.

Forcepoint URL Filtering also offers secure manual authentication with Secure Sockets Layer (SSL) encryption to protect user names and passwords being transmitted between client computers and Filtering Service. See Manual Authentication for more information and instructions on activating this feature.