Configuring end-user authentication with firewall redirect

Two types of user authentication are supported for firewall redirect: NTLM and basic authentication.
  • NTLM identification is seamless, and uses the end user’s NTLM credentials to identify them to the service.
  • Basic (manual) authentication uses the end user’s email address and password. Users receive an authentication prompt when they attempt to navigate to a website.
    Note: Authentication is an account-level setting which is applied to all users. You cannot disable authentication for one set of users (for example, on a guest network), while enabling it for others.

To enable authentication:

Steps

  1. Navigate to the Web > Policies page in the cloud portal and select a policy.
  2. Select the Access Control tab for the policy, and select Always authenticate users on the first access.

  3. If you are using SSL decryption, also navigate to the Web > Block & Notification Pages page and mark the Use Forcepoint LLC certificate to serve... check box. You must also install the Forcepoint root certificate on all end user machines in your environment to enable SSL decryption and allow the authentication page and block pages to be displayed for HTTPS sites.

    If this setting is not enabled:
    • Users accessing HTTPS sites are allowed to browse anonymously.
    • When a user navigates to a blocked URL, the connection is closed, with no block page displayed.
  4. Add the following URLs to the local intranet zone in users’ browsers:
    http://proxy-login.blackspider.com
    https://ssl-proxy-login.blackspider.com
    You must add the URL proxy-login.blackspider.com to the registry locations listed below to ensure that this site is excluded from Chrome HTTPS upgrades:
    • Registry key for Edge: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\HttpAllowlist
    • Registry key for Chrome: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\HttpAllowlist

    For information on how to do this for various browsers, see the knowledge base article Configuring browsers for NTLM identification.
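
One way to script the registry part of step 4 on a Windows machine, as an added example that is not Forcepoint's own tooling. It assumes an elevated PowerShell session; the hostname and keys are those listed in step 4, and the function name Add-HttpAllowlistEntry is hypothetical.

```powershell
# Added example: idempotently add the login host to the HttpAllowlist policy
# for Edge and Chrome. Run from an elevated PowerShell session.
$HostName   = 'proxy-login.blackspider.com'
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\HttpAllowlist',
    'HKLM:\SOFTWARE\Policies\Google\Chrome\HttpAllowlist'
)

function Add-HttpAllowlistEntry {   # hypothetical helper name
    param([string]$KeyPath, [string]$Entry)

    # Create the policy key (and any missing parents) if it does not exist yet.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }

    # List policies are stored as string values named 1, 2, 3, ...
    $key   = Get-Item -LiteralPath $KeyPath
    $names = @($key.GetValueNames() | Where-Object { $_ -match '^\d+$' })

    # Leave the key untouched if the host is already listed.
    foreach ($name in $names) {
        if ($key.GetValue($name) -eq $Entry) {
            return "present: $KeyPath\$name"
        }
    }

    # Append under the next free index so existing entries are preserved.
    $next = 1
    if ($names.Count -gt 0) {
        $max  = ($names | ForEach-Object { [int]$_ } | Measure-Object -Maximum).Maximum
        $next = [int]$max + 1
    }
    New-ItemProperty -LiteralPath $KeyPath -Name "$next" -Value $Entry -PropertyType String | Out-Null
    return "added:   $KeyPath\$next"
}

foreach ($k in $PolicyKeys) {
    Add-HttpAllowlistEntry -KeyPath $k -Entry $HostName
}
```

On domain-joined machines these policy keys are normally populated through Group Policy, which can overwrite local changes at the next policy refresh, so the same entry should also be set in the relevant GPO.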