Multiple realm use case 2: Internal domain added; explicit proxy

This describes a common case in which a second domain is added to an existing, single-domain environment. Content Gateway is an explicit proxy; clients use a PAC file.

An organization—let’s call it BigStars—uses a software installation of Content Gateway. They have one domain (BIG), and one domain controller. They use NTLM to authenticate users.

A group in the company converts to Apple computers, which can’t be authenticated with NTLM. The IT group installs an LDAP server and creates a new domain—BIGAPL—for the Apple users.

Because this group of users previously existed and was managed on the primary domain (BIG), the IT department expects that both user-based policy and logging still apply.

The Rule-Based Authentication feature makes this possible.

To configure the solution, BigStars would:

Steps

  1. Verify that every user in BIGAPL is also in BIG with the exact same user name.
  2. Enable Rule-Based Authentication.
  3. Add a second, non-default HTTP port (Configure > Protocols > HTTP). This port will be used by all members of BIGAPL.
  4. Create a PAC file for members of BIGAPL that causes them to connect to Content Gateway on the new, second port.
  5. Create authentication rules, one each for the BIGAPL and BIG domains.
    1. On Configure > Security > Access Control > Domains, add the BIGAPL and BIG domains to the Domains list.
    2. On Configure > Security > Access Control > Authentication Rules, create a BIGAPL rule for connections on the second port.
    3. Define the BIG rule to handle all other connections.

At this point, all members of BIGAPL are authenticated with LDAP but retain the individual policy assigned to their existing NTLM identities. Logs and reports also refer to that same user.
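The PAC file from step 4, written out as an added example (not from the product documentation): it sends every BIGAPL client to Content Gateway on the second HTTP port, with only unqualified and internal hostnames going direct. The proxy hostname proxy.bigstars.example, the second port 8081 and the internal suffix .bigstars.local are assumed values; substitute the ones configured in step 3.

```javascript
// Constructed PAC file for members of the BIGAPL domain.
// Assumed values: Content Gateway host, the second (non-default) HTTP port
// added under Configure > Protocols > HTTP, and the internal DNS suffix.
var CONTENT_GATEWAY_HOST = "proxy.bigstars.example";
var BIGAPL_HTTP_PORT = 8081;
var INTERNAL_SUFFIX = ".bigstars.local";

// Internal destinations bypass the proxy: plain (dot-less) names,
// loopback, and anything under the internal DNS suffix.
// Only plain string operations are used, so the logic is identical in
// every PAC engine and can also be exercised outside a browser.
function isInternalHost(host) {
  var h = host.toLowerCase();
  if (h.indexOf(".") === -1) {
    return true; // e.g. "intranet"
  }
  if (h === "localhost" || h === "127.0.0.1") {
    return true;
  }
  var tail = h.slice(h.length - INTERNAL_SUFFIX.length);
  return tail === INTERNAL_SUFFIX;
}

// Entry point every PAC engine calls for each request.
// No "; DIRECT" fallback is appended after the PROXY directive: if the
// proxy is unreachable the request fails rather than silently leaving
// the network without authentication, policy or logging.
function FindProxyForURL(url, host) {
  if (isInternalHost(host)) {
    return "DIRECT";
  }
  return "PROXY " + CONTENT_GATEWAY_HOST + ":" + BIGAPL_HTTP_PORT;
}
```

Members of BIG keep their existing PAC file pointing at the default port, which is what lets the BIG rule from step 5 catch "all other connections".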