Configure > Security > Access Control > Authentication Rules

Updates the table to display the current rules in the auth_rules.config file.

Opens the authentication rule editor.

Lists, in order, the current rule set. When user authentication is performed, the list is traversed, top- down and the first match is applied.

Select a rule to edit it.

The arrows to the left of the box allow you to move the selected rule up or down in the list.

The “X” button deletes the selected rule. Rules cannot be more than 2048 characters.

Specifies whether the rule is enabled (active) or disabled after the rule is saved and Content Gateway is restarted.

You can create a rule and not enable it until other elements of your network are ready to support it.

Specifies IP addresses or IP address ranges for this rule (must be entered without any spaces).

Example: 10.1.1.1 or 0.0.0.0-255.255.255.255 or

10.1.1.1,20.2.2.2,3.0.0.0-3.255.255.255

The comma separated list can contain up to:

• 64 IPv4 addresses
• 32 IPv4 address ranges
• 24 IPv6 addresses
• 12 IPv6 address ranges

Specifies the inbound port for traffic when Content Gateway is deployed as an explicit proxy. If undefined, all ports match, as configured on Configure > Protocols > HTTP > General.

Transparent proxy deployment should leave this field undefined.

Specifies 1 or more regular expressions used to match text in the User-Agent string, for example to match common browsers.

Regexes must be POSIX-compliant. The “^” operator is not supported.

When the field is empty, all User-Agent values match. You can edit the field directly.

To insert a predefined regex for a common browser, select it from the drop down list and click Add.

Multiple regexes can be specified. Use the “|” character to separate entries (logical ‘or’).

Click Enabled to enable client certificate authentication.

Select Use the next selected authentication method if Client Certificate authentication fails to use one of the other authentication methods if certificate authentication fails for a user.

See Client certificate authentication for details.

Specifies 1 or more domains to use for authentication.

Select a domain from the Domains drop down list (populated from the Domains List), and click Include to add it to the list.

If you add more than one domain, you can set the order by selecting an entry and using the up and down arrows. You can delete a selected domain with the “X” button.

Best practice: If you know what domain a set of users belongs to, create a rule just for that group.

Best practice: Place the rule with the largest number of users authenticating with known domain membership at the top of the list. These are the fastest authentications.

Best practice: If you don’t know what domain a set of users belongs to, specify the fewest number of domains needed to authenticate the users in the set.

Best practice: It is always better to create targeted rules because attempting to authenticate against a large set of domains can introduce noticeable latency.

When user authentication is rule-based with a domain list:

• For each user, the first successful authentication is cached and used in subsequent authentications. If IP address caching is configured, an IP address surrogate is cached. If Cookie Mode is configured, a cookie surrogate is cached.

For Fail Open:

• If Enabled only for critical service failures is selected, the fail open setting is not applied. The user continues to be prompted for credentials until there is a timeout.
• If Enabled for all authentication failures, including incorrect password is selected, after trying basic credentials with every domain in the list, fail open is applied.

Click Enabled for HTTPS/HTTP Authentication page to redirect users to a customizable web portal page for authentication.

See Authentication using Captive Portal for details.

Applies the configuration changes.