Multiple realm use case 1: Domain acquired; explicit proxy

This describes a common case in which a second domain is added to an existing, single-domain environment. Content Gateway is an explicit proxy; clients use a PAC file.

An organization—let’s call them Quality Corp—uses a software installation of Content Gateway. They have one domain (QCORP), and one domain controller. They use NTLM to authenticate users.

Quality Corp acquires New Corp, which has its own domain (NCORP) and domain controller. New Corp uses LDAP to authenticate users.

Quality Corp would like to manage the combined employees in a single domain, but they aren’t ready to make the infrastructure changes. Until they are, they would like to have a separate use policy for New Corp users (i.e., not use the “default” user on the QCORP domain).

Rule-based authentication makes this possible.

To configure the solution, Quality Corp would:

Steps

  1. Enable Rule-Based Authentication.
  2. Add a second, non-default HTTP port (Configure > Protocols > HTTP > General). This port will be used by all members of NCORP.
  3. Create a PAC file for members of NCORP that causes them to connect to Content Gateway on the new, second port.
  4. Create authentication rules, one each for the QCORP and NCORP domains:
    1. On Configure > Security > Access Control > Domains, add the QCORP and NCORP domains to the Domains list.

      When adding NCORP, use the Aliasing option to specify “NCorpUser” for use in policy determination.

    2. On Configure > Security > Access Control > Authentication Rules, create an NCORP rule for connections on the second port. You must know the IP addresses/ranges of New Corp users, and specify the NCORP domain.
    3. Define the QCORP rule to handle all other connections.
  5. In the Web module of the Forcepoint Security Manager, add “NCorpUser” to the QCORP domain as a valid user and create a policy for that user.

    At this point, everyone connecting to Content Gateway from NCORP is authenticated against the NCORP domain controller and gets the group policy associated with NCorpUser. Note that no individual user-based policy or features, such as quota time, are possible in this scenario. Transactions are logged as NCorpUser. This is all performed with no effect on the authentication, policy, or logging of users on the QCORP domain.
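The PAC file from step 3, as an added example that is not part of the original documentation: it sends New Corp clients to Content Gateway on the second port so that the NCORP authentication rule (second port plus New Corp IP ranges) matches. The proxy hostname cg.qcorp.example, the port 8081, the internal suffix ncorp.example and the DIRECT exceptions are all assumed for illustration; the page does not give these values.

```javascript
// Example PAC file for New Corp (NCORP) clients. All names and numbers
// below are assumptions for illustration: the Content Gateway host
// "cg.qcorp.example", the second, non-default HTTP port 8081, and the
// internal domain suffix ".ncorp.example".
var NCORP_PROXY = "PROXY cg.qcorp.example:8081";
var INTERNAL_SUFFIX = ".ncorp.example";

function FindProxyForURL(url, host) {
  var h = host.toLowerCase();

  // Single-label names (intranet shares, printers) stay on the LAN.
  if (h.indexOf(".") === -1) {
    return "DIRECT";
  }
  // Loopback and hosts inside the NCORP internal zone never cross the proxy.
  // The suffix check is anchored at the end of the name, so a lookalike such
  // as "x.ncorp.example.com" is still sent through the proxy.
  if (h === "localhost" || h === "127.0.0.1" ||
      (h.length > INTERNAL_SUFFIX.length &&
       h.lastIndexOf(INTERNAL_SUFFIX) === h.length - INTERNAL_SUFFIX.length)) {
    return "DIRECT";
  }
  // Private (RFC 1918) and link-local literal addresses: direct, no DNS lookup.
  if (/^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|169\.254\.)/.test(h)) {
    return "DIRECT";
  }
  // Everything else goes to Content Gateway on the NCORP port. There is
  // deliberately no "; DIRECT" fallback: if the proxy is unreachable the
  // request fails closed instead of bypassing authentication and policy.
  return NCORP_PROXY;
}
```

Serve this file only to New Corp clients (the QCORP PAC file keeps pointing at the default port), since the port is what selects the authentication rule on Content Gateway.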