Multiple realm use case 3: Temporary domain added; transparent proxy

This describes a common case in which a second, special-purpose domain is added to an existing, single-domain environment. Content Gateway is a transparent proxy using WCCP v2.

An organization—let’s call it Creative Corp—uses a software installation of Content Gateway. They have one domain (CCORP), and one domain controller. They use NTLM to authenticate users.

Creative Corp is about to launch a new product and wants to make a big splash. They decide to have an open house complete with kiosks, demonstrations, and presenters. The kiosks only need the default Internet policy to properly demonstrate the new product. The IT manager wants to keep the kiosk network as walled off from the corporate intranet as possible. In this scenario, logging individual users isn’t a requirement.

The Rule-Based Authentication feature makes this possible.

To configure the solution, Creative Corp would:

Steps

  1. Build a new, temporary network complete with its own domain controller. Let’s call this domain CTEMP.
  2. Add one or more users to CTEMP. They can either match one-to-one with existing users on the primary domain, or be one or more generic users for use by the presenters.
  3. Redirect Internet traffic on CTEMP to Content Gateway with WCCP v2.
  4. Enable Rule-Based Authentication.
  5. Create authentication rules, one each for the CTEMP and CCORP domains:
    1. On Configure > Security > Access Control > Domains, add the CTEMP domain, enable Aliasing, and leave the name field blank. With a blank alias name, every CTEMP user is mapped to the Default policy rather than to an individual identity.
    2. Add the CCORP domain to the Domains list.
    3. On Configure > Security > Access Control > Authentication Rules, create a CTEMP rule to apply to all connections coming from the IP address range assigned to the CTEMP domain.
    4. Define the CCORP rule to handle all other connections.

    At this point, anyone using the Internet on one of the kiosks is authenticated against the CTEMP network and has the Default policy applied to their requests.
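To sanity-check the rule ordering before go-live, the following added example (not part of the Content Gateway documentation or product) models the two rules from step 5 as first-match rule evaluation and flags any kiosk address that would fall through to the CCORP rule. The kiosk IP range, rule names and first-match semantics are assumptions for illustration; the product's own rule engine is not reproduced here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuthRule:
    name: str
    domain: str
    source: Optional[ipaddress.IPv4Network]  # None = matches any client address
    alias: Optional[str] = None  # "" = Aliasing on with blank name (Default policy)


# Constructed rule set mirroring the page: the CTEMP rule is scoped to the
# kiosk range (assumed placeholder 10.99.0.0/24), CCORP is the catch-all.
RULES = [
    AuthRule("CTEMP-kiosks", "CTEMP", ipaddress.ip_network("10.99.0.0/24"), alias=""),
    AuthRule("CCORP-everything-else", "CCORP", None),
]


def match_rule(client_ip: str, rules=RULES) -> AuthRule:
    """Return the first rule whose source range contains the client (assumed semantics)."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if rule.source is None or ip in rule.source:
            return rule
    raise LookupError(f"no authentication rule matches {client_ip}")


def resolve(client_ip: str, user: str, rules=RULES) -> dict:
    """Which domain a connection authenticates against and which policy applies."""
    rule = match_rule(client_ip, rules)
    if rule.alias is not None:
        # Aliasing with a blank name: the user identity collapses to the Default policy.
        return {"domain": rule.domain, "principal": rule.alias or "Default", "policy": "Default"}
    return {"domain": rule.domain, "principal": f"{rule.domain}\\{user}", "policy": "per-user"}


def check_kiosk_isolation(kiosk_range: str, rules=RULES) -> list:
    """List kiosk addresses that would be authenticated by a non-CTEMP rule."""
    leaks = []
    for host in ipaddress.ip_network(kiosk_range).hosts():
        if match_rule(str(host), rules).domain != "CTEMP":
            leaks.append(str(host))
    return leaks
```

Reversing the two rules puts the catch-all first, and `check_kiosk_isolation` then reports every kiosk address as leaking to CCORP, which is the misconfiguration the ordering in step 5 is meant to avoid.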