Configure > Security > Access Control > Domains
The Domains tab appears in the Access Control list only if you have enabled Rule-Based Authentication in the Features table on .
Use this tab to create and maintain a list of domains that can be specified in authentication rules. Use the Authentication Rules tab to define authentication rules.
Be sure to set the Global authentication options.
You must configure the Domains list before you configure authentication rules.
If you have never configured rule-based authentication, see Rule-Based Authentication for complete information.
Domains | |
Domain List | An unordered list of domains that have been identified for use in authentication rules. Use the Edit button to change some attributes associated with the domain. Use the Delete or Unjoin button to remove a domain from the list. The domain list is stored in auth_domains.config. |
Domain list: New Domain button | Use the New Domain button to add a domain to the Domains list. The screen is expanded to allow for specification of the domain. |
New Domain action | |
Domain Details: Domain Identifier | Specify a unique name for the domain. The name is used only by Content Gateway; it does not change any attribute of the actual domain or directory. Important: You cannot change the domain identifier after it has been added to the list. To change the name, delete the entry from the list and re-add it with the new name. |
Domain Details: Authentication Method | Specify the authentication method: IWA, Legacy NTLM, or LDAP. Radius is not supported. When you select an authentication method, configuration options specific to that method are added to the page. Important: You cannot change the authentication method after you add the domain to the list. To change the authentication method, delete the entry from the list and re-add the domain specifying the new authentication method. |
Domain Details: Aliasing | Specify an alias to send to the filtering service for all users who match this rule (optional). The alias must be static. It can be empty (blank). The alias must exist in the primary domain controller (the DC visible to the filtering service). See Unknown users and the ‘alias’ option. |
IWA Domain Details | These options are presented when IWA is specified as the authentication method. |
Domain Name | Specify the fully qualified domain name. For example: corp-domain.example.com |
Administrator Name | Specify a Windows Active Directory domain administrator user name. |
Administrator Password | Specify the corresponding domain administrator password. Note: The name and password are used only during the join and are not stored. |
Domain Controller | Specify how to locate the domain controller: If the domain controller is specified by name or IP address, you can also specify backup domain controllers in a comma-separated list. |
Content Gateway Hostname | Specify the Content Gateway hostname. Because IWA uses the hostname as a NetBIOS name when registering with Kerberos, the hostname cannot exceed 15 characters (a NetBIOS restriction), or 11 characters on Forcepoint appliances (the appliance adds 4 characters to the hostname to ensure that it is unique across modules (Doms)). Warning: Once the domain is joined, the hostname cannot be changed. If it is changed, IWA immediately stops working until the domain is unjoined and then rejoined with the new hostname. |
Join Domain | Click Join Domain to join the domain. |
Legacy NTLM Domain Details | |
Domain Controller | Specify the IP address and port number of the primary domain controller (if no port is specified, Content Gateway uses port 139), followed by a comma-separated list of secondary domain controllers to be used for load balancing and failover. |
Load Balance | Select the check box to balance the load across multiple NTLM DCs. Note: When multiple domain controllers are specified, even if load balancing is disabled, new requests are sent to a secondary domain controller when the load on the primary domain controller reaches the maximum number of connections allowed. This is a short-term failover provision that lasts until the primary domain controller can accept new connections. |
LDAP Domain Details | |
LDAP Server Name | Specify the LDAP server name. |
LDAP Server Port | Specify the LDAP server port (optional). The default is 389. |
LDAP Base Distinguished Name | Specify the LDAP Base Distinguished Name. |
LDAP Server Type | Set the search filter to “sAMAccountName (MS AD)” or “userPrincipalName (MS AD)” for Active Directory, or “uid” for other directory services. |
Bind Domain Name | Specify the LDAP bind account distinguished name. For example: CN=John Smith,CN=USERS,DC=MYCOMPANY, DC=COM The field length is limited to 128 characters. If no value is specified, Content Gateway attempts to bind anonymously. |
Bind Password | Specify the LDAP bind account password. |
Secure LDAP | Specify whether Content Gateway will use secure communication with the LDAP server. If enabled, you must set the LDAP port to one of the secure ports: 636 or 3269. |
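The constraints in the table above (supported methods, the 15/11-character IWA hostname limit, the NTLM default port of 139 with comma-separated secondaries, the LDAP default port of 389, the 636/3269 requirement for Secure LDAP, and the 128-character bind DN limit) can be checked before a domain is added. The following is an added example, not Content Gateway's own validation; it uses a plain dict as a constructed stand-in for a domain entry, since the format of auth_domains.config is not documented on this page.

```python
"""Validate a Content Gateway authentication-domain entry against the
limits listed in the Domains table.  Added example; the dict keys are
assumed names, not the real auth_domains.config layout."""

NETBIOS_MAX = 15          # NetBIOS name limit for the IWA hostname
APPLIANCE_MAX = 11        # appliances add 4 characters to the hostname
SECURE_LDAP_PORTS = {636, 3269}
DEFAULT_LDAP_PORT = 389
DEFAULT_NTLM_PORT = 139
BIND_DN_MAX = 128
SUPPORTED_METHODS = ("IWA", "Legacy NTLM", "LDAP")   # Radius is not supported


def parse_dc_list(spec, default_port=DEFAULT_NTLM_PORT):
    """'10.0.0.1:139, 10.0.0.2' -> [('10.0.0.1', 139), ('10.0.0.2', 139)].
    The first entry is the primary DC; the rest are secondaries.  A missing
    port falls back to 139, as the Legacy NTLM Domain Controller row states."""
    dcs = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        host, _, port = item.partition(":")
        dcs.append((host, int(port) if port else default_port))
    return dcs


def validate_domain(entry, on_appliance=False):
    """Return a list of problems; an empty list means the entry is acceptable."""
    problems = []
    method = entry.get("method")
    if method not in SUPPORTED_METHODS:
        problems.append(f"unsupported authentication method: {method!r}")
        return problems
    if method == "IWA":
        limit = APPLIANCE_MAX if on_appliance else NETBIOS_MAX
        if len(entry.get("hostname", "")) > limit:
            problems.append(f"hostname exceeds {limit} characters")
    elif method == "Legacy NTLM":
        if not parse_dc_list(entry.get("dc", "")):
            problems.append("no primary domain controller specified")
    else:  # LDAP
        port = entry.get("port", DEFAULT_LDAP_PORT)
        if entry.get("secure") and port not in SECURE_LDAP_PORTS:
            problems.append(f"secure LDAP requires port 636 or 3269, got {port}")
        if len(entry.get("bind_dn", "")) > BIND_DN_MAX:
            problems.append("bind DN longer than 128 characters")
    return problems
```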