Configure > Security > Access Control > Domains

The Domains tab appears in the Access Control list only if you have enabled Rule-Based Authentication in the Features table on Configure > My Proxy > Basic > General.

Use this tab to create and maintain a list of domains that can be specified in authentication rules. Use the Authentication Rules tab to define authentication rules.

Be sure to set the Global authentication options.

Important: You must configure the Domains list before you configure authentication rules.

If you have never configured rule-based authentication, see Rule-Based Authentication for complete information.

Domains
Domain List

An unordered list of domains that have been identified for use in authentication rules.

Use the Edit button to change some attributes associated with the domain.

Use the Delete or Unjoin button to remove a domain from the list.

The domain list is stored in auth_domains.config.

Domain list: New Domain button

Use the New Domain button to add a domain to the Domains list. The page expands to show the fields needed to specify the domain.
Domain Details: Domain Identifier

Specify a unique name for the domain. The name is used only by Content Gateway; it does not change any attribute of the actual domain or directory.

Important: You cannot change the domain identifier after it has been added to the list. To change the name, delete the entry from the list and re-add it with the new name.
Domain Details: Authentication Method

Specify the authentication method: IWA, Legacy NTLM, or LDAP. Radius is not supported.

When you select an authentication method, configuration options specific to that method are added to the page.

Important: You cannot change the authentication method after you add the domain to the list. To change the authentication method, delete the entry from the list and re-add the domain specifying the new authentication method.
Domain Details: Aliasing

Specify an alias to send to the filtering service for all users who match this rule (optional). The alias must be static. It can be empty (blank). The alias must exist in the primary domain controller (the DC visible to the filtering service). See Unknown users and the ‘alias’ option.
IWA Domain Details

These options are presented when IWA is specified as the authentication method.

Domain Name

Specify the fully qualified domain name. For example: corp-domain.example.com

Administrator Name

Specify a Windows Active Directory domain administrator user name.
Administrator Password

Specify the corresponding domain administrator password.

Note: The name and password are used only during the join and are not stored.
Domain Controller

Specify how to locate the domain controller:

  • Auto-detect using DNS
  • DC name or IP address

If the domain controller is specified by name or IP address, you can also specify backup domain controllers in a comma separated list.

Content Gateway Hostname

Specify the Content Gateway hostname.

Because IWA uses the hostname as a NetBIOS name when registering with Kerberos, the hostname cannot exceed 15 characters in length (a NetBIOS restriction). On Forcepoint appliances the limit is 11 characters, because the appliance appends 4 characters to the hostname to keep it unique across modules.

Warning: Once the domain is joined the hostname cannot be changed. If it is, IWA will immediately stop working until the domain is unjoined and then rejoined with the new hostname.
Join Domain

Click Join Domain to join the domain.
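Because the hostname cannot be changed once the domain is joined, it is worth validating it against the limits above before clicking Join Domain. The following is an added example (not Content Gateway code) that applies the 15-character NetBIOS limit, the 11-character appliance limit, and the usual hostname label rules to the first label of the configured name; the function name and the sample hostnames are assumptions for illustration.

```python
import re

# Limits from the IWA domain details above: NetBIOS names are at most 15
# characters, and a Forcepoint appliance appends 4 characters to the hostname.
NETBIOS_MAX_LEN = 15
APPLIANCE_SUFFIX_LEN = 4

# Hostname label rule (RFC 952/1123): letters, digits and hyphens, with no
# leading or trailing hyphen. This also excludes the punctuation NetBIOS rejects.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def check_iwa_hostname(hostname: str, appliance: bool = False) -> tuple[bool, str]:
    """Return (ok, reason) for a Content Gateway hostname before the domain join.

    Only the first label of a fully qualified name becomes the NetBIOS name,
    so that is the part measured against the limit.
    """
    label = hostname.strip().split(".", 1)[0]
    limit = NETBIOS_MAX_LEN - (APPLIANCE_SUFFIX_LEN if appliance else 0)
    if not label:
        return False, "hostname is empty"
    if not _LABEL_RE.match(label):
        return False, f"'{label}' is not a valid hostname label"
    if len(label) > limit:
        return False, f"'{label}' is {len(label)} characters; the limit is {limit}"
    return True, f"'{label}' ({len(label)} characters) fits the {limit}-character limit"


if __name__ == "__main__":
    # Constructed sample names: one FQDN, one that is too long, one on an appliance.
    for name, on_appliance in [
        ("cg-proxy1.corp-domain.example.com", False),
        ("contentgateway01", False),
        ("cg-module-a1", True),
    ]:
        ok, reason = check_iwa_hostname(name, appliance=on_appliance)
        print("OK  " if ok else "FAIL", reason)
```

Run the check on the exact value you intend to enter in the Content Gateway Hostname field; if it fails, rename the host before joining rather than after, since a rename afterwards breaks IWA until the domain is unjoined and rejoined.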
Legacy NTLM Domain Details

Domain Controller

Specify the IP address and port number of the primary domain controller (if no port is specified, Content Gateway uses port 139), followed by a comma-separated list of secondary domain controllers to be used for load balancing and failover.
Load Balance

Select the check box to balance the load across multiple NTLM DCs.

Note: When multiple domain controllers are specified, new requests are sent to a secondary domain controller whenever the primary domain controller reaches the maximum number of connections allowed, even if load balancing is disabled. This is a short-term failover provision: requests return to the primary domain controller as soon as it can accept new connections again.
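The note above describes two distinct behaviours for the same domain controller list: load balancing spreads requests across all DCs, while the failover provision only moves requests off the primary when it is full. The following added example (not Content Gateway code) parses a list in the form described, applying the port 139 default, and simulates both selection modes so the difference is visible. The host:port notation, round-robin as the load-balancing method, and the connection limit are assumptions for illustration; the page does not state how Content Gateway distributes load.

```python
from dataclasses import dataclass
import itertools

DEFAULT_NTLM_PORT = 139  # used for any controller listed without a port


@dataclass
class DomainController:
    host: str
    port: int
    max_connections: int
    active: int = 0

    def has_capacity(self) -> bool:
        return self.active < self.max_connections


def parse_dc_list(spec: str, max_connections: int) -> list[DomainController]:
    """Parse 'host[:port],host[:port],...'; the first entry is the primary DC.

    The host:port notation is assumed here; IPv4 addresses or hostnames only.
    """
    controllers = []
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        host, sep, port = entry.rpartition(":")
        if sep:
            controllers.append(DomainController(host, int(port), max_connections))
        else:
            controllers.append(DomainController(entry, DEFAULT_NTLM_PORT, max_connections))
    if not controllers:
        raise ValueError("at least one domain controller is required")
    return controllers


class DcSelector:
    def __init__(self, controllers: list[DomainController], load_balance: bool):
        self.controllers = controllers
        self.load_balance = load_balance
        self._rr = itertools.cycle(range(len(controllers)))  # assumed round-robin

    def pick(self) -> DomainController:
        """Choose a DC for a new request following the documented behaviour."""
        if self.load_balance:
            # Spread requests across every controller that still has capacity.
            for _ in range(len(self.controllers)):
                dc = self.controllers[next(self._rr)]
                if dc.has_capacity():
                    return dc
        else:
            # No load balancing: the primary takes every request; a secondary is
            # used only while the primary is at its connection limit.
            for dc in self.controllers:
                if dc.has_capacity():
                    return dc
        raise RuntimeError("all domain controllers are at their connection limit")


def simulate(spec: str, max_connections: int, load_balance: bool, requests: int) -> list[str]:
    """Return the host chosen for each of `requests` connections that are never released."""
    selector = DcSelector(parse_dc_list(spec, max_connections), load_balance)
    chosen = []
    for _ in range(requests):
        dc = selector.pick()
        dc.active += 1
        chosen.append(dc.host)
    return chosen


if __name__ == "__main__":
    # Constructed list: primary with explicit port, one secondary using the default.
    dcs = "10.0.0.5:139, 10.0.0.6"
    print("failover only :", simulate(dcs, max_connections=2, load_balance=False, requests=3))
    print("load balanced :", simulate(dcs, max_connections=2, load_balance=True, requests=3))
```

With load balancing off, the third request lands on the secondary only because the primary has hit its limit; with it on, the secondary takes traffic from the start. If your secondary DCs are in another site, that difference decides whether NTLM authentication normally crosses a WAN link.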
LDAP Domain Details

LDAP Server Name

Specify the LDAP server name.

LDAP Server Port

Specify the LDAP server port (optional). The default is 389.

LDAP Base Distinguished Name

Specify the LDAP base distinguished name.

LDAP Server Type

Set the search filter to “sAMAccountName (MS AD)” or “userPrincipalName (MS AD)” for Active Directory, or “uid” for other directory services.
Bind Domain Name

Specify the LDAP bind account distinguished name. For example:

CN=John Smith,CN=USERS,DC=MYCOMPANY,DC=COM

The field length is limited to 128 characters.

If no value is specified, Content Gateway attempts to bind anonymously. Note that Active Directory does not permit anonymous searches by default, so a bind account is normally required when the server type is one of the MS AD options.

Bind Password Specify the LDAP bind account password.
Secure LDAP

Specify whether Content Gateway will use secure communication with the LDAP server.

If enabled, you must set the LDAP port to one of the secure ports: 636 (LDAPS) or 3269 (Global Catalog over SSL).