Content Gateway user authentication

Content Gateway supports several methods of authenticating users before their requests are allowed to proceed. These methods can be used together with Forcepoint Web Security user identification features to provide fallback should user authentication fail or become unavailable.

Important: Configure Content Gateway to use the same directory service that Forcepoint Web Security uses.

In both explicit and transparent proxy modes, Content Gateway supports user authentication with:

  • Integrated Windows Authentication (Kerberos with SPNEGO to NTLM)
  • Legacy NTLM authentication (NTLMSSP)
  • LDAP authentication
  • RADIUS authentication

Content Gateway also supports combinations of Integrated Windows Authentication (IWA), Legacy NTLM, and LDAP using:

  • Rule-Based Authentication

Rule-Based Authentication summary

Rule-Based Authentication is an ordered list of authentication rules. When a request is processed, the list is traversed top to bottom and the first match is applied.

Rules specify:

  1. How to match a client. By:
    • IP address
    • Inbound proxy port (explicit proxy only; do not use port 80)
    • User-Agent value
    • A combination of the above
  2. The domain or ordered list of domains to authenticate against. With a list, the first successful authentication is remembered and used in subsequent authentications for that user.
  3. Whether a customizable web portal page should be used for authentication.

Multiple Realm Networks

Rule-Based Authentication supports multiple realm network structures in which Windows Active Directory domains do not have mutual trust relationships and therefore require that each domain’s members be authenticated by a domain controller within their domain. In this environment rules are created that specify:

  1. Members of the realm (untrusted domain) by IP address or proxy port
  2. The realm (domain) they belong to

Authenticating when domain membership is unknown

Some organizations do not always know what domain a user belongs to. For example, this can happen when organizations are rapidly acquiring new businesses. The unknown domain membership problem can be handled in rule-based authentication by creating a rule (or rules) for IP address lists or ranges that also specifies an ordered list of domains to attempt to authenticate against. The first successful authentication is remembered and used in later authentications.

Authentication based on User-Agent value

One or more User-Agent values can be specified in an authentication rule; often this is a list of browsers. When the User-Agent value matches a rule, authentication is performed against the specified domain(s). If the User-Agent value does not match any rule, and no rule matches on other criteria, no authentication is performed; this is the general behavior whenever no rule matches.
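The following Python model is an added illustration, not Forcepoint's code, of the rule processing described in the Rule-Based Authentication summary, the multiple-realm and unknown-domain sections, and the User-Agent section above: rules are walked top to bottom, the first match wins, the matched rule's domains are tried in order, the first domain that succeeds is remembered for that user, and a request that matches no rule proceeds unauthenticated. The rule and class names, the AND semantics for combined criteria, substring matching of the User-Agent value, trying a remembered domain first, and the DirectoryStub standing in for the domain controllers are all assumptions made for this example.

```python
"""Constructed model of Content Gateway-style Rule-Based Authentication.
Example code, not Forcepoint's implementation: field names, AND semantics for
combined criteria, substring User-Agent matching and the directory stub are
assumptions made for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AuthRule:
    name: str
    ip_ranges: List[str] = field(default_factory=list)    # CIDRs; empty = any client
    proxy_ports: Set[int] = field(default_factory=set)    # inbound ports; empty = any
    user_agents: List[str] = field(default_factory=list)  # substrings; empty = any
    domains: List[str] = field(default_factory=list)      # ordered domains to try
    portal_page: bool = False                             # use the web portal page

    def __post_init__(self) -> None:
        # The page says not to match on inbound port 80, so refuse such a rule.
        if 80 in self.proxy_ports:
            raise ValueError(f"rule {self.name!r}: do not match on inbound port 80")
        if not self.domains:
            raise ValueError(f"rule {self.name!r}: needs at least one domain")

    def matches(self, client_ip: str, proxy_port: int, user_agent: str) -> bool:
        # Every criterion the rule specifies must match (assumed AND semantics);
        # a criterion left empty matches anything.
        addr = ipaddress.ip_address(client_ip)
        if self.ip_ranges and not any(addr in ipaddress.ip_network(c) for c in self.ip_ranges):
            return False
        if self.proxy_ports and proxy_port not in self.proxy_ports:
            return False
        if self.user_agents and not any(ua in user_agent for ua in self.user_agents):
            return False
        return True


@dataclass
class Request:
    client_ip: str
    proxy_port: int
    user_agent: str
    username: str


class DirectoryStub:
    """Constructed stand-in for the domain controllers or LDAP servers a rule queries."""

    def __init__(self, members: Dict[str, Set[str]]) -> None:
        self.members = members
        self.calls: List[Tuple[str, str]] = []  # (domain, user) attempts, for inspection

    def authenticate(self, domain: str, username: str) -> bool:
        self.calls.append((domain, username))
        return username in self.members.get(domain, set())


class RuleBasedAuthenticator:
    def __init__(self, rules: List[AuthRule], directory: DirectoryStub) -> None:
        self.rules = list(rules)              # ordered list: first match wins
        self.directory = directory
        self.remembered: Dict[str, str] = {}  # user -> domain that succeeded earlier

    def first_matching_rule(self, req: Request) -> Optional[AuthRule]:
        for rule in self.rules:
            if rule.matches(req.client_ip, req.proxy_port, req.user_agent):
                return rule
        return None

    def authenticate(self, req: Request) -> Tuple[str, Optional[str]]:
        rule = self.first_matching_rule(req)
        if rule is None:
            return ("no-auth", None)  # no rule matched: request proceeds unauthenticated
        # Assumption: a remembered domain is tried first; if it fails, the rule's
        # ordered list is walked from the top.
        candidates = list(rule.domains)
        remembered = self.remembered.get(req.username)
        if remembered in candidates:
            candidates.remove(remembered)
            candidates.insert(0, remembered)
        for domain in candidates:
            if self.directory.authenticate(domain, req.username):
                self.remembered[req.username] = domain
                return ("authenticated", domain)
        return ("failed", None)


def run_scenarios() -> Tuple[List[Tuple[str, str, Optional[str]]], List[Tuple[str, str]]]:
    """Evaluate constructed requests; returns ((user, outcome, domain) list, directory calls)."""
    # Two domains with no trust relationship between them (constructed data).
    directory = DirectoryStub({"corp.example": {"alice", "dave"}, "acquired.example": {"bob"}})
    rules = [
        AuthRule("corp-realm", ip_ranges=["10.1.0.0/16"], domains=["corp.example"]),
        AuthRule("acquired-realm", proxy_ports={8081}, domains=["acquired.example"]),
        AuthRule("unknown-domain", ip_ranges=["10.2.0.0/16"],
                 domains=["corp.example", "acquired.example"]),
        AuthRule("browsers", user_agents=["Mozilla/"], domains=["corp.example"]),
    ]
    auth = RuleBasedAuthenticator(rules, directory)
    requests = [
        Request("10.1.5.5", 8080, "Mozilla/5.0", "alice"),    # corp-realm by IP
        Request("10.1.5.6", 8081, "Mozilla/5.0", "bob"),      # corp-realm matches first; port rule never reached
        Request("10.2.1.1", 8080, "curl/8.4", "bob"),         # unknown-domain: second domain succeeds
        Request("10.2.1.1", 8080, "curl/8.4", "bob"),         # remembered domain tried first
        Request("192.168.1.1", 8080, "Mozilla/5.0", "dave"),  # browsers rule by User-Agent
        Request("192.168.1.1", 8080, "curl/8.4", "carol"),    # no rule matches: no authentication
    ]
    results = [(r.username, *auth.authenticate(r)) for r in requests]
    return results, directory.calls


if __name__ == "__main__":
    for user, outcome, domain in run_scenarios()[0]:
        print(f"{user:6} {outcome:14} {domain}")
```

The second request shows why rule order matters: the IP-based corp-realm rule sits above the port-based acquired-realm rule and has no port criterion, so a client on the acquired realm's port is still sent to corp.example and fails. The directory call list returned alongside the results shows the remembered-domain behaviour: bob's fourth request costs one lookup against acquired.example instead of two.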