Troubleshooting

When rule-based authentication doesn’t produce the expected results, troubleshoot the problem in the following order:

Steps

  1. Check Redirection Rules
    Confirm that there are no unexpected entries. In the Content Gateway manager, go to Configure > Networking > ARM > General and examine the Redirection Rules.
  2. Check the rules in filter.config
    Confirm that no filter.config rule is matching unexpectedly. Among other purposes, filter.config rules can be used to bypass user authentication. See Content Gateway filtering rules.
  3. Check rule matching

    Using the IP address of a user who is or is not being challenged as expected, walk through each rule, top to bottom, examining the settings to find the first match. Be meticulous in your analysis. A common problem is that the IP address falls within an IP address range that is too broad.

    If the rule uses an alias, confirm that the alias is present in the User Service of the primary domain controller.

    For explicit clients configured to send traffic to a specific port, check both the rule and the configuration of the client’s browser.

  4. Check the domain
    If you are getting the match you expect, verify that the domain is reachable and that the user is a member of the domain. If yes, troubleshoot the problem at the authentication protocol level. For IWA, see Troubleshooting Integrated Windows Authentication.
  5. When Content Gateway is in a proxy chain

    If Content Gateway is a member of a proxy chain, verify that X-Forwarded-For headers are sent by the downstream proxy and read by Content Gateway.

    • Use a packet sniffer to inspect inbound packets from the downstream proxy. Look for properly formed X-Forwarded-For headers.
    • In the Content Gateway manager, go to Configure > My Proxy > Basic, scroll to the bottom of the page and verify that Read authentication from child proxy is enabled. If it’s not, select On, click Apply, and then restart Content Gateway.
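
The walk described in step 3, as an added example (not Forcepoint code): a first-match evaluation over a hand-transcribed rule list that also reports later rules the same client would have matched, which is how a range that is too broad shows up. The rule layout, rule names and addresses are constructed for illustration, and treating a rule with no port as matching any port is an assumption.

```python
import ipaddress

# Constructed rule list in evaluation order (top to bottom). Field names and
# values are hypothetical; transcribe the real ones from the manager by hand.
RULES = [
    {"name": "branch-auth", "sources": ["10.0.0.0-10.255.255.255"], "port": None},
    {"name": "kiosk-noauth", "sources": ["10.20.30.0/24"], "port": None},
    {"name": "explicit-8081", "sources": ["192.168.5.10", "192.168.6.0/24"], "port": 8081},
]


def _covers(source, ip):
    """True if ip is inside source: a single address, a CIDR block, or 'start-end'."""
    if "-" in source:
        start, end = (ipaddress.ip_address(p.strip()) for p in source.split("-", 1))
        return start <= ip <= end
    return ip in ipaddress.ip_network(source, strict=False)


def _matches(rule, ip, port):
    # Assumption: a rule with port None applies to traffic on any port.
    port_ok = rule["port"] is None or rule["port"] == port
    return port_ok and any(_covers(s, ip) for s in rule["sources"])


def walk(rules, client_ip, port):
    """Return (first_match_name, shadowed_names) for one client, top to bottom.

    shadowed_names lists later rules that also match but are never reached;
    a non-empty list usually means an earlier range is too broad.
    """
    ip = ipaddress.ip_address(client_ip)
    hits = [r["name"] for r in rules if _matches(r, ip, port)]
    return (hits[0] if hits else None), hits[1:]


if __name__ == "__main__":
    # Constructed clients: a kiosk, and an explicit client on two ports.
    for client, port in [("10.20.30.7", 8080), ("192.168.6.44", 8081), ("192.168.6.44", 8080)]:
        first, shadowed = walk(RULES, client, port)
        print(f"{client}:{port} -> first match: {first}; matched but never reached: {shadowed}")
```

A result of no first match for an explicit client usually points back to the port check in step 3: compare the port in the rule with the port configured in the client’s browser.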