Troubleshooting

Confirm that there is no unexpected entries. In the Content Gateway manager, go to Configure > Networking > ARM > General and examine the Redirection Rules.

Confirm that there is no unexpected matching of a filter.config rule. Among other purposes, filter.config rules can be used to bypass user authentication. See Content Gateway filtering rules.

Using the IP address of a user who is or is not being challenged as expected, walk through each rule, top to bottom, examining the settings to find the first match. Be meticulous in your analysis. A common problem is that the IP address falls within a too-broad IP address range.

If the rule uses an alias, confirm that the alias is present in the User Service of the primary domain controller.

For explicit clients configured to send traffic to a specific port, check both the rule and the configuration of the client’s browser.

If you are getting the match you expect, verify that the domain is reachable and that the user is a member of the domain. If yes, troubleshoot the problem at the authentication protocol level. For IWA, see Troubleshooting Integrated Windows Authentication.

If Content Gateway is a member of a proxy chain, verify that X-Forwarded-For headers are sent by the downstream proxy and read by Content Gateway.

• Use a packet sniffer to inspect inbound packets from the downstream proxy. Look for properly formed X-Forwarded-For headers.
• In the Content Gateway manager, go to Configure > My Proxy > Basic, scroll to the bottom of the page and verify that Read authentication from child proxy is enabled. If it’s not, select On, click Apply, and then restart Content Gateway.