Configure > Security > Access Control > Global Configuration Options
Use this page to specify global options for:
- The fail open/fail closed action to take when user authentication fails
- Credential caching
- For transparent proxy, an alternate hostname for the proxy that all clients on the network can resolve. Required.
- Cookie sharing
For more information, see Global authentication options.
Global Configuration Options
Fail Open
- Disabled – Prevents requests from proceeding to the Internet when an authentication failure occurs.
- Enabled only for critical service failures (default) – Allows requests to proceed if authentication fails because there is no response from the domain controller or because the client is sending badly formatted messages.
- Enabled for all authentication failures – Allows requests to proceed for all authentication failures, including password failures. Note that with this setting a request that failed on a wrong password still reaches the Internet, under an IP-based or Default policy rather than a user-based one, so choose it only where availability matters more than user-level policy enforcement.
When a fail open setting is enabled, if a Forcepoint Web Security transparent user identification agent is configured, an attempt is made to identify the requester and apply user-based policy. Otherwise, if a policy has been assigned to the client's IP address, that policy is applied. Otherwise, the Default policy is applied.
Important: When user authentication is rule-based with a domain list, the Fail Open setting does not apply when IWA is the authentication method and the client fails to retrieve a Kerberos ticket from the domain controller (DC) because the DC is down. The Fail Open setting does apply with IWA when IWA falls back to NTLM and authentication fails.
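The decision procedure described above, written out as an added example (it is not Content Gateway code; the enum and field names, the `identify_user` callback standing in for the transparent user identification agent, and the `ip_policies` mapping are illustrative). It encodes the three Fail Open settings, the fallback order user policy > IP policy > Default, and the Important note about Kerberos ticket failures under rule-based authentication with a domain list:

```python
"""Fail Open decision logic modelled after the Global Configuration Options page.
Added example; not product code. Names are illustrative assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional


class FailOpen(Enum):
    DISABLED = "Disabled"
    CRITICAL_ONLY = "Enabled only for critical service failures"   # product default
    ALL = "Enabled for all authentication failures"


class Failure(Enum):
    DC_NO_RESPONSE = "no response from the domain controller"
    MALFORMED_MESSAGE = "client sent badly formatted messages"
    BAD_PASSWORD = "password failure"
    KERBEROS_TICKET_DC_DOWN = "client could not retrieve a Kerberos ticket, DC down"


# The page names the first two as critical service failures. Treating a Kerberos ticket
# failure caused by a down DC as critical outside the rule-based case is an assumption.
CRITICAL_SERVICE_FAILURES = {
    Failure.DC_NO_RESPONSE, Failure.MALFORMED_MESSAGE, Failure.KERBEROS_TICKET_DC_DOWN,
}


@dataclass
class AuthFailure:
    client_ip: str
    failure: Failure
    method: str = "IWA"                 # e.g. "IWA", "LDAP", "Legacy NTLM"
    rule_based_domain_list: bool = False
    iwa_protocol: str = "Kerberos"      # "NTLM" once IWA has fallen back to NTLM


@dataclass
class Decision:
    proceed: bool
    policy: Optional[str]               # None when the request is blocked


def fail_open_applies(event: AuthFailure, setting: FailOpen) -> bool:
    """Does the configured Fail Open setting let this failed request proceed?"""
    if setting is FailOpen.DISABLED:
        return False
    # Important note on the page: rule-based auth with a domain list, IWA over Kerberos,
    # ticket not retrieved because the DC is down -> Fail Open does not apply. A failure
    # after IWA fell back to NTLM goes through the normal rules below.
    if (event.rule_based_domain_list and event.method == "IWA"
            and event.iwa_protocol == "Kerberos"
            and event.failure is Failure.KERBEROS_TICKET_DC_DOWN):
        return False
    if setting is FailOpen.ALL:
        return True
    return event.failure in CRITICAL_SERVICE_FAILURES


def decide(event: AuthFailure, setting: FailOpen, ip_policies: Dict[str, str],
           identify_user: Optional[Callable[[str], Optional[str]]] = None,
           default_policy: str = "Default") -> Decision:
    """Block, or pick the policy in the order the page gives: user, IP, then Default."""
    if not fail_open_applies(event, setting):
        return Decision(False, None)
    if identify_user is not None:                       # transparent identification agent configured
        user = identify_user(event.client_ip)
        if user:
            return Decision(True, f"user-policy:{user}")
    ip_policy = ip_policies.get(event.client_ip)        # policy assigned to the client IP
    if ip_policy:
        return Decision(True, ip_policy)
    return Decision(True, default_policy)


if __name__ == "__main__":
    ev = AuthFailure("10.0.0.7", Failure.BAD_PASSWORD)
    for setting in FailOpen:
        print(setting.value, "->", decide(ev, setting, {"10.0.0.7": "Finance"}))
```

The last case worth noting when reading the output: under "Enabled for all authentication failures", a wrong-password request proceeds under the IP policy assigned to 10.0.0.7, not under the failed user's own policy.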
Credential Caching: Caching Method
- Cache using IP address only – All credentials are cached with IP address surrogates. This is the recommended method when all clients have unique IP addresses. With IP surrogates, every client behind a shared address is treated as whichever user authenticated first from that address, so this method is not safe where addresses are shared.
- Cache using Cookies only – All credentials are cached with cookie surrogates. This is recommended when all clients share IP addresses, as with multi-host servers such as Citrix servers, or when traffic is NATed by a device that is forwarding traffic to Content Gateway.
- Cache using both IP addresses and Cookies – Uses cookie surrogates for the IP addresses listed in the cookie caching list, and IP address surrogates for all other IP addresses. This is recommended when the network has a mix of clients, some with unique IP addresses and some using multi-user hosts or subject to NATing. The cookie caching list is a comma separated list that can contain up to:
For a description of surrogate credentials, see Surrogate credentials.
Credential Caching: Time-To-Live
Specifies the duration, in minutes, that an entry in the cache is retained. When the TTL expires, the entry is removed, and the next time the user submits a request the user must authenticate again. If the authentication succeeds, a new entry is placed in the cache.
Cookie Expiration
Specifies whether a user is allowed to re-access the system without authenticating again until the cookie is no longer valid. When enabled, cookies expire when the user ends a session.
Purge LDAP cache on authentication failure
Specifies that when an LDAP user authentication failure occurs, Content Gateway deletes the authorization record for that client from the LDAP cache.
Redirect Hostname
For transparent proxy, specifies an alternate hostname for the proxy that all clients on the network can resolve. Required. Valid characters for Redirect Hostname are A-Z, a-z, 0-9, - (hyphen) and . (period). For complete information, see Redirect Options.
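A pre-flight check for the Redirect Hostname value, added as an example (not part of the product or the page). It enforces the page's character set and, going slightly beyond it, the usual DNS label rules (no leading or trailing hyphen, labels of at most 63 characters, 253 overall), then optionally confirms the name resolves through a caller-supplied resolver; the function names and the `resolve` callback are this example's own.

```python
"""Validate a Redirect Hostname and optionally check that it resolves.
Added example; not product code. Function names are illustrative."""
import re
from typing import Callable, List, Optional

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, 1-63 characters.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def redirect_hostname_errors(hostname: str,
                             resolve: Optional[Callable[[str], List[str]]] = None) -> List[str]:
    """Return a list of problems with the value; an empty list means it is acceptable."""
    if not hostname:
        return ["Redirect Hostname is required for transparent proxy"]
    errors: List[str] = []
    # The page's allowed characters: A-Z, a-z, 0-9, hyphen and period.
    bad = sorted({ch for ch in hostname if not (ch.isascii() and (ch.isalnum() or ch in "-."))})
    if bad:
        errors.append("invalid characters (only A-Z, a-z, 0-9, - and . allowed): " + "".join(bad))
    if len(hostname) > 253:
        errors.append("hostname longer than 253 characters")
    for label in hostname.split("."):
        if not _LABEL.match(label):
            errors.append(f"invalid DNS label {label!r}")
    # Resolvability check only once the syntax is clean; resolve() returns a list of addresses
    # or raises OSError, like socket.gethostbyname_ex does.
    if resolve is not None and not errors:
        try:
            addresses = resolve(hostname)
        except OSError as exc:
            errors.append(f"does not resolve: {exc}")
        else:
            if not addresses:
                errors.append("does not resolve")
    return errors


def resolve_with_system_dns(hostname: str) -> List[str]:
    """Resolver backed by the local stub resolver (needs network; not used by the tests)."""
    import socket
    return socket.gethostbyname_ex(hostname)[2]


if __name__ == "__main__":
    for candidate in ["proxy.example.com", "proxy_1.example.com", "-proxy.example.com", ""]:
        print(repr(candidate), "->", redirect_hostname_errors(candidate) or "ok")
```

Because the page's requirement is that every client can resolve the name, a successful lookup from the proxy host itself is only a partial check; run the resolver-backed call from a machine in each client subnet, or against each DNS view the clients use.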
Cookie Sharing
When cookie caching is enabled, cookie surrogates can be shared across all nodes in a cluster. Select and import both the private and public keys, and then make a backup of them. When used with load balancing, the entry in Redirect Hostname must be the FQDN of the load balancer.
Note: For more information, see Cookie Sharing.