Adding custom authentication rules for the hybrid service

Use the Custom Authentication > Add Custom Authentication Rule page to define one or more user agents, domains, or URLs that are failing to authenticate with the hybrid service.

Steps

  1. Enter a Name for the rule. The name must be between 1 and 50 characters long, and cannot include any of the following characters:

    * < > { } ~ ! $ % & @ # . " | \ & + = ? / ; : ,

    Names can include spaces, dashes, and apostrophes.

  2. Define the User agents, if any, for the rule:
    • To match against all user agent strings, select All user agents. You might do this to set up a custom rule that applies to all browsers on all operating systems in your organization.
    • If the application does not send a user agent string to the Internet, select No user agent header sent.

      This option matches against all applications that do not send a user agent. In this case, refine the rule by entering one or more URLs or domains in the Destinations field.

    • To apply the custom authentication to one or more user agents, select Custom user agents. Enter each user agent on a separate line. Use the asterisk wildcard to match one line to multiple user agent strings, for example Mozilla/5.0*.
      Note: If you are creating a new rule directly from the User Agents by Volume report, the user agents you selected in the report are already entered in this field.
  3. Define the URLs or domains (if any) for the rule in the Destinations field:
    • To match against all URLs and domains, select All destinations. You might want to do this if you are setting up a custom rule that applies to a specific user agent that accesses multiple sites.
    • To apply the custom authentication to one or more specific domains or URLs, select Custom destinations. Enter each URL or domain on a separate line.

      URLs must include the protocol portion (http://) at the beginning and a forward slash (/) at the end (for example, http://www.google.com/). If these elements are not present, the string is treated as a domain. Domains cannot include a forward slash at the end (for example, mydomain.com).

      Use the asterisk wildcard to match one line to multiple destinations: for example, entering *.mydomain.com would match against all domains ending in “mydomain.com.”

  4. Select the Authentication method for the custom rule.
    Note: The authentication method you select must be enabled on the Hybrid User Identification page.
    • Default: Uses your default authentication method.
    • NTLM: Uses NTLM identification for the specified user agents and destinations. If an application is not NTLM-capable, basic authentication is used instead.
    • Secure form authentication: Uses secure form authentication to display a secure logon form to the end user. For more information, see Identification and authentication of hybrid users.
    • Basic authentication: Uses the basic authentication mechanism supported by many Web browsers. No welcome page is displayed. For more information about basic authentication, see Identification and authentication of hybrid users.
    • Welcome page: Displays a welcome page to users before they use basic authentication to proceed.
    • None: Bypasses all authentication and identification methods in the hybrid service. Select this option for Internet applications that are incapable of authentication.
  5. Optionally, select Bypass content scanning to bypass all filtering for the specified user agents and destinations.
    Important: Select this option only for applications and sites that do not work well with the hybrid service and that you trust implicitly. Selecting this option could allow viruses and other malware into your network.
  6. Click OK to return to the Custom Authentication page, and then click OK again to cache your changes. Changes are not implemented until you click Save and Deploy.
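
The following pre-deployment check is an added example, not part of the product or its documentation. It applies the URL-versus-domain rule and the asterisk wildcard from steps 2 and 3 to a proposed rule and lists entries that would not be interpreted as intended. The rule dictionary, its key names, the case-insensitive matching, and the acceptance of any scheme:// prefix are assumptions made for illustration.

```python
import re

def classify_destination(entry):
    """Page rule: protocol prefix AND trailing slash => URL; anything else is a domain."""
    e = entry.strip()
    # Assumption: any scheme:// counts as the protocol portion (the page shows http://).
    if re.match(r"[a-z][a-z0-9+.-]*://", e, re.I) and e.endswith("/"):
        return "url"
    # Treated as a domain, and domains cannot end with a forward slash.
    return "invalid" if e.endswith("/") else "domain"

def wildcard_match(pattern, value):
    """Asterisk is the only wildcard; all other characters match literally.
    Assumption: matching is case-insensitive (the page does not say)."""
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, value, re.I | re.S) is not None

def review_rule(rule):
    """Return findings to resolve before Save and Deploy.
    `rule` is a constructed dict; its keys are hypothetical, not a product format."""
    findings = []
    dests = rule["destinations"]            # "all" or a list of entries
    for d in ([] if dests == "all" else dests):
        kind = classify_destination(d)
        if kind == "invalid":
            findings.append(f"{d}: ends with / but has no protocol, not a valid domain")
        elif kind == "domain" and "://" in d:
            findings.append(f"{d}: no trailing /, so it is treated as a domain")
    if rule["user_agents"] == "no-header" and dests == "all":
        findings.append("no user agent header + all destinations: add destinations")
    if dests == "all" and (rule["method"] == "None" or rule["bypass_scanning"]):
        findings.append("auth or scanning bypass is not limited to any destination")
    return findings

# Constructed sample rule for illustration.
SAMPLE = {
    "user_agents": ["Mozilla/5.0*"],
    "destinations": ["http://www.google.com/", "http://www.google.com",
                     "mydomain.com/", "*.mydomain.com"],
    "method": "NTLM",
    "bypass_scanning": False,
}

if __name__ == "__main__":
    for finding in review_rule(SAMPLE):
        print(finding)
```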