Identification and authentication of hybrid users
Select
to configure how users are identified by the hybrid service, and to test and configure users’ connections to the service. You can configure multiple authentication or identification options for your hybrid users if required. To ensure that the appropriate per-user or per-group policy is applied to hybrid users, whether from a filtered location or when off-site, you have the following options for identifying or authenticating the users transparently:
- Forcepoint Web Security Endpoint is installed on client machines to provide transparent authentication, enforce use of the hybrid service, and pass authentication details to the hybrid service. See Forcepoint Web Security Endpoint software.
- Single sign-on provides clientless transparent authentication via a gateway hosted on your network. See Integrating the hybrid service with a single sign-on identity provider.
- Users at filtered locations (see Filtered locations) can be identified transparently via NTLM. This option is not available for off site users.
- The hybrid service can be configured to automatically generate passwords for all users whose information is collected by Directory Agent (see Configure user access to the hybrid service).
If you do not enable any form of transparent identification or authentication:
- Off-site users without a web endpoint client or single sign-on are prompted for an email address and password when they open a browser and connect to the Internet.
- Other hybrid users are assigned policies based on their IP address if the web endpoint client, single sign-on, or NTLM identification are not available.
Indicate how the hybrid service should identify users requesting Internet access. These options are also used as a fallback if either the endpoint client software or single sign-on fails.
- Mark Always authenticate users on first access to enable transparent NTLM identification, secure form authentication, or manual authentication when users first connect to the hybrid service.
If you do not select this option and you have not enabled any other authentication methods for users in filtered locations, those users receive an IP address-based policy, and their identity does not appear in reports.
Internet Explorer and Firefox can be used for transparent user identification. Other browsers will prompt users for logon information.
If Directory Agent is sending data to the hybrid service, using NTLM to identify users is recommended.
- Mark Use NTLM to identify users when possible to use directory information gathered by Directory Agent to identify users transparently, if possible.
When this option is selected, the hybrid service uses NTLM to identify the user if the client supports it, and otherwise provides a logon prompt.
Important: When NTLM is used to identify users, do not use self-registration (configured on the User Access page under Registered Domains).
- Mark Use secured form authentication to identify users to display a secure logon form to the end user. When the user enters their email address and hybrid service password, the credentials are sent over a secure connection for authentication.
Note: If Ping Federate or Microsoft AD FS is used as the identity provider, single sign-on cannot fall back to secured form authentication.
If you select this option, define how often users’ credentials are revalidated for security reasons under Session Timeout. The default options are 1, 7, 14, or 30 days. The same session timeout applies to single sign-on, if enabled.
Note: It is possible to extend the Session Timeout options to 3 months, 6 months, and 12 months. To enable this extended feature, contact Support.
If the users have not previously registered to use the service, they can do so by clicking Register on the logon form. To use this option, enable self-registration (configured on the User Access page under Registered Domains). Advise end users not to use the same password for hybrid service access that they use to log on to the network.
If you do not select either the NTLM or the secured form authentication option, but Always authenticate users on first access is selected, users who could not be identified via another means see a logon prompt every time they access the Internet. Basic authentication is used to identify users who receive a logon prompt.
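The fallback order described above, together with the two combinations the page calls out (NTLM with self-registration, and Ping Federate or AD FS single sign-on with secured form fallback), modelled as a small decision function and configuration check. This is an added example, not Forcepoint's code; the field names, the method labels and the treatment of NTLM and secured form as sub-options of Always authenticate are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class HybridAuthSettings:
    """Options on the hybrid user identification page (field names are assumptions)."""
    always_authenticate: bool = False  # Always authenticate users on first access
    use_ntlm: bool = False             # Use NTLM to identify users when possible
    secured_form: bool = False         # Use secured form authentication to identify users
    self_registration: bool = False    # User Access > Registered Domains
    sso_idp: Optional[str] = None      # identity provider name, if single sign-on is used

@dataclass
class UserContext:
    filtered_location: bool     # request arrives from a filtered location, not off-site
    endpoint_working: bool      # Forcepoint Web Security Endpoint present and working
    sso_working: bool           # single sign-on gateway reachable and working
    client_supports_ntlm: bool  # e.g. Internet Explorer or Firefox

def effective_method(s: HybridAuthSettings, u: UserContext) -> str:
    """Return which mechanism identifies this user, following the page's fallback order."""
    if u.endpoint_working:
        return "endpoint"
    if u.sso_working:
        return "single sign-on"
    # Endpoint and single sign-on absent or failed: the fallback settings apply.
    if s.always_authenticate:
        if s.use_ntlm and u.filtered_location and u.client_supports_ntlm:
            return "ntlm"               # transparent; filtered locations only
        if s.secured_form:
            return "secured form"
        return "basic auth prompt"      # logon prompt on every Internet access
    if not u.filtered_location:
        return "email/password prompt"  # off-site user with no transparent option
    return "ip-address policy"          # identity will not appear in reports

def configuration_warnings(s: HybridAuthSettings) -> List[str]:
    """Flag combinations the page calls out as unsupported, plus options that have no effect."""
    warnings = []
    if s.always_authenticate and s.use_ntlm and s.self_registration:
        warnings.append("NTLM identification must not be combined with self-registration")
    if s.secured_form and s.sso_idp in ("Ping Federate", "Microsoft AD FS"):
        warnings.append("single sign-on via %s cannot fall back to secured form authentication" % s.sso_idp)
    if (s.use_ntlm or s.secured_form) and not s.always_authenticate:
        # modelling assumption: these options only apply once first-access authentication is on
        warnings.append("NTLM/secured form options take effect only with Always authenticate users on first access")
    return warnings
```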
- Specify whether or not a Welcome page is displayed when users who have not been identified via NTLM or who are not using secured form authentication open a browser to connect to the Internet.
The Welcome page:
- Provides a simple selection of common search engines to get the user started
- Is used mainly by those who connect to the hybrid service from outside a filtered location (while working from home or traveling, for example)
When you are finished, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.
Once you have set up the hybrid service and configured user browsers to access the PAC file, you can use the links provided under Verify End User Configuration to make sure that end user machines have Internet access and are correctly configured to connect to the hybrid service.
If your hybrid service account has not been verified (which may mean that no email address has been entered on the
page), the URLs are not displayed.