How to authenticate users whilst connecting transparently to the Web Gateway.
Thanks to the hard work of my colleagues at McAfee Support, we have put together a working rule that will enable transparent authentication with Active Directory.
To achieve this it is a two step process:
The first step in configuring transparent authentication you will need to download the rule attached (Authentication Server) and import this into your Rule Sets.
When you import the rule there may be conflicts that can be Auto-Solve by selecting Solve by referring to existing objects.
Next, move the rule into place in my case I placed this just below Common Rules which is incorrect but it served its purpose for my testing environment.
Once in place you want to go to the Authentication server request rule-set and edit the Authenticate user againts AD rule to point to your domain controller.
When completing the steps above your newly imported Rule-Set will look as follows:
If you want to determine how long will the Web Gateway Authentication Server hold users' credentials go to Policy > Settings > expand Authentication > select Auth Server Redirect and edit the Session TTL for the authentication server. By default the Authentication Server will store the credentials for a total of six minutes.
Now that Web Gateway is properly configured next we'll prepare Internet Explorer to trust and pass users' credentials to the Authentication Server.
To maintain brevity I have provided all the necessary steps in the attached Word document 'IE-AuthServer.doc'.
We feel good about this in that it will get all Authenticating Transparently, however we left some basic steps out assuming the following had already been configured:
Thank you for your time and please contact us if you have any questions or if you see anything missing on any of these steps.on 11/21/10 2:14:02 AM CST
How would you determine the URL for the Authentication Server or does
http://$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.ip"/>$:$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.port"/>$
take care of that for you?Message was edited by: ittech on 12/16/10 3:05:39 PM EST
I discovered a possible issue with the "Authentication Server" ruleset which would prevent authentication from occuring for HTTPS sites. Attached is a corrected ruleset. See screenshot for more details. The reason it does not work is because Authentication server ruleset was loosley based on the Cookie auth ruleset, it contained some undeed criteria.
Saul, could you replace the exising file with the one attached?
Also, I have asked that development add a default "Authentication Server" ruleset to the library, and asked to vet it.
Download the new ePolicy Orchestrator (ePO) Support Center Extension which simplifies ePO management and provides support resources directly in the console. Learn more about ePO Support Center