salanis
Level 10

How to Configure Transparent Authentication with Active Directory

How to authenticate users whilst connecting transparently to the Web Gateway.

Thanks to the hard work of my colleagues at McAfee Support, we have put together a working rule that will enable transparent authentication with Active Directory.

This is a two-step process:

  1. Configuring Web Gateway.
  2. Configuring Internet Explorer.

As the first step in configuring transparent authentication, you will need to download the attached rule (Authentication Server) and import it into your Rule Sets.

  • Go to Policy > Rule Sets > Add > Rule Set from Library > Import from file... > browse to the location of the rule > select and Open the rule.

When you import the rule there may be conflicts that can be auto-solved by selecting Solve by referring to existing objects.

Next, move the rule into place. In my case, I placed this just below Common Rules, which is incorrect, but it served its purpose for my testing environment.

Once in place you want to go to the Authentication server request rule-set and edit the Authenticate user againts AD rule to point to your domain controller.

  • Go to Policy > Rule Sets > expand Authentication Server > select Authentication server request > select the Authenticate user againts AD rule > and click Edit.
  • In the Edit Rule box go to Rule Criteria > select the Authentication.Authenticate criteria and click Edit.
  • In the Edit Criteria box go to > Settings (For 'Authentication') and using the dropdown select your configured Domain Controller or add one using the Add button below.
  • Once done click OK to close from the Edit Criteria box > click Finish to close the Edit Rule box > Save Changes.

When completing the steps above your newly imported Rule-Set will look as follows:

trans-auth-rule.jpg

If you want to determine how long the Web Gateway Authentication Server will hold users' credentials, go to Policy > Settings > expand Authentication > select Auth Server Redirect and edit the Session TTL for the authentication server. By default the Authentication Server will store the credentials for a total of six minutes.

trans-auth.jpg

Now that Web Gateway is properly configured, next we'll prepare Internet Explorer to trust and pass users' credentials to the Authentication Server.

To maintain brevity I have provided all the necessary steps in the attached Word document 'IE-AuthServer.doc'.

We feel good about this in that it will get all authenticating transparently; however, we left some basic steps out, assuming the following had already been configured:

  1. Joining the Web Gateway to the Windows Domain Membership.
  2. Configuring the Web Gateway for Transparent Filtering.

Thank you for your time and please contact us if you have any questions or if you see anything missing on any of these steps.

on 11/21/10 2:14:02 AM CST
0 Kudos
42 Replies
ittech
Level 13

Re: How to Configure Transparent Authentication with Active Directory

How would you determine the URL for the Authentication Server or does

http://$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.ip"/>$:$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.port"/>$

take care of that for you?

Message was edited by: ittech on 12/16/10 3:05:39 PM EST
0 Kudos
salanis
Level 10

Re: How to Configure Transparent Authentication with Active Directory

If you are referring to the URL you need to enter in the trusted sites, you will want to add the IP address of your Web Gateway as follows:

http://ip.address

https://ip.address

Please let me know if this answers your question.

0 Kudos
ittech
Level 13

Re: How to Configure Transparent Authentication with Active Directory

Sorry for the confusion, I was referring to the Authentication Server URL as seen in your second picture.

0 Kudos
salanis
Level 10

Re: How to Configure Transparent Authentication with Active Directory

You can obtain this by downloading the Authentication_Sever rule

on 12/16/10 2:37:51 PM CST
0 Kudos
ittech
Level 13

Re: How to Configure Transparent Authentication with Active Directory

So I don't have to change that particular setting when I implement the rule?

0 Kudos
salanis
Level 10

Re: How to Configure Transparent Authentication with Active Directory

That is for internal functionality and there is no need to edit it.

0 Kudos
McAfee Employee

Re: How to Configure Transparent Authentication with Active Directory

I discovered a possible issue with the "Authentication Server" ruleset which would prevent authentication from occurring for HTTPS sites. Attached is a corrected ruleset. See screenshot for more details. The reason it does not work is that the Authentication Server ruleset was loosely based on the Cookie auth ruleset; it contained some unneeded criteria.

BEFORE:

with_not_equals_connect.png

AFTER:

removed_not_equals_connect.png

Saul, could you replace the existing file with the one attached?

Also, I have asked that development add a default "Authentication Server" ruleset to the library, and asked to vet it.

~Jon

0 Kudos
ittech
Level 13

Re: How to Configure Transparent Authentication with Active Directory

This totally fixed my HTTPS problem. Thanks!

0 Kudos
salanis
Level 10

Re: How to Configure Transparent Authentication with Active Directory

Thanks Jon.

0 Kudos