How to authenticate users whilst connecting transparently to the Web Gateway.
Thanks to the hard work of my colleagues at McAfee Support, we have put together a working rule that will enable transparent authentication with Active Directory.
To achieve this it is a two step process:
The first step in configuring transparent authentication is to download the attached rule (Authentication Server) and import it into your Rule Sets.
When you import the rule there may be conflicts that can be auto-solved by selecting "Solve by referring to existing objects".
Next, move the rule into place. In my case I placed it just below Common Rules, which is incorrect, but it served its purpose for my testing environment.
Once it is in place, go to the Authentication Server request rule set and edit the "Authenticate user against AD" rule to point to your domain controller.
When completing the steps above your newly imported Rule-Set will look as follows:
If you want to determine how long the Web Gateway Authentication Server will hold users' credentials, go to Policy > Settings > expand Authentication > select Auth Server Redirect and edit the Session TTL for the authentication server. By default the Authentication Server will store the credentials for a total of six minutes.
Now that Web Gateway is properly configured, next we'll prepare Internet Explorer to trust and pass users' credentials to the Authentication Server.
To maintain brevity I have provided all the necessary steps in the attached Word document 'IE-AuthServer.doc'.
We feel good about this in that it will get everyone authenticating transparently; however, we left some basic steps out, assuming the following had already been configured:
Thank you for your time and please contact us if you have any questions or if you see anything missing on any of these steps.
on 11/21/10 2:14:02 AM CST
How would you determine the URL for the Authentication Server, or does
http://$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.ip"/>$:$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.port"/>$
take care of that for you?
Message was edited by: ittech on 12/16/10 3:05:39 PM EST
If you are referring to the URL you need to enter in the trusted sites, you will want to add the IP address of your Web Gateway as follows:
Please let me know if this answers your question?
Sorry for the confusion, I was referring to the Authentication Server URL as seen in your second picture.
You can obtain this by downloading the Authentication_Sever rule.
on 12/16/10 2:37:51 PM CST
So I don't have to change that particular setting when I implement the rule?
That is for internal functionality and there is no need to edit it.
I discovered a possible issue with the "Authentication Server" ruleset which would prevent authentication from occurring for HTTPS sites. Attached is a corrected ruleset. See the screenshot for more details. The reason it does not work is that the Authentication Server ruleset was loosely based on the Cookie auth ruleset, so it contained some unneeded criteria.
BEFORE:
AFTER:
Saul, could you replace the existing file with the one attached?
Also, I have asked that development add a default "Authentication Server" ruleset to the library, and asked to vet it.
~Jon
This totally fixed my HTTPS problem. Thanks!
Thanks Jon.