How to authenticate users whilst connecting transparently to the Web Gateway.
Thanks to the hard work of my colleagues at McAfee Support, we have put together a working rule that will enable transparent authentication with Active Directory.
To achieve this it is a two step process:
- Configuring Web Gateway.
- Configuring Internet Explorer.
The first step in configuring transparent authentication you will need to download the rule attached (Authentication Server) and import this into your Rule Sets.
- Go to Policy > Rules Sets > Add > Rule Set from Library > Import from file.. >browse to the location of the rule > select and Open the rule.
When you import the rule there may be conflicts that can be Auto-Solve by selecting Solve by referring to existing objects.
Next, move the rule into place in my case I placed this just below Common Rules which is incorrect but it served its purpose for my testing environment.
Once in place you want to go to the Authentication server request rule-set and edit the Authenticate user againts AD rule to point to your domain controller.
- Go to Policy > Rule Sets > expand Authentication Server > select Authentication server request > select the Authenticate user againts AD rule > and click Edit.
- In the Edit Rule box go to Rule Criteria > select the Authentication.Authenticate criteria and click Edit.
- In the Edit Criteria box go to > Settings (For 'Authentication') and using the dropdown select your configured Domain Controller or add one using the Add button below.
- Once done click OK to close from the Edit Criteria box > click Finish to close the Edit Rule box > Save Changes.
When completing the steps above your newly imported Rule-Set will look as follows:
If you want to determine how long will the Web Gateway Authentication Server hold users' credentials go to Policy > Settings > expand Authentication > select Auth Server Redirect and edit the Session TTL for the authentication server. By default the Authentication Server will store the credentials for a total of six minutes.
Now that Web Gateway is properly configured next we'll prepare Internet Explorer to trust and pass users' credentials to the Authentication Server.
To maintain brevity I have provided all the necessary steps in the attached Word document 'IE-AuthServer.doc'.
We feel good about this in that it will get all Authenticating Transparently, however we left some basic steps out assuming the following had already been configured:
- Joining the Web Gateway to the Windows Domain Membership.
- Configuring the Web Gateway for Transparent Filtering.
Thank you for your time and please contact us if you have any questions or if you see anything missing on any of these steps.
on 11/21/10 2:14:02 AM CST
I discovered a possible issue with the "Authentication Server" ruleset which would prevent authentication from occuring for HTTPS sites. Attached is a corrected ruleset. See screenshot for more details. The reason it does not work is because Authentication server ruleset was loosley based on the Cookie auth ruleset, it contained some undeed criteria.
BEFORE:
AFTER:
Saul, could you replace the exising file with the one attached?
Also, I have asked that development add a default "Authentication Server" ruleset to the library, and asked to vet it.
~Jon
