I am new to web filtering and am currently setting up a MWG7 install. We would like to use WCCP protocol to connect to our Cisco ASA and NTLM to integrate the Authentication to Active Directory. We are a college campus and have users who are unauthenticated on our network and users who are authenticated (separate vlans). Currently our WiFi is open (I know, I know.. I am new to the college and my next project is to lock down the wireless network). In the ideal implementation I would like users who log on to domain computers to not have to authenticate for internet access through the WebGateway and get a specific ruleset as they have used the AD credentials to log on to the computer. I would like students and guests to our network to not have to authenticate as well, but have a different rule set. I want to log the users activity that have logged into the domain and am not as concerned about those who are unauthenticated. I believe I have figured out the rules sets and lists by reading other members configurations.
The question is if my setup with WCCP and NLTM will auto process users who have logged on to domain computers and if not how should I configure the WebGateway to our network?
Please take a look at this thread.
It will help with your question and make sure to read all of it hence its had a revision of the Rule.
Cheers-on 2/16/11 9:51:49 AM CST
Thanks Saul. Is this the only way to make this work? Most of our users use firefox (or even Safari and Chrome) as a web browser. Also this would not help our guests and students accessing the internet, would it? Should I be looking at another configuration, other then WCCP?
We want this to be as transparent as possible. It is very political here and this would not go over well.
Safari would not be supported for transparent NTLM authentication. The user would get a pop-up box asking to authenticate.
Firefox will work but will needs to be setup to pass NTLM authentication if you want it to work transparently. Otherwise it will pop a box to authenticate as well. A simple add on is NTLM Auth.
Chrome will work just fine. It uses IE settings.
IE should work just fine without having to do anything. It already trusts intranet sites and will pass authentication.
Handling the unauthenticated students would be easy because they would be on a separate vlan. You can make a rule that says: If this vlan (ip address range) then do not authenticate. Then any browser they use will work fine.Message was edited by: jont717 on 2/16/11 4:59:15 PM CST
Download the new ePolicy Orchestrator (ePO) Support Center Extension which simplifies ePO management and provides support resources directly in the console. Learn more about ePO Support Center