Configuring Active Directory Services Authentication Policies

You can customize your authentication strategy by configuring authentication policies for Active Directory Services.

Procedure

  1. Go to Administration > Active Directory Services > Authentication Policy.
  2. Click on Add.
  3. Enter a name for the authentication policy and optionally add a description.
  4. Click on the Enable button to enable the policy.
  5. Configure Network objects by selecting one of the following:
    • Any
      For the authentication policy to affect all network objects.
    • Selected network objects
      For the authentication policy to affect only specific network objects. Move one or more objects from the Available network objects box to the Selected network objects box.
      You can create a new network object to include in the policy by clicking Add new network object.
  6. (Optional) Select Exceptions to configure network object exceptions and then move one or more objects from the available network objects box to the exception network objects box.
    The authentication policy is not applied to network objects in the exception list.
  7. Under Authentication mode, select one of the available modes:
    • None
      Does not authenticate. The client IP address is used for policy matching.
    • Standard
      Authenticates only HTTP browser traffic (identified by the User-Agent header).
      Uses Kerberos, NTLM, or Basic for transparent authentication. If transparent authentication fails, opens the Captive Portal page for users to authenticate.
    • Standard Enforce
      Authenticates all traffic, not just browser traffic, over both HTTP and HTTPS/HTTP2.
      For HTTPS/HTTP2 traffic that does not match any customized HTTPS Inspection policy, Deep Discovery Web Inspector forces decryption before authentication and re-signs the traffic with the CA certificate of the default HTTPS Inspection policy.
      Note
      If clients do not trust the CA certificate of the default HTTPS Inspection policy, Standard Enforce authentication might fail, even if the default HTTPS Inspection policy is disabled.
      To prevent this, make sure that clients trust the CA certificate of the default HTTPS Inspection policy.
    • X-header
      Uses the X-Authenticated-User header set by the downstream proxy to identify the user name. If the header is absent, uses the client IP for policy matching.
      Note
      • Deep Discovery Web Inspector supports only the following format for X-Authenticated-User:
        [NetBIOS Domain Name]\[sAMAccountName], Base64 encoded
      • Example: X-Authenticated-User: Mms4YWxwaGFcYXV0byB1c2VyMw==
        In this example, the user is: 2k8alpha\auto user3
      • If the user name cannot be found in the domain controller's local database, Deep Discovery Web Inspector falls back to the client IP address for policy matching.
    For Standard and Standard Enforce mode, Deep Discovery Web Inspector tries to authenticate using Kerberos, NTLM, or Basic (Proxy Mode) authentication. Only one of these methods is attempted; if it fails, no other method is tried. For example, if Kerberos authentication is attempted and fails, Deep Discovery Web Inspector does not go on to try NTLM or Basic. If the Kerberos/NTLM/Basic attempt fails, Deep Discovery Web Inspector tries Captive Portal authentication.
    Note
    Firefox on non-Windows platforms, such as macOS or Ubuntu, does not support NTLM authentication through Deep Discovery Web Inspector. If NTLM authentication fails, the Captive Portal page opens automatically.
    To work around this issue, you can do one of the following:
    • Enable NTLM in Firefox on the non-Windows systems.
    • Exclude the affected non-Windows clients from authentication policies.
  8. Enable or disable the IP authentication cache.
    The IP authentication cache records which user was authenticated from each client IP address so that later requests from that address do not have to be authenticated again. It also improves authentication performance.
    Important
    Enabling the IP authentication user cache is strongly recommended (it is enabled by default):
    1. If the IP-user cache is disabled, concurrent web connections and throughput degrade significantly.
    2. If the authentication user cache is disabled, some applications or browsers might not be able to access the Internet.
  9. Configure the IP authentication cache time settings.
    1. Choose the method for caching data:
      • Last active TTL (default):
        The cache time is measured from the time of the last web request, so each request from the client IP address extends the entry's lifetime.
      • Fixed TTL:
        The cache time is measured from the time the authentication information was entered into the cache, regardless of later requests.
    2. Enter the number of minutes to cache the data.
      The minimum value is 1 and the maximum value is 1440. The default value is 120.
  10. Enable or disable guest access.
  11. Click Save.
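The following Python model, added here as a worked example and not code from Trend Micro or from Deep Discovery Web Inspector, shows two pieces of the behaviour described in steps 7 and 9 so that you can check your downstream proxy and your TTL choice before relying on them. The first part builds and parses the X-Authenticated-User value in the only supported format ([NetBIOS Domain Name]\[sAMAccountName], Base64 encoded) and falls back to the client IP when the header is missing, malformed, or names an unknown user; the domain controller lookup is replaced by a constructed set of known accounts. The second part is a simplified IP-user cache that implements the difference between Last active TTL and Fixed TTL. The names (encode_x_authenticated_user, resolve_identity, IpUserCache) and the internal logic are assumptions for illustration, not the appliance's implementation. Because the header is accepted as-is, only a trusted downstream proxy should be able to inject it into traffic reaching the appliance; the example does not check the header's origin.

```python
import base64
import re

# Only supported decoded form: NETBIOS\sAMAccountName (exactly one backslash separator).
_USER_RE = re.compile(r"^([^\\]+)\\(.+)$")


def encode_x_authenticated_user(netbios_domain: str, sam_account: str) -> str:
    """Build the header value a downstream proxy sends: Base64 of DOMAIN\\user."""
    raw = f"{netbios_domain}\\{sam_account}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_x_authenticated_user(value):
    """Return (domain, user) for a well-formed header value, else None."""
    if not value:
        return None
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    match = _USER_RE.match(raw)
    if not match:
        return None
    return match.group(1), match.group(2)


# Constructed stand-in for the domain controller's account database (assumption).
KNOWN_USERS = {("2k8alpha", "auto user3"), ("2k8alpha", "jdoe")}


def resolve_identity(headers, client_ip, known_users=KNOWN_USERS):
    """X-header mode: use the header's user if valid and known, else the client IP.

    Returns ("user", "DOMAIN\\user") or ("ip", client_ip).
    """
    parsed = decode_x_authenticated_user(headers.get("X-Authenticated-User"))
    if parsed is not None:
        # AD names are case-insensitive, so compare lower-cased.
        known = {(d.lower(), u.lower()) for d, u in known_users}
        if (parsed[0].lower(), parsed[1].lower()) in known:
            return ("user", f"{parsed[0]}\\{parsed[1]}")
    return ("ip", client_ip)


class IpUserCache:
    """IP-to-user cache with the two TTL modes from step 9 (assumed model)."""

    def __init__(self, ttl_minutes=120, mode="last_active"):
        if not 1 <= ttl_minutes <= 1440:
            raise ValueError("TTL must be between 1 and 1440 minutes")
        if mode not in ("last_active", "fixed"):
            raise ValueError("mode must be 'last_active' or 'fixed'")
        self.ttl_seconds = ttl_minutes * 60
        self.mode = mode
        self._entries = {}  # ip -> [user, inserted_at, last_seen]

    def put(self, ip, user, now):
        """Record an authenticated user for an IP at time `now` (seconds)."""
        self._entries[ip] = [user, now, now]

    def lookup(self, ip, now):
        """Return the cached user for `ip`, or None if absent or expired."""
        entry = self._entries.get(ip)
        if entry is None:
            return None
        user, inserted_at, last_seen = entry
        # Last active TTL counts from the last request; Fixed TTL from insertion.
        reference = last_seen if self.mode == "last_active" else inserted_at
        if now - reference > self.ttl_seconds:
            del self._entries[ip]
            return None
        if self.mode == "last_active":
            entry[2] = now  # each hit extends the entry's lifetime
        return user


if __name__ == "__main__":
    hdr = encode_x_authenticated_user("2k8alpha", "auto user3")
    print(hdr, decode_x_authenticated_user(hdr))
    print(resolve_identity({"X-Authenticated-User": hdr}, "10.0.0.5"))
    print(resolve_identity({}, "10.0.0.5"))
    for mode in ("last_active", "fixed"):
        cache = IpUserCache(ttl_minutes=2, mode=mode)
        cache.put("10.0.0.5", "2k8alpha\\jdoe", now=0)
        cache.lookup("10.0.0.5", now=60)
        print(mode, cache.lookup("10.0.0.5", now=170))
```

Run with the 2-minute TTL in the usage block: the Last active cache still returns the user at 170 seconds because the request at 60 seconds reset the timer, while the Fixed cache has already expired the entry. The value produced for "2k8alpha\auto user3" matches the example header shown in step 7.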