Notes on LDAP in Transparent Mode

Before configuring LDAP authentication on IWSVA deployed in transparent mode (bridge and WCCP), review the following criteria to ensure each item is fully met.

• A valid hostname must be assigned in the Deployment Wizard when configuring Transparent Bridge or WCCP modes. The same hostname must also be entered in the corporate DNS server.

• Ensure that the user ID cache is enabled. By default, this is enabled. If it has been disabled for any reason, it must re-enabled before enabling transparent mode authentication. You can enable user ID cache using the configure module ldap ipuser_cache enable command in the CLI.

• By default, IWSVA keeps user ID cache information for up to 1.5 hours. If you need to lower the cache time out value, use the configure module ldap ipuser_cache <interval> command in the CLI to set a shorter cache interval.

• If authentication is enabled, IWSVA will block all non-browser applications trying to access the Internet. For example, the MSN application might try to access the Internet before the user has a chance to log in the IWSVA server. If this happens, the application will be blocked as the user has not successfully authenticated to IWSVA. You can perform one of the following:

1. Enable the Domain Controller or Windows client query. After enabling either of these options, no authentication is required because IWSVA obtains the username and domain name through domain controller or client query.

2. Bypass LDAP authentication for the application by adding the URLs that application accesses to "Global Trusted URLs.” The URLs in this list will bypass both authentication and content scanning.

3. Instruct users to open their Web browsers and get authenticated before starting up applications that need Internet access.

4. Add the IP address of the client machine to "LDAP authentication White List." IP address in this list will bypass LDAP authentication.

• When User/group authentication is enabled in either forward proxy mode or transparent mode with Active Directory, you can take advantage of the automatic authentication feature provided in the Internet Explorer Web browser. With automatic authentication, clients already logged on to the domain network can access the local Intranet without having to enter the logon information (such as the user name and password); that is, no password pop-up screen displays.

• Note: You must configure your IE settings to enable automatic authentication on each client computer. By default, automatic authentication is enabled in IE 7.0.