Add virtual gateways for your organization to verify that traffic forwarded by users to TMWS is from your network.


  1. On the Basic Information tab, configure the following:
    Unique name assigned by the administrator.
    (Optional) Meaningful description to easily identify the gateway.
    Gateway type
    Virtual, which is the default value and not editable.
    Status of the gateway.
    • The Status is null, and after the gateway is successfully added, it will change to Pending, with the status of each configured IP address being Pending.
    • When an HTTP/HTTPS request from a configured IP address is transmitted to the gateway, the status of the IP address changes to Verified, and the status of the gateway changes to Partially Verified.
    • When all the configured IP addresses are verified, the status of the gateway changes to Verified.
    • If there is no HTTP/HTTPS request from a configured IP address in Pending status within one week, the IP address is removed from the gateway automatically.
    Make sure that the IP address you configure:
    • Is in a valid IPv4 format.
    • Is not configured on another virtual gateway or in use by another company.
    • Is not a private IP address.
    Time zone
    Time zone based on the location of the gateway.
    Static IP address
    One or several public IP addresses of your organization's Internet gateways to redirect web traffic.
    Private IP addresses are not supported.
  2. On the Authentication tab, configure the following:
    User authentication
    Select the user authentication method from the drop-down list as necessary.
    (Optional) Advanced Settings
    1. Select the Allow guest access on port 8081 without authentication check box to allow guest users to access websites from your network on a separate port without requiring user authentication. For more information, see User Authentications for Internet Gateway Traffic.
    2. Click Enable or Disable to turn on or off the Bypass authentication option.
    3. In the Available IP address groups area, select the IP address groups to allow the corresponding client devices to pass their web traffic through the gateway without being authenticated.
      If you want to apply cloud access rules based on IP addresses rather than user accounts of certain users, create IP address groups to include these IP addresses as necessary, and then add the groups here.
      Make sure to have your XFF device add users' intranet IP addresses as the first IP of the XFF field.
    4. Optionally select the Exclude the following IP address groups check box, and then select those among the selected IP address groups to still require user authentication.
  3. Click Save.