You can configure domains to:
  • Integrate TMWS with your organization's on-premises or cloud-based Active Directory infrastructure, or cloud-based Okta, or Google to authenticate users who forward web traffic to TMWS.
  • Add hosted user accounts that are not your organization's Active Directory users to authenticate them and allow them to forward web traffic to TMWS.
TMWS supports authenticating users from one or multiple domains.
When you use the AD FS, Agent, or Direct authentication method, TMWS also supports using the Microsoft Active Directory (AD) Global Catalog (GC) or trusted domains to
  • Apply the AD integration settings configured for the GC's root domain controller to all AD domains in the forest.
  • Enable users from all AD domains in the forest with transparent authentication.
  • Allow users from a domain engaged in a trust relationship with another domain to be authenticated transparently.
  • Before you add the GC root domain controller or trusted domain in TMWS, make sure you have already configured the Global Catalog or trust relationships between specified domains within your corporate network.
  • Under the Direct or Agent authentication mode, if you expect all domains in the forest or users from any domain engaged in a trust relationship with another domain to be authenticated transparently, you will need to synchronize all users to the default authentication domain.
TMWS supports the following operating systems for the AD server:
  • Windows Server 2012 and 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022


  1. Go to AdministrationUSERS & AUTHENTICATIONDirectory Services .
  2. Manage domains.
    Add a domain
    Applicable to the AD FS, Agent, and Direct authentication methods.
    For more information about how to add domains under the Azure AD, Okta, and Google authentication methods, see Azure Active Directory Authentication, Okta Authentication, and Google Authentication.
    1. Click Add.
    2. In the new window that appears, type a domain name in Domain name.
      You can create a maximum of 100 domains as necessary.
      If you type a domain name already in use by another organization, a window appears, providing further instructions for the conflict:
      • You can use a different domain name.
      • If you still want to use this domain name, click Request Proxy Port below to acquire a unique proxy port for your organization.
        A new proxy address is also assigned to go with the newly assigned port.
      • Go to the following configurations to update the proxy port and address:
        • Previously deployed proxy information for roaming users.
        • Online PAC files. For newly added PAC files, the new proxy address and port will be used by default. For existing PAC files, the proxy address and port is still and can be manually updated to the new proxy address and port.
        • Previously deployed enforcement agents.
        • Firewall settings as necessary.
    3. From the Reuse AD integration settings from drop-down list, select None or one domain based on whether you want to reuse the AD integration settings of an existing domain.
      The drop-down list includes the configured domains with AD Integration enabled. This is a convenient way of creating and configuring a new domain.
    4. Click Save.
      The domain displays on the Directory Services page. You can edit the AD integration settings as needed.
    Delete a domain
    Select one or several domains and click Delete.
    Do this if you no longer want web traffic from users belonging to the domain to be forwarded to TMWS.
    It is not possible to delete the domain of the currently logged on user.
    View data in table columns
    • Domain name: Domain name
    • AD Integration: Whether a domain can integrate with your organization's Active Directory server to synchronize and authenticate the Active Directory users. By default, this function is disabled when a domain is added. To enable and set AD integration, click verifyownership.bmp next to the corresponding Disabled. For details, see Direct Authentication, Active Directory Federation Services Authentication, and Agent Authentication.
      If you select the Azure AD, Okta, or Google authentication method, AD integration is always enabled.
    • Hosted User Authentication: Whether a domain is valid and supports authentication of hosted users. Options include:
      • Supported: You can create hosted user accounts belonging to this domain to authenticate these users.
      • Not supported: Click verifyownership.bmp to verify domain ownership and enable hosted user authentication. If the verification is successful, the status changes to Supported, meaning that the domain is valid and you can create hosted user accounts belonging to this domain to authenticate these users.
      • Pending: Domain verification is not completed yet. Check your mailbox, and if you have not received an email message from TMWS, click the Resend icon (pending.bmp).
    • Creation Time: Date and time when a domain was created.
    Verify a domain
    1. Click verifyownership.bmp under Hosted User Authentication.
    2. On the screen that appears, type in Email Address an email address you use to verify your domain ownership, and then click Verify Domain Ownership. TMWS sends an email to the email address.
    3. Check your mailbox, open the email message sent by TMWS, and then click the link in the email message to verify the domain.
    4. TMWS shows a web page confirming the verification. If the verification is successful, the status under Hosted User Authentication changes to Supported. If the status does not change, refresh the screen.
    5. If there is no email message in the mailbox, go to the Directory Services screen, locate the domain name, and then click the Resend icon (pending.bmp). TMWS resends email messages at 5-minute intervals, so be sure that at least 5 minutes has elapsed before attempting to resend.
    Sort the domain information
    Sort the information in ascending or descending order in either of the following ways:
    • Click the title area of a column.
    • Click the up or down arrow at the right of the title area of a column.
    Search for a domain
    Type a domain name or part of the name.
    If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed immediately. TMWS searches all cells in the table for matches.
    Select an authentication method
    TMWS can authenticate your organization's users using the Direct, AD FS, Agent, Azure AD, Okta, or Google authentication method.
    1. Click here on the upper area of the Directory Services screen.
    2. On the Authentication Method window that appears, select the authentication method to use as necessary.
    3. (Applicable to the AD FS, Agent, and Direct authentication methods) Select a default domain from the drop-down list of AD integration enabled domains for transparent authentication using this authentication method.
      After AD users add their client computers to corresponding domains, they can be authenticated without user intervention on TMWS gateways enabled with transparent authentication. Those from other domains using the same authentication method need to provide their user names on a web page before accessing the Internet.
      If this option is set to None, AD users from all domains need to provide their user names during transparent authentication.
      If there is one and only one AD integration enabled domain under the authentication method, this domain is automatically set to the default authentication domain regardless of this option.
      If there are several domains under the authentication method, but only one domain is AD integration enabled, transparent authentication applies to this domain only after this domain is set to the default authentication domain.
    4. If the selected domain is deleted, this option is reset to None.
    5. Click Save.
    You can configure all the domains under each authentication method first, and then select a domain as the default authentication domain.