Follow these steps to configure the user authentication method.
By default, when an on-premises gateway goes offline, the gateway uses the locally cached configuration to authenticate users and associate traffic from an IP address with a previously authenticated user for 12 hours.
After 12 hours, the on-premises gateway will:
- Use the default policy: Match user traffic with the default rule specified under Cloud Access Rules to determine whether to allow or block the traffic.
- Bypass traffic: Allow all user traffic.
- Block traffic: Block all user traffic.
For increased security protection, TMWS uses Kerberos as the advanced authentication method when authenticating the logons of selected AD users from TMWS to the AD server. For more information, see About Kerberos Authentication.
Kerberos authentication requires a connection to a key distribution center (KDC). If you enable Kerberos authentication, also configure the IE settings on each client computer and Kerberos support on the AD server. For details, see Configuring Kerberos Authentication.
For a user IP address, when both Kerberos authentication and Bypass authentication are enabled and configured, and Authentication method is selected, the user is authenticated by using only one option. The options are applied in the following order: Bypass authentication, Kerberos authentication, Authentication method.
If you want to apply cloud access rules based on IP addresses rather than on the user accounts of certain users, create IP address groups that include these IP addresses as necessary, and then add the groups here.