Configuring User Authentication

Follow these steps to configure the user authentication method.

  1. Click On or Off to enable or disable user authentication.
  2. Select the user authentication method, and then configure the Guest User Logon options. For details, see User Authentications for Internet Gateway Traffic.
  3. In the Advanced Settings area, select from the drop-down list how the on-premises gateway works when user authentication is unavailable, for example, due to loss of connection with the TMWS cloud.

    By default, when an on-premises gateway goes offline, the gateway uses the locally cached configuration to authenticate users and associate traffic from an IP address with a previously authenticated user for 12 hours.

    After 12 hours, the on-premises gateway will:

    • Use the default policy: Match user traffic with the default rule specified under Cloud Access Rules to determine whether to allow or block the traffic.

    • Bypass traffic: Allow all user traffic.

    • Block traffic: Block all user traffic.

  4. Click Enable or Disable to turn on or off the Kerberos authentication option, and then configure the IP address groups to use Kerberos authentication.

    For increased security protection, TMWS uses Kerberos as the advanced authentication method for selected AD users' logon authentications from TMWS to the AD server. For more information, see About Kerberos Authentication.

    Kerberos authentication requires connection to a key distribution center (KDC). If you enable Kerberos authentication, also configure the IE settings on each client computer and the Kerberos support for AD server. For details, see Configuring Kerberos Authentication.

  5. Click Enable or Disable to turn on or off the Bypass authentication option, and then configure the IP address groups to bypass authentication.

    For a user IP address, when both Kerberos authentication and Bypass authentication are enabled and configured, and Authentication method is selected, the user is authenticated by using only one option, and these options come with the following order: Bypass authentication, Kerberos authentication, Authentication method.


    If you want to apply cloud access rules based on IP addresses rather than user accounts of certain users, create IP address groups to include these IP addresses as necessary, and then add the groups here.

  6. Click Save.