Transparent Authentication

Companies that have Active Directories or Okta integrated with TMWS can make use of transparent authentication to confirm that HTTP requests through administrator-configured Internet gateways are initiated by Active Directory users.

TMWS performs transparent authentication through the NTLM protocol.

Transparent Authentication Requirements:

For transparent authentication to work, the following requirements must be satisfied:

Requirement	Details
Administrators must enable AD FS, Direct, Agent, Azure AD, or Okta authentication.	Enable Active Directory authentication in Administration > USERS & AUTHENTICATION > Directory Services. Select AD FS, Direct, Agent, Azure AD, or Okta as the authentication method, and configure all necessary settings. For more information, see Directory Services.
Administrators must enable transparent authentication for each Internet gateway.	Configure Internet gateways in Gateways . On the Authentication tab, select Transparent authentication. (Optional) Configure options for the guest user account to: Allow users without an Active Directory account (such as partners and contractors) to log on using the guest user account. Automatically log on users using the guest user account if transparent authentication is unsuccessful. (Optional) Select the option to allow traffic through port 8081.
Users must initiate HTTP requests from supported desktop browsers.	Supported desktop browsers: Google Chrome 55.x or later Microsoft Internet Explorer 11 Mozilla Firefox 50.0.1 or later Microsoft Edge 83.x or later Mobile browsers and non-browser HTTP requests are not supported.

Requirement

Details

Administrators must enable AD FS, Direct, Agent, Azure AD, or Okta authentication.

Enable Active Directory authentication in Administration > USERS & AUTHENTICATION > Directory Services.
Select AD FS, Direct, Agent, Azure AD, or Okta as the authentication method, and configure all necessary settings. For more information, see Directory Services.

Administrators must enable transparent authentication for each Internet gateway.

Configure Internet gateways in Gateways .
On the Authentication tab, select Transparent authentication.
(Optional) Configure options for the guest user account to:
- Allow users without an Active Directory account (such as partners and contractors) to log on using the guest user account.
- Automatically log on users using the guest user account if transparent authentication is unsuccessful.
(Optional) Select the option to allow traffic through port 8081.

Users must initiate HTTP requests from supported desktop browsers.

Supported desktop browsers:

Google Chrome 55.x or later
Microsoft Internet Explorer 11
Mozilla Firefox 50.0.1 or later
Microsoft Edge 83.x or later

Mobile browsers and non-browser HTTP requests are not supported.

Additional Information:

If the user logs on to the host computer using a valid Active Directory account:
- Authentication of HTTP requests sent by a known user (a user who sends requests from an administrator-configured Internet gateway) follows the AD authentication method settings in Directory Services.
- Authentication of HTTP requests sent by a roaming user (a user who sends requests from an unrecognized gateway) requires the user's Active Directory user name.
If the user logs on to the host computer using another account or from an unrecognized gateway, authentication of HTTP requests requires the user's Active Directory or guest user logon credentials.
If authentication was successful, TMWS handles the HTTP request and also issues a cookie to skip the authentication process in future requests.
TMWS can also perform transparent authentication on HTTPS requests. The authentication process depends on whether HTTPS decryption is enabled or disabled in Policies > Global Settings > HTTPS Inspection.
If authentication was unsuccessful, TMWS handles the HTTP request immediately. If automatic logon using the guest user account is enabled or the guest user account was used, TMWS allows the user to log on as a guest.