
  • 19022 Views 42 Replies Latest reply: Sep 26, 2011 12:11 PM by lancekentwell

    Nov 21, 2010 2:14 AM

    How to Configure Transparent Authentication with Active Directory

    How to authenticate users whilst connecting transparently to the Web Gateway.

    Thanks to the hard work of my colleagues at McAfee Support, we have put together a working rule that will enable transparent authentication with Active Directory.

    To achieve this it is a two-step process:

    1. Configuring Web Gateway.

    2. Configuring Internet Explorer.

    As the first step in configuring transparent authentication, you will need to download the attached rule (Authentication Server) and import it into your Rule Sets.

    Go to Policy > Rule Sets > Add > Rule Set from Library > Import from file.. > browse to the location of the rule > select and Open the rule.

    When you import the rule there may be conflicts that can be Auto-Solved by selecting Solve by referring to existing objects.

    Next, move the rule into place. In my case I placed this just below Common Rules, which is incorrect, but it served its purpose for my testing environment.

    Once in place you want to go to the Authentication server request rule-set and edit the Authenticate user againts AD rule to point to your domain controller.

    Go to Policy > Rule Sets > expand Authentication Server > select Authentication server request > select the Authenticate user againts AD rule > and click Edit.

    In the Edit Rule box go to Rule Criteria > select the Authentication.Authenticate criteria and click Edit.

    In the Edit Criteria box go to > Settings (For 'Authentication') and using the dropdown select your configured Domain Controller or add one using the Add button below.

    Once done click OK to close the Edit Criteria box > click Finish to close the Edit Rule box > Save Changes.

    When completing the steps above your newly imported Rule-Set will look as follows:

    salanis

    44 posts since

    Oct 30, 2010

    McAfee Communities: How to Configure Transparent...

    07/07/2014 https://community.mcafee.com/thread/29947?decorator=print&displayFullThread=true

    Attachments:

    IE-AuthServer.doc (84.5 K)

    Authentication Server.xml (21.7 K)

    If you want to determine how long the Web Gateway Authentication Server will hold users' credentials, go to Policy > Settings > expand Authentication > select Auth Server Redirect and edit the Session TTL for the authentication server. By default the Authentication Server will store the credentials for a total of six minutes.

    Now that Web Gateway is properly configured, next we'll prepare Internet Explorer to trust and pass users' credentials to the Authentication Server.

    To maintain brevity I have provided all the necessary steps in the attached Word document 'IE-AuthServer.doc'.

    We feel good about this in that it will get all Authenticating Transparently; however, we left some basic steps out, assuming the following had already been configured:

    1. Joining the Web Gateway to the Windows Domain Membership.

    2. Configuring the Web Gateway for Transparent Filtering.

    Thank you for your time and please contact us if you have any questions or if you see anything missing on any of these steps.

    on 11/21/10 2:14:02 AM CST

    Tags: web, gateway, authentication, internet, active, directory, transparent, domain, explorer, controller


    1. Dec 16, 2010 2:05 PM (in response to salanis)

    Re: How to Configure Transparent Authentication with Active Directory

    How would you determine the URL for the Authentication Server or does http://$$:$$ take care of that for you?

    Message was edited by: ittech on 12/16/10 3:05:39 PM EST


    2. Dec 16, 2010 2:07 PM (in response to ittech)

    Re: How to Configure Transparent Authentication with Active Directory

    If you are referring to the URL you need to enter in the trusted sites you will want to add the IP address of your Web Gateway as follows:

    http://ip.address

    https://ip.address

    Please let me know if this answers your question?


    3. Dec 16, 2010 2:21 PM (in response to salanis)

    Re: How to Configure Transparent Authentication with Active Directory

    Sorry for the confusion, I was referring to the Authentication Server URL as seen in your second picture.


    4. Dec 16, 2010 2:37 PM (in response to ittech)

    Re: How to Configure Transparent Authentication with Active Directory

    You can obtain this by downloading the Authentication_Sever rule

    on 12/16/10 2:37:51 PM CST


    5. Dec 16, 2010 2:39 PM (in response to salanis)

    Re: How to Configure Transparent Authentication with Active Directory

    So I don't have to change that particular setting when I implement the rule?


    6. Dec 16, 2010 2:51 PM (in response to ittech)

    Re: How to Configure Transparent Authentication with Active Directory

    That is for internal functionality and no need to edit this.


    7. Jan 5, 2011 10:54 AM (in response to salanis)

    Re: How to Configure Transparent Authentication with Active Directory

    Attachments:

    Authentication Server - Corrected.xml (22.1 K)

    I discovered a possible issue with the "Authentication Server" ruleset which would prevent authentication from occurring for HTTPS sites. Attached is a corrected ruleset. See screenshot for more details. The reason it does not work is because the Authentication Server ruleset was loosely based on the Cookie auth ruleset; it contained some unneeded criteria.

    BEFORE:

    AFTER:

    Saul, could you replace the existing file with the one attached?

    Also, I have asked that development add a default "Authentication Server" ruleset to the library, and asked to vet it.

    ~Jon


    8. Jan 5, 2011 1:40 PM (in response to Jon Scholten)

    Re: How to Configure Transparent Authentication with Active Directory

    This totally fixed my HTTPS problem. Thanks!


    9. Jan 5, 2011 2:30 PM (in response to Jon Scholten)

    Re: How to Configure Transparent Authentication with Active Directory

    Thanks Jon.


    10. Jan 7, 2011 1:09 PM (in response to Jon Scholten)

    Re: How to Configure Transparent Authentication with Active Directory

    Actually I am having a small problem with it now. After the Session TTL for the Authentication Server is up, the HTTPS sites are not getting through. I have to close the browser and reopen it again to reauthenticate.

    I did up the TTL to an hour, just pointing out that there is still a flaw with the work around.

    Message was edited by: ittech on 1/7/11 2:09:24 PM EST


    11. Jan 20, 2011 5:49 PM (in response to ittech)

    Re: How to Configure Transparent Authentication with Active Directory

    This could be related to setting of the client SSL context with the CA. So if you have SSL scanning disabled, then this wouldn't work. To remedy this you could add a rule that applies always to "set the client context with CA" as the event. (This rule is found in the default SSL scanning rule at the top.)

    Let me know if that helps.

    ~Jon


    12. Jan 21, 2011 8:47 AM (in response to Jon Scholten)

    Re: How to Configure Transparent Authentication with Active Directory

    Testing it now.

    Thanks Jon!


    13. Jan 24, 2011 10:49 AM (in response to Jon Scholten)

    Re: How to Configure Transparent Authentication with Active Directory

    Seems to be working. Thanks!


    14. Feb 7, 2011 5:15 PM (in response to salanis)

    Re: How to Configure Transparent Authentication with Active Directory

    Hi, I've an issue with this configuration. On first sight it works like a charm and I can filter by AD group. The problem begins with Terminal Servers. Those servers have one client id for MWG and therefore it treated all users inside the Terminal Server with the privileges of the first user that authenticates to the server. The thing is that I have many users that m