Setting Up Authentication Based on URL Categories

Application Note

www.mcafee.com

This document provides information on how to set up user authentication when McAfee Web Gateway (formerly Webwasher®) is configured as a proxy, in a way that allows authentication to be skipped or enforced based on the URL categories that are requested.


COPYRIGHT
Copyright © 2009 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD, INTRUSION INTELLIGENCE, LINUXSHIELD, MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD, PORTALSHIELD, PREVENTSYS, PROTECTION-IN-DEPTH STRATEGY, PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE, SITEADVISOR, THREATSCAN, TOTAL PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.


In this document ...

Concept

Configuration steps

Testing the configuration

Issues

Concept

In some situations, a user trying to access the internet from a corporate network should not have to authenticate. This could be the case with external users, such as contractors or visitors, who are not included in the internal authentication directory.

The configuration described in this document follows a concept where authentication is set up based on the category of the URL that a user requests. URLs for anonymous access are included in a customized category that will not require authentication, whereas authentication is enforced for all other categories.

The concept is also shown in the diagram below:


Configuration steps

There are a number of activities you need to complete, using the user interface of McAfee Web Gateway, to achieve the goal of having URL categories skip or trigger an authentication procedure:

Creating an action

Setting up authentication

Setting up Web mapping

Setting up a default policy

Creating an action

One thing you need to create is an action that stops a request and triggers authentication.

McAfee Web Gateway allows you to send customized headers providing information that is used in an action. In this case, the action returns the HTTP status code 407 (Proxy Authentication Required), with which a proxy tells the browser that it demands credentials. Stopping the request requires that it is blocked first; the 407 response then triggers authentication.

Proceed as follows:

1 In the McAfee Web Gateway user interface, navigate to Configuration > Action Editor.

2 On the Action Editor tab, click Create New.

A new action named NewAction appears in the list of actions.

3 Click Edit in the row of the NewAction list entry.

The Action Definition tab appears.

4 In the Name of Action field, enter a descriptive name, such as Authentication.

5 From the Web Action drop-down list, select Block.

6 Click Apply Above Changes.

7 From the Parameter drop-down list, select HTTP-Error and click Add.

The Action Parameter tab appears.

8 In the HTTP Error input field, enter 407 as code number.

407 (Proxy Authentication Required) is the status code with which a proxy demands credentials. It is sent back in response to the request and causes the browser to start the authentication procedure for the configured method and to resend the request with credentials.

9 Click Apply Above Changes.

You are redirected to the Action Definition tab.

10 From the Parameter drop-down list, select another parameter, Protocol Selection, and click Add.

The Action Parameter tab appears.

11 From the Protocol drop-down list, select Web and click Apply Above Changes.

You are again redirected to the Action Definition tab.


In the Parameter list, you will now see the two parameters you added as entries:

12 Click the Go back to Actions link.

The Actions tab appears again.

This completes the steps required for creating an action that stops a request and triggers authentication.

Note: To make this action available within McAfee Web Gateway, you need to perform a manual restart.

Setting up authentication

Authentication is usually enforced at the proxy level, which means that every request needs to go through the authentication procedure if the authentication option is enabled. The difference in the approach described here is that the proxy will only require authentication if this is actually specified as part of the policy settings.

In the following, the NTLM authentication method will be used for a client system that is not a domain member. This is a suitable method for illustrating an authentication mode where the user is prompted to submit credentials.

If the client is a member of the domain, authentication is transparent under the NTLM and NTLM agent methods, as well as under the user database method. Under the Radius and LDAP methods, the user is prompted for credentials.

Proceed as follows:

1 Go to Proxies > HTTP Proxy > Authentication.

2 From the first of the Authentication Process drop-down lists, select NTLM as authentication method.

Note: NTLM is the method used in this sample configuration. You may select a different method here and, in addition, another method from the second list. If you configure two authentication methods, however, be aware that a user must pass both successfully to get authenticated.

3 In the Authentication Options section, make sure the Always authenticate client option is not selected. This way, authentication is not enforced at proxy level.


4 In the NTLM and NTLM Agent Authentication Options section, configure settings according to your requirements, for example, as shown below:

5 Click Apply Changes to make your settings effective.

6 Go to Proxies > HTTPS Proxy > Authentication and repeat Step 2 to 5 to configure the authentication settings described here also for HTTPS traffic.

This completes the steps required for setting up a suitable authentication method.


Setting up Web mapping

Web mapping usually maps users that have been authenticated before to policies. In this sample configuration, no initial authentication is performed, which would usually lead to the request being blocked. However, the intention is to allow all initial requests and apply a policy to them under which authentication is skipped for URLs falling under a particular category and enforced for all others.

Note: It is assumed that you have already configured several policies to meet requirements that exist within your particular environment.

In the following, a sample policy will be used to configure authentication based on URL categories. Its name will be Domain_Users.

Note: It is further assumed that a policy with this or a similar name exists already in your configuration, or that you have set it up for this sample configuration, using the Create New Policy section on the Management tab.

Proceed as follows:

1 Go to User Management > Policy Management > Web Mapping.

2 In the Mapping Process section:

a Select Group name from the drop-down list in the first row of the Map from column under Mapping method order for REQMOD.

b Select map directly from the Map via list in the same row.


A mapping rule or scheme is then created named Group-Direct-1, which is displayed under Using these rules:

3 Click Edit rules and options next to the settings you configured.

The Group Based Mapping tab appears.

4 In the Mapping Options section, deselect the Input value must exist checkbox, as there is no relevant mapping data available because the initial request is accepted without authentication.

5 [Optional] Select the Enable shell expression in mapping rules checkbox. This allows you to replace longer group names found in directories by shell expressions, such as *.

6 In the Add Rule section, add a rule for mapping a user group to a policy, as follows:

a From the drop-down list provided here, select Domain_Users as policy.

b In the input field next to the list, type Domain*.


c Click Add First.

This rule will map all users who are in Active Directory user groups that have names beginning with Domain ... to the Domain_Users policy.

7 Click Apply Changes to make your settings effective.

8 Click the Go back to Web Mapping Methods link.

The Web Mapping tab appears, see Step 2.


9 In the Mapping Options section, select the Allow request and use default policy checkbox.

This allows an initial request to pass through if the mapping fails, and the mapping has to fail because no relevant user data is available, as there has been no initial authentication.

Furthermore, the default policy is applied to the request. This policy needs to be configured in a way that skips authentication for a particular URL category and enforces it for all others.

10 Click Apply Changes to make this setting effective.

This completes the web mapping steps: the initial, unauthenticated request fails the group-based mapping and is therefore handled by the default policy.

Setting up a default policy

The default policy is the policy that skips or triggers authentication. All initial requests will fall under this policy because it is configured as “fallback” in case the mapping process fails, which happens if no authentication is performed.

Note: Since you disabled the Always authenticate client option in Step 3 of Setting up authentication, authentication is not enforced at the proxy level. This means that whenever an initial request is sent after opening the browser, no authentication procedure is applied to it.

Proceed as follows:

1 Go to URL Filter > Category Actions.

2 In the navigation area to the left of the Category Actions tab, make sure default is selected in the Policy drop-down list at the top of the area.

3 Configure Authentication as action for all categories on the tab that are not user-defined, by selecting this action from the corresponding drop-down lists.

Note: Authentication is the action you created using the steps described under Creating an action.


4 Configure Allow as action for all user-defined categories, which are displayed at the bottom of the tab, by selecting this action from the corresponding list:

Note: In this sample configuration, User-Defined 1 is the URL category used for allowing requests to URLs without authentication. Any other category may be used for this purpose as well. Whichever category you use, every URL it contains is reachable through the proxy without credentials, so restrict it to the URLs that anonymous users actually need.

5 Click Apply Changes to make your settings effective.

This completes the steps required for setting up a default policy that skips authentication for URLs of a particular category and triggers it for all others.


Testing the configuration

A simple test can be performed by including mcafee.com as a URL in a user-defined category. This can be done using the Extended List feature.

Proceed as follows:

1 Go to URL Filter > Extended List Manager.

2 In the Add URL field of the Extended List section, type mcafee.com and click Add.

3 From the Category 1 drop-down list, select User-Defined 1.

4 Make sure the Use categorization for all subhosts checkbox is selected. This ensures that the categorization is also applied to URLs such as www.mcafee.com, and others.

5 Click Apply Changes to make these settings effective.

6 In the Current Status section at the top of the tab, click Reload Into Memory to update the list.


7 Configure McAfee Web Gateway as proxy for your browser and surf to mcafee.com.

You will get access to the Web page without authentication. The access.log file will show - - (no entry) for this access in the auth_user column:

8 Surf to a URL included in a category that is not user-defined, for example, www.cnn.com.

You will immediately be prompted for authentication:

After entering your credentials or being authenticated transparently, the access.log file will show an entry for the user name:
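The flow just tested, as an added example that is not part of the original application note and not McAfee Web Gateway code: a Python model of the decision path a request takes with this configuration (web mapping with the Domain* rule and fallback to the default policy, Allow for User-Defined 1, the Authentication action answering 407, and the retry after the browser prompt). All names in it (EXTENDED_LIST, BUILTIN_CATEGORIES, DIRECTORY, handle_request, browse, the user jdoe) are assumptions of the example; the NTLM handshake is collapsed into credentials being present or absent, and the category database is a two-entry stand-in. It also shows two things the procedure above only implies: a host such as notmcafee.com must not be treated as a subhost of mcafee.com, and an authenticated user whose groups match no mapping rule falls back to the default policy and is challenged again.

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit

# --- Constructed stand-ins for the settings made in the UI (example only) ---

# Extended List entry from "Testing the configuration": mcafee.com in
# User-Defined 1 with "Use categorization for all subhosts" selected.
EXTENDED_LIST = {"mcafee.com": ("User-Defined 1", True)}

# Two-entry stand-in for the URL filter database.
BUILTIN_CATEGORIES = {"www.cnn.com": "News"}

# Web mapping rule Group-Direct-1 with shell expressions enabled.
MAPPING_RULES = [("Domain*", "Domain_Users")]

# Stand-in directory: groups the proxy learns once NTLM has succeeded.
# The NTLM exchange itself is collapsed into "credentials present or absent".
DIRECTORY = {"jdoe": ["Domain Users"], "visitor": []}


def classify_url(url):
    """Category of a URL: extended list first (with subhost handling), then the database."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for entry, (category, subhosts) in EXTENDED_LIST.items():
        # A subhost is 'entry' itself or something ending in '.entry'. A bare
        # host.endswith(entry) would also accept notmcafee.com and turn the
        # anonymous category into an authentication bypass.
        if host == entry or (subhosts and host.endswith("." + entry)):
            return category
    return BUILTIN_CATEGORIES.get(host, "Uncategorized")


def default_policy_action(category):
    """Category actions of the default policy: Allow for user-defined categories, else Authentication."""
    return "Allow" if category.startswith("User-Defined") else "Authentication"


def map_policy(groups):
    """Group-based web mapping; None means the mapping failed and the default policy applies."""
    for pattern, policy in MAPPING_RULES:
        if any(fnmatch(group, pattern) for group in groups):
            return policy
    return None


def handle_request(url, proxy_authorization=None):
    """One pass through the proxy; returns a dict shaped like an access.log entry.

    'Always authenticate client' is off, so a request without credentials is not
    rejected up front but goes to web mapping with no user data.
    """
    category = classify_url(url)
    user = proxy_authorization          # simplification: the credential is the user name
    groups = DIRECTORY.get(user, []) if user else []
    policy = map_policy(groups)
    if policy is None:
        # Mapping failed; 'Allow request and use default policy' is selected.
        entry = {"auth_user": user or "-", "policy": "default", "category": category}
        if default_policy_action(category) == "Authentication":
            # The Authentication action: Block with HTTP-Error 407 for protocol Web.
            return {**entry, "status": 407, "headers": {"Proxy-Authenticate": "NTLM"}}
        return {**entry, "status": 200, "headers": {}}
    # Mapped to Domain_Users; this example assumes that policy allows the URL.
    # A user who already holds credentials is logged by name even for the
    # anonymous category (the third point under Issues).
    return {"auth_user": user, "policy": policy, "category": category,
            "status": 200, "headers": {}}


def browse(url, user=None):
    """Simulate a browser: first request without credentials, one retry after a 407
    if the user can answer the prompt. The list length is the number of log lines."""
    entries = [handle_request(url)]
    if entries[-1]["status"] == 407 and user:
        entries.append(handle_request(url, user))
    return entries


if __name__ == "__main__":
    for url, user in [("http://www.mcafee.com/", None),
                      ("http://www.cnn.com/", "jdoe"),
                      ("http://notmcafee.com/", "visitor")]:
        for e in browse(url, user):
            print(f'{e["status"]} {e["auth_user"]:<8} {e["policy"]:<13} {e["category"]:<15} {url}')
```

handle_request(url) without credentials corresponds to the first request after opening the browser; browse(url, user) shows the double round trip that produces the two access.log entries discussed under Issues.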


Issues

When configuring authentication in the way described here, you should be aware of the following issues:

• Each request that triggers authentication is logged twice in the access.log file: the initial request is blocked with a 407 response and logged because it is not authenticated, and the second request, which the browser sends after receiving the 407 response, is allowed and logged as well.

• There will be an increased number of requests at the proxy, as each request for a URL in a category that requires authentication needs to be reprocessed after the 407 response to get authenticated. This might require the deployment of additional proxies.

• Once a user has authenticated, requests for URLs in the category allowing anonymous access, which were previously logged without a user name, are also logged as authenticated.
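A way to see these effects in the log, as an added example that is not part of the original application note: the script below parses a few constructed log lines in a simplified layout (client, auth_user, timestamp, request, status; not the real access.log format) and pairs each 407 entry with the retry from the same client for the same URL, so that request counts reflect logical requests rather than log lines. It distinguishes four outcomes: anonymous, authenticated_after_407, authenticated_unchallenged (a user name logged with no preceding 407, which is what the third issue produces for the anonymous category once a user has authenticated), and challenged_unanswered (a 407 never followed by an authenticated retry, such as a visitor without credentials). All names, the line layout and the sample lines are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample lines in a simplified layout; the real McAfee Web Gateway
# access.log has more fields. Client 10.0.0.5 is a domain user, 10.0.0.7 a visitor.
SAMPLE_LOG = """\
10.0.0.5 - [17/Mar/2009:10:00:01 +0100] "GET http://www.mcafee.com/ HTTP/1.1" 200
10.0.0.5 - [17/Mar/2009:10:00:05 +0100] "GET http://www.cnn.com/ HTTP/1.1" 407
10.0.0.5 jdoe [17/Mar/2009:10:00:05 +0100] "GET http://www.cnn.com/ HTTP/1.1" 200
10.0.0.5 jdoe [17/Mar/2009:10:00:09 +0100] "GET http://www.mcafee.com/ HTTP/1.1" 200
10.0.0.7 - [17/Mar/2009:10:00:12 +0100] "GET http://www.cnn.com/ HTTP/1.1" 407
"""

LINE_RE = re.compile(r'^(\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})$')


def parse(log_text):
    """Turn log lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, user, ts, method, url, status = m.groups()
        entries.append({"client": client, "user": None if user == "-" else user,
                        "time": ts, "method": method, "url": url, "status": int(status)})
    return entries


def reconcile(entries):
    """Collapse each 407 with the authenticated retry that follows it from the
    same client for the same URL. Returns one record per logical request and a
    Counter of outcomes."""
    pending = {}          # (client, url) -> index of an unanswered 407 in `requests`
    requests = []
    for e in entries:
        key = (e["client"], e["url"])
        if e["status"] == 407:
            requests.append({**e, "outcome": "challenged_unanswered"})
            pending[key] = len(requests) - 1
            continue
        idx = pending.pop(key, None)
        if idx is not None and e["user"]:
            # The retry after a 407: fold it into the challenge record.
            requests[idx].update(user=e["user"], status=e["status"],
                                 outcome="authenticated_after_407")
            continue
        # No preceding challenge: either an anonymous request, or a user name
        # logged because the browser already held credentials.
        outcome = "authenticated_unchallenged" if e["user"] else "anonymous"
        requests.append({**e, "outcome": outcome})
    return requests, Counter(r["outcome"] for r in requests)


if __name__ == "__main__":
    reqs, counts = reconcile(parse(SAMPLE_LOG))
    for r in reqs:
        print(f'{r["client"]:<9} {r["user"] or "-":<6} {r["status"]} {r["outcome"]:<26} {r["url"]}')
    print(dict(counts))
```

Run against a real export, the ratio of challenged_unanswered to authenticated_after_407 shows how many clients are hitting the 407 prompt without being able to answer it, and authenticated_unchallenged counts the anonymous-category hits that the third issue turns into named entries.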


700-2140A00