■ improve performance of eDirectory identification on the Appliance.
Reduce Root Server Load
Properly configured connections to local replicas can greatly reduce the load on your root server.
The Web Appliance regularly pulls identification information. Communicating with a local replica
for the given organizational unit will reduce the load of your root eDirectory server.
Network Impact
Connecting to a local replica will also reduce network traffic between your eDirectory servers. If
the Web Appliance is communicating with a server holding a local replica for the given
organizational unit, that eDirectory server will not have to pull information from a different eDirectory
server in your network before passing that information back to the Web Appliance.
Identification Performance
The Web Appliance synchronizes identification data from eDirectory servers. Properly configuring
your Web Appliance to connect to the correct replica for a given organizational unit allows it to
receive more timely information about who is logged in.
4.4.7 Authentication
Note: No matter which form of authentication you apply, Active Directory must first be configured
and turned on. Authentication options are unavailable if Active Directory is turned off. For more
information, see “Configuring Active Directory Access.”
Authentication allows the appliance to perform identification on the basis of an Active Directory
username, providing improved policy control and logging. Without authentication, users can only
be identified by IP address. As a result, appliance policy decisions and logging are based solely
on IP addresses.
Use the Configuration > System > Authentication page to configure default authentication
settings and create authentication profiles.
Authentication profiles can be configured to apply different types of authentication for different
connection types (for example, devices and client applications that cannot be authenticated with
Active Directory). To specify connection types, you must also create a connection profile using
the Connection Profile Editor on the Configuration > System > Connection Profiles page.
The connection profiles that you create are then available to be referenced in authentication
profiles.
Authentication profiles can also apply different types of authentication to specific destinations.
For example, you may want to create an exception to the main authentication settings so that
internal sites do not require authentication.
Related tasks
Configuring Active Directory Access on page 124
Configuring Active Directory to support Kerberos for Mac OS X on page 134
Sophos Web Appliance | Configuration | 131