10.1 Firewall User Authentication
139
Redirection to the authentication page
If the
Always require users to be authenticated when accessing web pages
option is en-
abled, user authentication will be required for access to any website (unless the user is
already authenticated). The method of the authentication request depends on the method
used by the particular browser to connect to the Internet:
•
Direct access
— the browser will be automatically redirected to the authentication
page of the
WinRoute’s
web interface (see chapter
) and, if the authentication
is successful, to the solicited web page.
•
WinRoute proxy server
— the browser displays the authentication dialog and then,
if the authentication is successful, it opens the solicited web page.
If the
Always require users to be authenticated when accessing web pages
option is dis-
abled, user authentication will be required only for Web pages which are not available
(are denied by URL rules) to unauthenticated users (refer to chapter
Note:
User authentication is used both for accessing a Web page (or/and other services)
and for monitoring of activities of individual users (the Internet is not anonymous).
Force non-transparent proxy server authentication
Under usual circumstances, a user connected to the firewall from a particular computer
is considered as authenticated by the IP address of the host until the moment when they
log out manually or are logged out automatically for inactivity. However, if the client
station allows multiple users connected to the computer at a moment (e.g.
Microsoft Ter-
minal Services
,
Citrix Presentation Server
or
Fast user switching
on
Windows XP
,
Windows
Server 2003
,
Windows Vista
and
Windows Server 2008
), the firewall requires authentica-
tion only from the user who starts to work on the host as the first. The other users will
be authenticated as this user.
In case of
HTTP
and
HTTPS
, this technical obstruction can be passed by. In web browsers
of all clients of the multi-user system, set connection to the Internet via the
WinRoute’s
proxy server (for details, see chapter
), and enable the
Enable non-transparent proxy
server
option in
WinRoute
. The proxy server will require authentication for each new
session of the particular browser.
Forcing user authentication on the proxy server for initiation of each session may bother
users working on “single-user” hosts. Therefore, it is desirable to force such authentica-
tion only for hosts used by multiple users. For this purpose, you can use the
Apply only
for these IP addresses
option.
Automatic authentication (NTLM)
If the
Enable user authentication automatically...
option is checked and
Internet Explorer
(version 5.01 or later) or
Firefox/SeaMonkey
(core version 1.3 or later) is used, it is possible
to authenticate the user automatically using the NTLM method.
This means that the browser does not require username and password and simply uses
the identity of the first user connected to
Windows
. However, the NTLM method is not
Session
is every single period during which a browser is running. For example, in case of
Internet Explorer
,
Firefox
and
Opera
, a session is terminated whenever all windows and tabs of the browser are closed, while in case of
SeaMonkey
,
a session is not closed unless the
Quick Launch
program is stopped (an icon is displayed in the toolbar’s notification
area when the program is running).
Содержание KERIO WINROUTE FIREWALL 6
Страница 1: ...Kerio WinRoute Firewall 6 Administrator s Guide Kerio Technologies s r o...
Страница 157: ...12 3 Content Rating System Kerio Web Filter 157 Figure 12 7 Kerio Web Filter rule...
Страница 189: ...14 4 URL Groups 189 Description The item s description comments and notes for the administrator...
Страница 247: ...19 4 Alerts 247 Figure 19 14 Details of a selected event...
Страница 330: ...Chapter 23 Kerio VPN 330 Figure 23 55 The Paris filial office VPN server configuration...
Страница 368: ...368...