Page 1: QuickStart Guide to Authentication

QuickStart Guide to Authentication

WebTitan Version 5

Copyright © 2014 Copperfasten Technologies. All rights reserved. The product described in this document is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Copperfasten Technologies gives no condition, warranty, expressed or implied about the fitness or quality of this manual or the accompanying product. Copperfasten reserves the right to make changes to this manual or the accompanying product, without notice to any person or company. Copperfasten shall not be liable for any indirect, incidental, special, or consequential damages, loss of profits, loss of goodwill, loss of reputation or economic loss resulting from the use of this manual or the accompanying product whether caused through Copperfasten negligence or otherwise and based on contract, tort, strict liability or otherwise, even if Copperfasten or any of its suppliers has been advised of the possibility of damages.

WebTitan is a trademark of Copperfasten Technologies Limited.

Support

WebTitan technical support specialists can provide assistance when planning and implementing your WebTitan deployment, and deciding on the correct authentication options to ensure a smooth deployment. Through online documentation, telephone help, and direct email support, WebTitan ensures that your questions will be answered in the fastest time possible. Access support information at http://helpdesk.webtitan.com/support/home

Revision History

Version  Date           Changes
1.0      December 2014  Initial Revision

Contents

Introduction  4
IP based authentication  5
LDAP based authentication  6
NTLM based authentication  8
WebTitan Active Directory Agent (WADA)  10
  WADA Installation  11
  Next Steps  12

Introduction

WebTitan provides the option to define how users authenticate themselves to WebTitan before accessing external web sites.

By default, authentication is disabled, which means that any user is accepted by the WebTitan appliance without authentication. Should authentication be required, it can be enabled via the System Settings > Authentication tab, shown in Figure 1 below. The method of authentication is selected from the 'Policy type' drop-down list.

WebTitan provides the following methods of user authentication:

- IP based authentication
- LDAP based authentication
- NTLM based authentication
- IP and LDAP based authentication
- IP and NTLM based authentication
- NTLM authentication in Transparent Mode via WADA (WebTitan Active Directory Agent)

Figure 1: Authentication settings

IP based authentication and NTLM based authentication are transparent to the user, whereas LDAP based authentication requires the user to enter their LDAP username/password credentials when they start browsing web sites. They are only asked once for this information.

IP based authentication

IP based authentication is only suitable where the users have static IP addresses. Also, it is recommended that either LDAP or NTLM authentication is used where LDAP servers are being used to maintain the users and groups within WebTitan. To facilitate IP based authentication within WebTitan, the following must be done:

- IP based authentication must be enabled via the System Settings > Authentication tab.
- Users must be assigned IP addresses via the Users & Groups > Users tab. An IP address can be assigned at the time of user creation or by editing an existing user.

Figure 2 below shows that users can be assigned both a single IP address and an IP address range.

Figure 2: Add users dialog

IP authentication points

- IP based authentication will be transparent to the end user.
- IP based authentication should only be used for static IP addresses.

LDAP based authentication

LDAP authentication is suitable where the users and groups are being managed by an LDAP server and where it is preferred that the user must enter their LDAP username/password credentials on commencing web site browsing.

To facilitate LDAP based authentication within WebTitan, the following must be done:

- LDAP based authentication must be enabled via the System Settings > Authentication tab.
- There must be at least one LDAP server specified in the Users & Groups > Users tab†.
- The users associated with the authenticating LDAP server must be imported into WebTitan.

Figure 3 is a screenshot of LDAP based authentication turned on within WebTitan, followed by Figure 4, a screenshot of a user being prompted for their LDAP credentials. They are only required to enter these credentials once.

Figure 3: LDAP authentication settings

† See the 'QuickStart Guide to LDAP Setup' for details on how to connect to an LDAP server within WebTitan and how to import LDAP users.

Figure 4: LDAP Authentication popup from Internet Explorer

If the web user enters an incorrect username or password, then they will receive the following web page:

Figure 5: Failed authentication page

LDAP authentication points

- LDAP based authentication requires the end user to enter their LDAP credentials.

NTLM based authentication

If your network uses NTLM authentication, then NTLM users can be transparently authenticated against the WebTitan web filter using their Microsoft Windows credentials.

To facilitate NTLM based authentication within WebTitan, the following must be done:

- NTLM based authentication must be enabled via the System Settings > Authentication tab.
- Users must browse using Internet Explorer or Mozilla Firefox.

Figure 6 below shows sample settings for an NTLM server. Verification of the settings occurs automatically once the 'Save' button is clicked.

Figure 6: NTLM authentication settings

If your NTLM server does not authenticate successfully, the following error codes returned by WebTitan can help narrow down the cause.

Error Code  Explanation
-1          NTLM authentication isn't enabled.
-2          The username or password was not correct.
-3          Can't connect to domain controllers.
-4          /usr/local/bin/net join command failed with another reason.
-5          winbindd is not working (wbinfo -p).
-6          winbindd is not working correctly (wbinfo -t).

NTLM authentication points

- NTLM based authentication will be transparent to the end user.
- NTLM based authentication only works with Internet Explorer and Mozilla Firefox.
- Users who do not match any NTLM user account will automatically be controlled by the 'Default' policy and will appear in reports as the 'GDefault' user.

WebTitan Active Directory Agent (WADA)

The WebTitan Active Directory Agent (WADA) is a Windows service that maintains a list of active logon sessions, mapping each IP address to a username. This information is then passed to WebTitan so that user filtering rules can be applied based on the logged-in user's policy settings.

The information is gathered from three different sources that exist on a Windows network:

- LDAP
- Event Logger
- network sessions

The LDAP mechanism collects a list of computers in the domain and, based on the lastLogon parameter, contacts each computer using the WMI protocol to check for active logon sessions and eventually obtain the username. Not all computers are checked, only those whose lastLogon field is within the range defined in the configuration (1 year by default).

The Event Logger mechanism listens to the event logger for special events that contain information about username and IP.

Additionally, network sessions are enumerated (by default every 10 seconds) to discover active sessions. This method is especially important when there are users on the network who do not turn off their computers for a very long time and whose computers, for some reason, are not reachable with WMI.

The results from all these methods are then merged into one list and transmitted to WebTitan.
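The following Python sketch is an added illustration, not the guide's or the agent's own code: it applies the lastLogon window described above and merges observations from the three sources into a single IP-to-username list. The record layout, the "newest observation wins" merge rule, the domain name and all sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed records standing in for the agent's three sources (LDAP/WMI sweep, Windows
# event log, enumerated network sessions). Field names, merge rule and sample data are
# assumptions made for this illustration, not WADA's real data model.

@dataclass(frozen=True)
class Logon:
    ip: str          # client address the logon was observed from
    user: str        # DOMAIN\username as the source reported it
    seen: datetime   # when the source observed the logon
    source: str      # "ldap_wmi", "eventlog" or "sessions"

NOW = datetime(2014, 12, 15, 9, 0)      # fixed clock so the run is deterministic
LASTLOGON_RANGE = timedelta(days=365)   # the guide's default window of 1 year

def lastlogon_in_range(last_logon, now=NOW, window=LASTLOGON_RANGE):
    """A computer is polled over WMI only if its lastLogon falls inside the window."""
    return now - last_logon <= window

def computers_to_poll(computers, now=NOW):
    """Apply the lastLogon filter to a {computer: lastLogon} listing pulled from LDAP."""
    return sorted(name for name, ll in computers.items() if lastlogon_in_range(ll, now))

def merge_sessions(records):
    """Collapse records from all sources into one IP -> username map. Assumed rule:
    the most recently observed logon for an address wins, so a newer event-log
    logon replaces an older WMI or session result for the same IP."""
    newest = {}
    for rec in records:
        ip = str(ip_address(rec.ip))   # normalise, and reject malformed addresses early
        if ip not in newest or rec.seen > newest[ip].seen:
            newest[ip] = rec
    return {ip: rec.user for ip, rec in newest.items()}

# Constructed LDAP computer listing: only ws02 has a lastLogon older than one year.
COMPUTERS = {
    "ws01": datetime(2014, 12, 14, 17, 45),
    "ws02": datetime(2013, 6, 1, 8, 0),
    "ws03": datetime(2014, 1, 10, 9, 30),
}

# Constructed observations; bob's later event-log logon supersedes alice on 10.0.0.5.
SAMPLE = [
    Logon("10.0.0.5", r"copperf\alice", datetime(2014, 12, 15, 8, 30), "ldap_wmi"),
    Logon("10.0.0.5", r"copperf\bob", datetime(2014, 12, 15, 8, 55), "eventlog"),
    Logon("10.0.0.7", r"copperf\carol", datetime(2014, 12, 15, 7, 0), "sessions"),
]
```

Because filtering policy is keyed off this map, a stale or wrong IP-to-user entry means the wrong policy is applied, so the merge rule and refresh interval deserve as much scrutiny as the credentials used to collect the data.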

WADA Installation

Install on the Active Directory Server or on another server in the domain. The installation is a straightforward process using the MSI WADA kit, as shown below.

Figure 7: WADA installation

Figure 8: WADA installation – accept the license

Figure 9: WADA installation - WebTitan server settings

Enter the IP address of your WebTitan. NOTE: Specify the proxy port that WebTitan is listening on for HTTP requests. Default: 8881.

Figure 10: WADA installation - AD credentials

Finally, enter your domain administration credentials for your Active Directory, e.g. copperf\admin / password.

Next Steps

To implement transparent identification of users in transparent mode (Figure 11), you must configure the WebTitan appliance to operate in transparent mode and have imported your users from Active Directory on the Users & Groups -> Users page (Figure 12).

Figure 11: Import users from Active Directory

Figure 12: Transparent mode proxy

On the System Setup -> Authentication page, it is sufficient to choose IP based authentication.