Enable browser-based user authentication on the Firewall
Browser-based user authentication is configured in the properties of the Firewall.
For more details about the product and how to configure features, click Help or press F1.
Steps
Engine Editor > Add-Ons > User Authentication
Use this branch to enable user authentication. You can configure authentication using HTTP connections or encrypted HTTPS connections.
Option | Definition |
---|---|
Authentication Time-Out | Defines the length of time after which authentication expires and users must reauthenticate. |
Authentication Idle Time-Out | Defines an idle timeout for user authentication. If there have been no new connections within the specified time limit after the closing of a user's previous connection, the user is removed from the list of authenticated users. |
HTTP | When selected, allows authentication using plain HTTP connections. Change the Port number if you want to use a different port for the authentication interface. The default port is 80. |
HTTPS | When selected, allows authentication using encrypted HTTPS connections. Change the Port number if you want to use a different port for the
authentication interface. The default port is 443. This option is required for client certificate authentication. |
HTTPS Settings | Opens the Browser-Based User Authentication HTTPS Configuration dialog box. |
TLS Profile | The TLS Profile element that defines TLS settings for HTTPS connections for authentication, and the trusted certificate authority for client certificate authentication. Click Select to select an element. This option is required for client certificate authentication. |
Use Client Certificates for Authentication | When selected, the NGFW Engine allows users to authenticate using X.509 certificates. Client certificate authentication is supported for browser-based user authentication. |
Always Use HTTPS | When selected, redirects connections to the HTTPS port and enforces the use of HTTPS if the engine also listens on other ports. |
Listen on Interfaces | Restricts the interfaces that users can authenticate through.
|
User Authentication Page | Select the User Authentication Page element that defines the look of the logon page, challenge page, and status page shown to end users when they authenticate. |
Enable Session Handling
(Optional) |
When selected, enables cookie-based strict session handling. Note: When Enable Session Handling is selected, the
Authentication Idle Time-Out option is not available. The Refresh Status Page Every option defines the authentication
timeout.
|
Refresh Status Page Every
(Optional) |
Defines how often the status page is automatically refreshed. When Enable Session Handling is selected, defines the authentication timeout. |
Engine Editor > Advanced Settings > Authentication
Use this branch to configure advanced settings for user authentication.
Option | Definition |
---|---|
Default User Domain | The default LDAP domain from which the NGFW Engine looks up users. Note: This setting applies to all user authentication,
including browser-based user authentication, VPN clients, and the SSL VPN Portal.
|
Allow user lookup from known User Domain matching to client certificate email domain or UPN suffix | When selected, the NGFW Engine looks up the user from the domain specified in the email address or user principal name before
looking up the user in the default domain. Note: This option is ignored when the value of the Client Certificate Identity Field for TLS option is
Distinguished Name.
|
Client Certificate Identity Field for TLS | The attribute that is used to look up the user entry from the user domain when using TLS. The NGFW Engine only uses values
from the Active Directory or LDAP server that is associated with the global default LDAP domain or the engine-specific default user domain.
|