Configure User Authentication Settings
- Click 'Administration' > 'Authentication Configuration' > 'Authentication Settings' to open this interface.
- You have to choose a user authentication method in order to deploy user-specific policies.
- There are two methods available - 'Hosted DB' and 'Active Directory'. You can select only one authentication method per account.
- After connecting your networks to Comodo Secure Web Gateway and adding them to 'Locations', the default security and URL filtering polices will be applied to all endpoints in your networks.
- You must first have added users before you can apply custom polices to them. You can add users in 'Administration' > 'Authentication Configuration' > 'User Management'. See 'User Management' if you need help with this.
Authentication Method
- SWG supports 'Active Directory' and 'Hosted Database' authentication. You can only use one of these types.
- You can combine auth types with traffic forwarding types as explained in Connect your Network to Comodo Secure Web Gateway.
- Comodo recommends the following types of combinations:
S.No |
Auth Type |
Traffic Fowrading Types |
---|---|---|
1 |
Hosted DB |
SWG Agent, ICAP and Proxy Chain |
3 |
Active Directory |
SWG Agent |
Note: You can only create network location rules for 'Direct Proxy' and 'PAC' traffic forwarding. You cannot create user based rules for these forwarding types. |
Authentication methods for user-based rules explained:
- Traffic forwarding via SWG Agent – The SWG agent authenticates users via Windows authentication on the device. There is no need to select any authentication and traffic forwarding option on the Locations interface. Hosted DB and Active Directory authentication methods are supported.
- Traffic forwarding via Direct Proxy or PAC – User-based rules are not supported for these forwarding types, so no authentication is required. No need to select any authentication and traffic forwarding option on the Locations interface.
- Traffic forwarding via Proxy Chaining /
ICAP methods - If
you plan to use a 3rd party
proxy such as Websense or Bluecoat, then you can integrate with SWG and use Proxy
Chaining / ICAP to forward traffic. Once done, you can create user-based rules if
the 3rd party product authenticates and sends user names to SWG.
You have to select the appropriate authentication and traffic
forwarding option on the Locations interface. Only Hosted DB
authentication is supported.
Hosted DB
A user database hosted on SWG will be used for authentication and identification. You will need to provide additional details including group and department in the 'Add User' dialog. End users will have to provide the credentials when the browser asks for basic authentication.
Users are authenticated using Active Directory. To use this method, you need to download the SWG AD agent and install it in your AD server. After installation and configuration, AD users and groups will be automatically enrolled to SWG and be visible under 'User Management'.
- Select 'Active Directory Sync via Agent' under 'Authentication Method'
- Click 'Download'
- The agent setup file will be downloaded to your default location
- Next, click 'Save'
A unique AD sync agent authentication token will be generated.
- Copy this token and save it
- Next, transfer the setup file to any client machine which is included in the AD server, or to the AD server itself.
Install Comodo SWG AD agent
- Run the setup file and complete the AD connection details form:
The agent will be installed and the authentication screen will be displayed:
- User Token – Copy and paste the AD sync authentication token that you saved earlier
- Host Name / IP – Enter the host name or IP of the AD server
- Base DN – Enter the user base DN details, for example, DC=testing,DC=net
- Click 'Check LDAP Connection
You will see the following dialog after a successful connection:
- Click 'Save & Close'
AD users and groups will be automatically added to Comodo SWG after the first synchronization.
- Click 'User Management' and 'Users' / 'Groups' to view the enrolled users and group via AD.
The AD agent will initiate subsequent synchronizations every 3 hours automatically.
- Last Synchronization – Indicates the date and time of last synchronization with the LDAP server
- Total Number of Objects – The number of
users and groups enrolled to SWG via AD
Reset Synchronization
- Click 'Reset'
- Click 'OK'
- All the users / groups enrolled via AD will be removed from the 'User Management' list.
- SWG agent will initiate re-synchronization process and will complete in few minutes.
- Specific users / groups policies should be reapplied.
Authentication
Bypass
- Specify the domain, wildcard domain, IP address or network for which you want to skip authentication
- Enter the details and click the '+' button on the right to add the exception
- Click the trash can icon beside an entry to remove it
- Click 'Save' for your changes to take effect
Bypassed Categories
- Specify the category of applications that you want to exempt from authentication.
- Choose the application from the list and click the '+' button on the right to exempt a category.
- If the user is within the network then they will be automatically authenticated by the domain controller.
- If the user is outside the network then the browser will ask the user to authenticate themselves with their AD credentials. SWG will direct the credentials to the domain controller for authentication.
- Click the trash can icon beside an entry to remove it.
- Click 'Save' for your changes to take effect.