Authentication Users can be “filtered” on an appliance, which means you can allow web access only for those who are able to authenticate. Authentication is not implemented by default, but there are preconfigured authentication rule sets, which you can use. The types of authentication that you can implement include: Standard authentication — You can configure authentication for users who send requests for web access under a standard protocol, such as HTTP, HTTPS, or FTP. When the authentication rule set of the default rule set system is enabled, user information is by default retrieved from an internal user database. You can change this setting and configure a different method, such as NTLM, LDAP, Kerberos, and others. Instant messaging authentication — You can configure authentication for users who send requests for web access under XMPP, which is the protocol used for several instant messaging services such as Jabber, Google Talk, Facebook Chat, and others. You can also control administrator access to an appliance by setting up and maintaining administrator accounts and roles. Authenticating users Authenticating the users of your network ensures that they cannot access the web if they do not submit appropriate information about themselves. The authentication process looks up user information, for example, in an internal database or on a web server and blocks or allows access accordingly. Configure authentication You can implement authentication and adapt it to the needs of your network. Configure the Authentication module You can configure the Authentication module to modify the way user information is retrieved to authenticate users. Implement a different authentication method If you do not want to use the User Database authentication method of the default rule set, you can implement a different method, such as NTLM, LDAP, and others. Using system settings to configure authentication For some authentication methods, you need to configure settings that are not settings of the Authentication module, but of the appliance system. NTLM Agent authentication NTLM Agent authentication uses a separate software product, known as the NTLM Agent, for authenticating users on Web Gateway. LDAP digest authentication The LDAP digest authentication method, which is based on the LDAP authentication method, uses a shared secret known by both sides of the authentication process: a user requesting web access, using a browser on a client of Web Gateway, and Web Gateway. Retrieving user group lists from an Azure AD Lists of user groups can be retrieved from an Azure Active Directory (Azure AD) for authentication purposes when a web security policy is enforced for cloud users through McAfee Web Gateway Cloud Service. Best practices - Configuring authentication for deployment types When configuring authentication, you need to consider the type of deployment that is configured for handling the traffic between Web Gateway and its clients, such as the explicit proxy mode or a transparent mode. For each type, there is a rule set in the rule set library that is best suited to handle authentication. Best practices - Configuring LDAP authentication LDAP authentication is one of the methods that can be configured on Web Gateway for authenticating users. Instant messaging authentication Instant messaging authentication ensures that users of your network cannot access the web through an instant messaging service if they are not authenticated. The authentication process looks up user information and asks unauthenticated users to authenticate. One-time passwords One-time passwords (OTPs) can be processed on Web Gateway to authenticate users. This includes the use of passwords for authorized overriding when a web session has terminated due to quota expiration. Client Certificate authentication Submitting a client certificate can be configured as a method of accessing the user interface of the appliance. This method is known as Client Certificate authentication or X.509 authentication. Administrator accounts Administrator accounts can be set up and managed on the appliance or on an external server. Roles can be created with different access privileges for administrators.