Configure User Authentication Settings
- Click ‘Administration’ > ‘Authentication Configuration’ > ‘Authentication Settings’ to open this interface.
- You have to choose a user authentication method if you want to apply policies to specific users. You do not need to do this if you only plan to apply policy to networks/devices.
- There are two methods available – ‘Hosted DB’ and ‘Active Directory’. You can select only one authentication method per account.
- After connecting your networks and adding them to ‘Locations’, the default security and URL filtering polices are applied to endpoints (unless custom policies exist).
- You must first have added users before you can apply custom polices to them. You can add users in ‘Administration’ > ‘Authentication Configuration’ > ‘User Management’. See next step ‘Add Users‘.
- Comodo SWG supports ‘Active Directory’ and ‘Hosted Database’ authentication. You can only use one of these types.
- You can combine auth types with traffic forwarding types
- Comodo recommends the following types of combinations:
|S.No||Auth Type||Traffic Forwarding Types|
|1||Hosted DB||SWG Agent, ICAP and Proxy Chain.|
|2||Active Directory||SWG Agent.|
|Note: You can only create network location rules for ‘Direct Proxy’ and ‘PAC’ traffic forwarding. You cannot .create user based rules for these forwarding types.|
Authentication methods for user-based rules explained:
- Traffic forwarding via SWG Agent – The SWG agent authenticates users via Windows authentication on the device. There is no need to select any authentication and traffic forwarding option on the Locations interface. Hosted DB and Active Directory authentication methods are supported.
- Traffic forwarding via Direct Proxy or PAC – User-based rules are not supported for these forwarding types, so no authentication is required. No need to select any authentication and traffic forwarding option on the Locations interface.
- Traffic forwarding via Proxy Chaining / ICAP methods – If you plan to use a 3rd party proxy such as Websense or Bluecoat, then you can integrate with SWG and use Proxy Chaining/ ICAP to forward traffic. Once done, you can create user-based rules if the 3rd party product authenticates and sends user names to SWG. You have to select the appropriate authentication and traffic forwarding option on the Locations interface. Only Hosted DB authentication is supported.
A user database hosted on Comodo SWG is used for authentication and identification. You will need to provide additional details including group and department in the ‘Add User’ dialog. See step ‘Add Users‘.
Users are authenticated using Active Directory. To use this method, you need to download the SWG AD agent and install it in your AD server. After installation and configuration, AD users and groups will be automatically enrolled to Comodo SWG and be visible under ‘User Management’.
- Select ‘Active Directory Sync via Agent’ under ‘Authentication Method’
- Click ‘Download’
- The agent setup file will be downloaded to your default location
- Next, click ‘Save’
A unique AD sync agent authentication token will be generated.
- Copy this token and save it
- Next, transfer the setup file to any client machine which is included in the AD server, or to the AD server itself.
Install SWG AD agent
- Run the setup file and complete the AD connection details form:
- User Token – Copy and paste the AD sync authentication token that you saved earlier
- Host Name / IP – Enter the host name or IP of the AD server
- Base DN – Enter the user base DN details, for example, DC=testing,DC=net
- Click ‘Check LDAP Connection
You will see the following dialog after a successful connection:
- Click ‘Save & Close’
AD users and groups will be automatically added to Comodo SWG after the first synchronization.
- Click ‘User Management’ and ‘Users’ / ‘Groups’ to view the enrolled users and group via AD.
The AD agent will initiate subsequent synchronizations every 3 hours automatically.
- Last Synchronization – Date and time that Comodo SWG most recently synchronized with the LDAP server
- Total Number of Objects – The number of users and groups enrolled to Comodo SWG via AD
- Click ‘Reset’
- Click ‘OK’
- All the users / groups enrolled via AD will be removed from the ‘User Management’ list.
- SWG agent will initiate re-synchronization process and will complete in few minutes.
- Specific users / groups policies should be reapplied.
- Specify the domain, wildcard domain, IP address or network for which you want to skip authentication
- Enter the details and click the ‘+’ button on the right to add the exception
- Click the trash can icon beside an entry to remove it
- Click ‘Save’ for your changes to take effect
- Specify the category of applications that you want to exempt from authentication.
- Choose the application from the list and click the ‘+’ button on the right to exempt a category.
- If the user is within the network then they will be automatically authenticated by the domain controller.
- If the user is outside the network then the browser will ask the user to authenticate themselves with their AD credentials. Comodo SWG will direct the credentials to the domain controller for authentication.
- Click the trash can icon beside an entry to remove it.
- Click ‘Save’ for your changes to take effect.