10.1 Firewall User Authentication
139
Redirection to the authentication page
If the Always require users to be authenticated when accessing web pages option is en-
abled, user authentication will be required for access to any website (unless the user is
alreadyauthenticated). Themethod of the authentication request depends on the method
used by the particular browser to connect to the Internet:
•Direct access — the browser will be automatically redirected to the authentication
page of the WinRoute’s web interface (see chapter 11.2) and, if the authentication
is successful, to the solicited web page.
•WinRouteproxy server — the browser displays the authentication dialog and then,
if the authentication is successful, it opens the solicited web page.
If the Always require users to be authenticated when accessing web pages option is dis-
abled, user authentication will be required only for Web pages which are not available
(are denied by URL rules) to unauthenticated users (refer to chapter 12.2).
Note: User authentication is used both for accessing a Web page (or/and other services)
and for monitoring of activities of individual users (the Internet is not anonymous).
Force non-transparent proxy server authentication
Under usual circumstances, a user connected to the firewall from a particular computer
is considered as authenticated by the IP address of the host until the moment when they
log out manually or are logged out automatically for inactivity. However, if the client
station allows multiple users connected to the computer at a moment (e.g. Microsoft Ter-
minal Services,Citrix Presentation Server orFast user switching on Windows XP,Windows
Server 2003,Windows Vista and Windows Server 2008), the firewall requires authentica-
tion only from the user who starts to work on the host as the first. The other users will
be authenticated as this user.
In case of HTTP and HTTPS, this technical obstruction can be passed by. In web browsers
of all clients of the multi-user system, set connection to the Internet via the WinRoute’s
proxy server (for details, see chapter 8.4), and enable the Enable non-transparent proxy
server option in WinRoute. The proxy server will require authentication for each new
session of the particular browser.5.
Forcing user authentication on the proxy server for initiation of each session may bother
users working on “single-user” hosts. Therefore, it is desirable to force such authentica-
tion only for hosts used by multiple users. For this purpose, you can use the Apply only
for these IP addresses option.
Automatic authentication (NTLM)
If the Enable user authentication automatically... option is checked and Internet Explorer
(version5.01 or later) or Firefox/SeaMonkey (core version 1.3 or later) is used, itis possible
to authenticate the user automatically using the NTLM method.
This means that the browser does not require username and password and simply uses
the identity of the first user connected to Windows. However, the NTLM method is not
Sessionis every single period during which a browser is running. Forexample, in case of Internet Explorer,Firefox and
5
Opera,a session is terminated whenever all windows and tabs of the browser are closed, while in case of SeaMonkey,
asession is not closed unlessthe Quick Launch program is stopped (an icon is displayed in the toolbar’s notification
areawhen the program is running).