8.1 Firewall User Authentication
Redirection to the authentication page
If the Always require users to be authenticated when accessing web pages option is enabled, user authentication will be required for access to any website (unless the user is already authenticated). The method of the authentication request depends on the method used by the particular browser to connect to the Internet:
• Direct access — the browser will be automatically redirected to the authentication page of WinRoute’s web interface (see chapter 9.2) and, if the authentication is successful, to the solicited web page.
• WinRoute proxy server — the browser displays the authentication dialog and then, if the authentication is successful, it opens the solicited web page.
If the Always require users to be authenticated when accessing web pages option is disabled, user authentication will be required only for web pages which are not available to unauthenticated users, that is, pages denied to them by URL rules (refer to chapter 10.2).
Note: User authentication is used both for accessing a web page (and/or other services) and for monitoring the activities of individual users (the Internet is not anonymous).
Enable non-transparent proxy server authentication
Under usual circumstances, a user connected to the firewall from a particular computer is considered authenticated by the IP address of the host until they log out manually or are logged out automatically for inactivity. However, if the client station allows multiple users to be connected to the computer at the same time (e.g. Microsoft Terminal Services, Citrix Presentation Server or Fast user switching on Windows XP), the firewall requires authentication only from the user who starts working on the host first. The other users will be authenticated as this user.
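The attribution problem described above, as an added example that is not part of the WinRoute documentation or product code: a simplified model of a login table keyed by source IP, compared with one keyed by IP and browser session. The class, timeout value, address, session labels and user names are constructed, and the per-session keying is an assumption used only to show the contrast.

```python
"""Simplified model (not WinRoute code): why IP-keyed logins misattribute
traffic from a multi-user host. All names and values are constructed."""

INACTIVITY_TIMEOUT = 600  # seconds; assumed value for illustration


class LoginTable:
    """Maps a key (source IP, or IP plus browser session) to a logged-in user."""

    def __init__(self, per_session=False):
        self.per_session = per_session
        self.entries = {}  # key -> (username, time of last activity)

    def _key(self, ip, session):
        return (ip, session) if self.per_session else ip

    def login(self, ip, session, user, now):
        self.entries[self._key(ip, session)] = (user, now)

    def attribute(self, ip, session, now):
        """Return the user a request is logged against, or None if the
        client has to authenticate first."""
        key = self._key(ip, session)
        entry = self.entries.get(key)
        if entry is None:
            return None
        user, last = entry
        if now - last > INACTIVITY_TIMEOUT:
            del self.entries[key]  # automatic logout for inactivity
            return None
        self.entries[key] = (user, now)  # any request refreshes the timer
        return user


def replay(table):
    """Two users share one terminal server address; only alice logs in."""
    ts = "192.0.2.10"  # constructed terminal server address
    table.login(ts, "alice-browser", "alice", now=0)
    return [
        table.attribute(ts, "alice-browser", now=10),
        table.attribute(ts, "bob-browser", now=500),   # bob never logged in
        table.attribute(ts, "alice-browser", now=700),  # alice idle for 690 s
    ]
```

In this model, `replay(LoginTable())` attributes all three requests to alice, and the second user's traffic also keeps her login from timing out; with `per_session=True` the second user is asked to authenticate and alice's idle session expires.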
In case of HTTP and HTTPS, this technical obstruction can be bypassed. In web browsers of all clients of the
Automatic authentication (NTLM)
If the Enable user authentication automatically.. option is checked and Microsoft Internet Explorer (version 5.01 or later) or Firefox/Netscape/Mozilla/SeaMonkey (core version 1.3 or later) is used, it is possible to authenticate the user automatically using the NTLM method.
This means that the browser does not require username and password and simply uses the identity of the first user connected to Windows. However, the NTLM
3 Session is every single period during which a browser is running. For example, in case of Internet Explorer, Firefox and Opera, a session is terminated whenever all windows and tabs of the browser are closed, while in case of Netscape/Mozilla/SeaMonkey, a session is not closed unless the Quick Launch program is stopped (an icon is displayed in the toolbar’s notification area when the program is running).