15.3.2.2. Procedure – Configuring PNS Authentication policies

1. 

   Figure 15.20. Creating Authentication policies

   Create an Authentication policy on the Policies tab of the Application-level Gateway MC component. Click on New, select Authentication policy from the Policy type combobox, and enter a name for the policy into the Policy textbox.

2. 

   Figure 15.21. Selecting the Authentication provider

   Select the Authentication provider combobox by clicking ... and selecting a provider.

3. 

   Figure 15.22. Selecting the type of the authentication

   Select the type of authentication to be used from the Class combobox. The following authentication types are available:

   • Inband authentication: Use the built-in authentication of the protocol to authenticate the client on PNS.

   • AAuthentication: (Also called Satyr authentication in previous versions). Outband authentication using the Authentication Agent. This method can authenticate any protocol. For agent authentication the following additional parameters have to be set:

     • Certificate: Select the certificate that PNS will show to the authentication agent running on the client. The certificate is required because the communication between the authentication agent and PNS is SSL-encrypted. The certificate has to be issued by a CA trusted by the authentication agent. The process of installing CA certificates for the authentication agent is described in Chapter 6, Installing the Authentication Agent (AA) in Proxedo Network Security Suite 1.0 Installation Guide.

     • Port: The port where PNS accepts connections from the authentication agents running on the clients.

     • Timeout: The period of time the client has to complete the authentication after an authentication request is sent by PNS.

   • Server authentication: Enable the client to connect to the target server, and extract its authentication information from the protocol.

4. 

   Figure 15.23. Configuring the authentication cache

   Configure the authentication cache using the Class combobox of the Authentication cache section. The following options are available:

   • None: Disable authentication caching. The client has to re-authenticate each time when starting a new service.

   • AuthCache: Store the results of the authentication for the period specified in the Timeout field, that is, after a successful authentication the client can use the service (and start new ones of the same type) for that period. for example, once authenticated for an HTTP service, the client can browse the web for Timeout period, but has to authenticate again to use FTP.

     If the Update timeout for each session checkbox is selected, timeout measuring is restarted each time the client starts service. Selecting the Consider all services equivalent checkbox means that PNS does not make difference between the different services (protocols) used by the client, after a successful authentication he can use all available services without having to re-authenticate himself. for example, if this option is enabled in the example above, the client does not have to re-authenticate for starting an FTP connection.