15.3.2.2. Procedure – Configuring PNS Authentication policies

1. Create an Authentication policy on the Policies tab of the Application-level Gateway MC component. Click on New, select Authentication policy from the Policy type combobox, and enter a name for the policy into the Policy textbox.

   

   Figure 15.20. Creating Authentication policies

2. Select the Authentication provider combobox by clicking ... and selecting a provider.

   

   Figure 15.21. Selecting the Authentication provider

3. Select the type of authentication to be used from the Class combobox. The following authentication types are available:

   

   Figure 15.22. Selecting the type of the authentication

   • Inband authentication: Use the built-in authentication of the protocol to authenticate the client on PNS.

   • Authentication Agent: Outband authentication using the Authentication Agent. This method can authenticate any protocol. For agent authentication the following additional parameters have to be set:

     • Certificate: Select the certificate that PNS will show to the Authentication Agent running on the client. The certificate is required because the communication between the Authentication Agent and PNS is SSL-encrypted. The certificate has to be issued by a CA trusted by the Authentication Agent. The process of installing CA certificates for the Authentication Agent is described in Chapter 6, Installing the Authentication Agent (AA) in Proxedo Network Security Suite 2 Installation Guide.

     • Port: The port where PNS accepts connections from the Authentication Agents running on the clients.

     • Timeout: The period of time the client has to complete the authentication after an authentication request is sent by PNS.

   • Server authentication: Enable the client to connect to the target server, and extract its authentication information from the protocol.

4. Configure the authentication cache using the Class combobox of the Authentication cache section. The following options are available:

   

   Figure 15.23. Configuring the authentication cache

   • None: Disable authentication caching. The client has to reauthenticate each time when starting a new service.

   • AuthCache: Store the results of the authentication for the period specified in the Timeout field, that is, after a successful authentication the client can use the service (and start new ones of the same type) for that period. For example, once, being authenticated for an HTTP service, the client can browse the web for Timeout period, but has to authenticate again to use FTP.

     If the Update timeout for each session checkbox is selected, timeout measuring is restarted each time the client starts service. Selecting the Consider all services equivalent checkbox means that PNS does not differentiate between the different services (protocols) used by the client, after a successful authentication he can use all available services without having to reauthenticate himself. For instance, if this option is enabled in the example above, the client does not have to reauthenticate for starting an FTP connection.