15.3.2.2. Procedure – Configuring Zorp Authentication policies

  1. Create an Authentication policy on the Policies tab of the Zorp ZMC component. Click on New, select Authentication policy from the Policy type combobox, and enter a name for the policy into the Policy textbox.

    Figure 15.21. Creating Authentication policies

  2. Select the Authentication provider by clicking the ... button next to the Authentication provider combobox and selecting a provider.

    Figure 15.22. Selecting the Authentication provider

  3. Select the type of authentication to be used from the Class combobox. The following authentication types are available:

    Figure 15.23. Selecting the type of the authentication

    • Inband authentication: Use the built-in authentication of the protocol to authenticate the client on Zorp.

    • ZAAuthentication: (Also called Satyr authentication in previous versions). Outband authentication using the Zorp Authentication Agent. This method can authenticate any protocol. For agent authentication the following additional parameters have to be set:

      • Certificate: Select the certificate that Zorp will show to the authentication agent running on the client. The certificate is required because the communication between the authentication agent and Zorp is SSL-encrypted. The certificate has to be issued by a CA trusted by the authentication agent. The process of installing CA certificates for the authentication agent is described in Chapter 6, Installing the Zorp Authentication Agent (ZAA) in Zorp Professional 7 Installation Guide.

      • Port: The port where Zorp accepts connections from the authentication agents running on the clients.

      • Timeout: The period of time the client has to complete the authentication after an authentication request is sent by Zorp.

    • Server authentication: Enable the client to connect to the target server, and extract its authentication information from the protocol.

  4. Configure the authentication cache using the Class combobox of the Authentication cache section. The following options are available:

    Figure 15.24. Configuring the authentication cache

    • None: Disable authentication caching. The client has to reauthenticate each time it starts a new service.

    • AuthCache: Store the result of the authentication for the period specified in the Timeout field, that is, after a successful authentication the client can use the service (and start new sessions of the same type) for that period. For example, once authenticated for an HTTP service, the client can browse the web for the Timeout period, but has to authenticate again to use FTP.

      If the Update timeout for each session checkbox is selected, the timeout counter is restarted each time the client starts a service. Selecting the Consider all services equivalent checkbox means that Zorp does not differentiate between the different services (protocols) used by the client: after a successful authentication the client can use all available services without having to reauthenticate. For instance, if this option is enabled in the example above, the client does not have to reauthenticate to start an FTP connection.
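      The following Python model, added here as an illustration and not part of Zorp or its configuration language, shows how the three AuthCache settings (Timeout, Update timeout for each session, Consider all services equivalent) change the HTTP/FTP example above; the class and function names, the 600-second timeout and the client "alice" are constructed for the example.

```python
import time


class FakeClock:
    """Constructed clock so the timeout behaviour can be stepped deterministically."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


class AuthCacheModel:
    """Models the AuthCache semantics described above (assumed behaviour, not Zorp's code)."""
    def __init__(self, timeout, update_timeout=False, all_services_equivalent=False, clock=time.time):
        self.timeout = timeout                          # Timeout field, in seconds
        self.update_timeout = update_timeout            # "Update timeout for each session"
        self.all_services_equivalent = all_services_equivalent  # "Consider all services equivalent"
        self.clock = clock
        self._entries = {}  # (client, service) -> time of last authentication or refresh

    def _key(self, client, service):
        # With services considered equivalent, one entry covers every protocol of the client.
        return (client, None if self.all_services_equivalent else service)

    def record_auth(self, client, service):
        """Call after the client authenticated successfully for a service."""
        self._entries[self._key(client, service)] = self.clock()

    def needs_reauth(self, client, service):
        """True if the client must authenticate again before starting this service."""
        key = self._key(client, service)
        stamp = self._entries.get(key)
        now = self.clock()
        if stamp is None or now - stamp > self.timeout:
            self._entries.pop(key, None)                # expired or never cached
            return True
        if self.update_timeout:
            self._entries[key] = now                    # restart the timeout counter
        return False


def scenario(update_timeout, all_services_equivalent):
    """Alice authenticates for HTTP, starts HTTP and FTP at t=300s, then HTTP again at t=700s."""
    clock = FakeClock()
    cache = AuthCacheModel(600, update_timeout, all_services_equivalent, clock)
    cache.record_auth("alice", "http")
    clock.advance(300)
    http_again = cache.needs_reauth("alice", "http")
    ftp = cache.needs_reauth("alice", "ftp")
    clock.advance(400)
    http_late = cache.needs_reauth("alice", "http")
    return http_again, ftp, http_late
```

      With both checkboxes cleared the result is (False, True, True): HTTP is still cached at 300 s, FTP needs a fresh login, and HTTP expires at 700 s; enabling Update timeout keeps HTTP alive, and enabling Consider all services equivalent lets FTP reuse the HTTP authentication.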