Web authentication
You can use Active Directory SSO or the captive portal to authenticate users. Users will then appear in logging and reporting and will be used as matching criteria in firewall rules and web policies.
Active Directory single sign-on (SSO) attempts to silently authenticate users who are signed in to endpoint devices, so that they are authenticated with XG Firewall without any user interaction.
The captive portal is a web page that requires users behind the firewall to authenticate when attempting to access a website. You can also define the behavior and layout of the captive portal.
Captive portal URL: https://<IP address of XG Firewall>:8090
After authenticating with the captive portal, XG Firewall allows users to proceed to their requested destination or redirects them to a URL that you specify.
To view authenticated users, go to

Authorize unauthenticated users for web access
The settings that you specify here are implemented based on the firewall rules and the web policies for unknown users and authenticated users and user groups.
| Firewall rule setting: Use web authentication for unknown users | Behavior |
|---|---|
| On | For unauthenticated web requests that match the firewall rule, the users will be authenticated. |
| Off | Unauthenticated requests are allowed. If the requests are blocked due to the web policy, users will be authenticated. |
| Reason for authentication | AD SSO configured | Behavior |
|---|---|---|
| Firewall rule applies, or a web policy specified for unknown users or groups applies and is set to Block. | Yes | When unauthenticated web requests are made, AD SSO attempts to silently authenticate users signed in to endpoint devices. If authentication fails, requests are redirected to the captive portal. Once the users are authenticated, the page is reloaded and the users' web policy is re-evaluated. |
| Firewall rule applies. | No | When unauthenticated web requests are made, the requests are redirected to the captive portal. |
| Web policy for unknown users or groups is set to Block. | No | When unauthenticated web requests are blocked, a block page is displayed. You can show the captive portal link on the block page. |
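The two tables above combine into one decision for each unauthenticated request. The following Python model is an added illustration, not Sophos code: it takes the firewall rule setting, whether the web policy for unknown users blocks, whether AD SSO is configured and whether the silent SSO attempt succeeded, and returns the ordered steps the tables describe.

```python
from enum import Enum

# Added illustration of the decision tables above; not Sophos code.
# It encodes the documented behaviour, not the firewall's internals.


class Step(Enum):
    USER_POLICY = "apply the signed-in user's web policy"
    ALLOW_UNKNOWN = "allow the request as an unknown user"
    AD_SSO = "attempt silent AD SSO against the endpoint"
    CAPTIVE_PORTAL = "redirect to the captive portal"
    RELOAD_REEVALUATE = "reload the page and re-evaluate the web policy"
    BLOCK_PAGE = "show the block page (captive portal link optional)"


def web_auth_flow(authenticated, rule_web_auth_on, policy_blocks_unknown,
                  ad_sso_configured, sso_succeeds=False):
    """Return the steps taken for one web request that matches the rule."""
    if authenticated:
        return [Step.USER_POLICY]
    # First table: is authentication required at all, and for which reason?
    if rule_web_auth_on:
        reason = "rule"            # "Use web authentication" is On
    elif policy_blocks_unknown:
        reason = "policy"          # Off, but the unknown-user policy blocks
    else:
        return [Step.ALLOW_UNKNOWN]
    # Second table: how authentication happens depends on AD SSO and reason.
    if ad_sso_configured:
        steps = [Step.AD_SSO]
        if not sso_succeeds:       # silent SSO failed: fall back to portal
            steps.append(Step.CAPTIVE_PORTAL)
        steps.append(Step.RELOAD_REEVALUATE)
        return steps
    if reason == "rule":
        return [Step.CAPTIVE_PORTAL]
    return [Step.BLOCK_PAGE]       # policy block without SSO: block page


if __name__ == "__main__":
    for args in [(False, True, False, True, True), (False, False, True, False)]:
        print(args, [s.value for s in web_auth_flow(*args)])
```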
XG Firewall supports two AD SSO mechanisms, NTLM and Kerberos. Kerberos is faster and more secure than NTLM, but has more prerequisites.
| Option | Description |
|---|---|
| NTLM only | Includes only NTLM in authentication headers. Use this option if you have legacy clients that can't handle Kerberos headers. |
| Kerberos & NTLM | Default. Includes both NTLM and Kerberos in authentication headers. Browsers choose which mechanism to use. |
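To check which of these two modes a client is actually being offered, you can inspect the challenge headers of the firewall's authentication response. The script below is an added example, not Sophos code, and assumes the usual HTTP encoding: Kerberos is offered as the `Negotiate` (SPNEGO) scheme and NTLM as `NTLM`, in `WWW-Authenticate` or `Proxy-Authenticate` headers of a 401/407 response; the sample responses are constructed, not captured from XG Firewall.

```python
import re

# Added example, not Sophos code. The responses below are constructed;
# the exact header layout XG Firewall emits is an assumption.
SAMPLE_BOTH = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_NTLM_ONLY = "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: NTLM\r\n\r\n"
SAMPLE_COMMA = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
                "Proxy-Authenticate: NTLM, Negotiate\r\n\r\n")

# A scheme token sits at the start of the header value or after a comma and is
# followed by whitespace, a comma or the end; "realm=..." parameters and
# base64 token68 data never match, so Basic/Digest challenges parse safely.
SCHEME_RE = re.compile(r"(?:^|,)\s*([A-Za-z0-9._~+/-]+)(?=[\s,]|$)")


def challenge_schemes(raw_response: str) -> set:
    """Collect the auth schemes offered in every WWW-/Proxy-Authenticate header."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = set()
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in ("www-authenticate",
                                                   "proxy-authenticate"):
            continue
        for match in SCHEME_RE.finditer(value.strip()):
            schemes.add(match.group(1).lower())
    return schemes


def sso_mode(raw_response: str) -> str:
    """Map the offered schemes onto the AD SSO options described above."""
    offered = challenge_schemes(raw_response)
    if "negotiate" in offered and "ntlm" in offered:
        return "Kerberos & NTLM"
    if offered == {"ntlm"}:
        return "NTLM only"
    if "negotiate" in offered:
        return "Negotiate only"
    return "no SSO challenge"


if __name__ == "__main__":
    for sample in (SAMPLE_BOTH, SAMPLE_NTLM_ONLY, SAMPLE_COMMA):
        print(sorted(challenge_schemes(sample)), "->", sso_mode(sample))
```

Note that a `Negotiate` challenge can still end in NTLM inside SPNEGO when the client cannot obtain a Kerberos ticket, so seeing `Negotiate` confirms what is offered, not which mechanism was finally used.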
Captive portal behavior
Specify the captive portal settings.
- Show user portal link: Shows the user portal link on the captive portal page.
- Show web page after sign-in: Redirects users after authentication to the page they've requested or a custom page.
- Open web page:

  | Option | Description |
  |---|---|
  | In new browser window | Opens the web page in a new browser window. The captive portal page remains open. |
  | In captive portal window | Opens the web page in the current tab, replacing the captive portal page. |

- Web page:

  | Option | Description |
  |---|---|
  | Originally requested by user | Opens the web page originally requested by the users before they were redirected to the captive portal. |
  | Custom | Specify a page to which the users are redirected. For example, open an internal home page after the sign-in. |

- Sign out user:

  | Option | Description |
  |---|---|
  | When captive portal page is closed or redirected | Signs out users when they close the captive portal tab or open another page in its tab. |
  | When user is inactive | Specify the amount of data transfer within a time frame for a user to be considered active. |
  | Never | Users aren't signed out. |

- Use insecure HTTP instead of HTTPS: Allows users to access the captive portal through HTTP.
To save changes, select Apply.
Captive portal appearance
You can customize the appearance and content of the captive portal. For example, you can specify your company logo and custom text. Select the Preview button at the bottom to see what the page will look like to users.
| Option | Description |
|---|---|
| Default layout | Uses the default Sophos layout. |
| Custom HTML | Select to edit the HTML and CSS code. You can also use JavaScript. The code must contain the following element: |
| Default logo | Uses the Sophos logo. |
| Custom logo | Select to use your own logo. Upload an image or enter a link to your logo. |
| Sign-in page header HTML | Enter the text to be shown above the sign-in box. You can use HTML. Use Header and footer text color to customize the font color. |
| User prompt | You can change the default text. |
| Username field label | You can change the label of the username field. |
| Password field label | You can change the label of the password field. |
| Sign-in button label | You can change the label of the sign-in button. |
| Sign-out button label | You can change the label of the sign-out button. |
| User portal link label | You can change the name of the user portal link. |
| Sign-in page footer HTML | Enter the text to be shown below the sign-in box. You can use HTML. Use Header and footer text color to customize the font color. |
| Background color | You can change the background color of the full page. |
| Header and footer text color | You can change the font color of the header and the footer. It will be visible only if you've specified a header or footer. |
| Custom logo background color | You can change the background color of the box that contains the logo. |
| User prompt text color | You can change the font color of the user prompt. |
| User portal link text color | You can change the font color of the user portal link. |
To save the settings, select Apply.
To erase custom settings, select Reset to default.