Web authentication

You can use Active Directory SSO or the captive portal to authenticate users. Users will then appear in logging and reporting and will be used as matching criteria in firewall rules and web policies.

Active Directory single sign-on (SSO) lets XG Firewall silently authenticate users who are already signed in to their endpoint devices, without any user interaction.

The captive portal is a web page that requires users behind the firewall to authenticate when attempting to access a website. You can also define the behavior and layout of the captive portal.

Captive portal URL: https://<IP address of XG Firewall>:8090

After authenticating with the captive portal, XG Firewall allows users to proceed to their requested destination or redirects them to a URL that you specify.

To view authenticated users, go to Current activities > Live users.

Authorize unauthenticated users for web access

How the settings you specify here take effect depends on the firewall rules and web policies that apply to unknown (unauthenticated) users and to authenticated users and user groups.

Firewall rule setting: Use web authentication for unknown users | Behavior
On | For unauthenticated web requests that match the firewall rule, the users are authenticated.
Off | Unauthenticated requests are allowed. If the requests are blocked due to the web policy, users are authenticated.

Reason for authentication | AD SSO configured | Behavior
Firewall rule applies. | Yes | When unauthenticated web requests are made, AD SSO attempts to silently authenticate users signed in to endpoint devices. If authentication fails, requests are redirected to the captive portal. Once the users are authenticated, the page is reloaded and the users’ web policy is re-evaluated.
A web policy specified for unknown users or groups applies and is set to Block. | Yes | Same behavior as the row above.
Firewall rule applies. | No | When unauthenticated web requests are made, the requests are redirected to the captive portal.
Web policy for unknown users or groups is set to Block. | No | When unauthenticated web requests are blocked, a block page is displayed. You can show the captive portal link on the block page.

XG Firewall supports two AD SSO mechanisms, NTLM and Kerberos. Kerberos is faster and more secure than NTLM, but has more prerequisites.

Option | Description
NTLM only | Includes only NTLM in authentication headers. Use this option if you have legacy clients that can’t handle Kerberos headers.
Kerberos & NTLM (default) | Includes both NTLM and Kerberos in authentication headers. Browsers choose which mechanism to use.

Note: If Active Directory is configured, you can turn on access to AD SSO from specific network zones, for example, LAN. Go to Administration > Device access and select the zones under Local service ACL.

Captive portal behavior

Specify the captive portal settings.

Show user portal link
Shows the user portal link on the captive portal page.
Show web page after sign-in
Redirects users after authentication to the page they’ve requested or a custom page.
Open web page

Option | Description
In new browser window | Opens the web page in a new browser window. The captive portal page remains open.
In captive portal window | Opens the web page in the current tab, replacing the captive portal page.

Web page

Option | Description
Originally requested by user | Opens the web page the users originally requested before they were redirected to the captive portal.
Custom | Specify a page to which the users are redirected. For example, open an internal home page after sign-in.

Sign out user

Option | Description
When captive portal page is closed or redirected | Signs out users when they close the captive portal tab or open another page in its tab.
When user is inactive | Signs out users who are inactive. Specify the minimum amount of data a user must transfer within a time frame to be considered active.
Never | Users aren’t signed out.

Use insecure HTTP instead of HTTPS
Allows users to access the captive portal through HTTP.
We recommend that you use HTTPS. Transmitting unencrypted passwords over a network poses a severe security risk.
XG Firewall comes with a preinstalled self-signed HTTPS certificate. To prevent browser certificate warnings, you can replace it with a certificate that you’ve generated (and distributed to ensure client trust) or purchased from a certificate authority.

To save changes, select Apply.

Captive portal appearance

You can customize the appearance and content of the captive portal. For example, you can specify your company logo and custom text. Select the Preview button at the bottom to see what the page will look like to users.

Option | Description
Default layout | Uses the default Sophos layout.
Custom HTML | Select to edit the HTML and CSS code. You can also use JavaScript. The code must contain the following element: <div id="__loginbox"></div>. The system renders the required user input elements inside that div element.
Default logo | Uses the Sophos logo.
Custom logo | Select to use your own logo. Upload an image or enter a link to your logo.
Sign-in page header HTML | Enter the text to be shown above the sign-in box. You can use HTML. Use Header and footer text color to customize the font color.
User prompt | You can change the default text.
Username field label | You can change the label of the username field.
Password field label | You can change the label of the password field.
Sign-in button label | You can change the label of the sign-in button.
Sign-out button label | You can change the label of the sign-out button.
User portal link label | You can change the name of the user portal link.
Sign-in page footer HTML | Enter the text to be shown below the sign-in box. You can use HTML. Use Header and footer text color to customize the font color.
Background color | You can change the background color of the full page.
Header and footer text color | You can change the font color of the header and the footer. It’s visible only if you’ve specified a header or footer.
Custom logo background color | You can change the background color of the box that contains the logo.
User prompt text color | You can change the font color of the user prompt.
User portal link text color | You can change the font color of the user portal link.
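The following is a minimal custom layout that satisfies the Custom HTML requirement described above. It is an added example, not code from the Sophos documentation or from the product: the company name, wording and styling are placeholders, and the only element the firewall actually needs is the div with id __loginbox, into which it renders the username and password fields and the buttons.

```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Network sign-in</title>
  <style>
    body { margin: 0; font-family: sans-serif; background: #f2f2f2; color: #333; }
    .wrapper { max-width: 420px; margin: 60px auto; padding: 24px; background: #fff; border-radius: 6px; }
    .header, .footer { text-align: center; font-size: 0.9em; }
    /* The sign-in box itself is rendered by XG Firewall; this rule only positions it. */
    #__loginbox { margin: 16px 0; }
  </style>
</head>
<body>
  <div class="wrapper">
    <div class="header">
      <!-- "Example Corp" is a placeholder name; replace with your own header text. -->
      <h1>Example Corp network access</h1>
      <p>Sign in with your domain account to continue.</p>
    </div>

    <!-- Required element: XG Firewall renders the username/password fields,
         the sign-in/sign-out buttons and the user portal link inside this div. -->
    <div id="__loginbox"></div>

    <div class="footer">
      <p>Use of this network is subject to the acceptable use policy.</p>
    </div>
  </div>
</body>
</html>
```

Keep the __loginbox div empty and unique on the page; the firewall supplies the input elements, so adding your own form fields inside it is unnecessary. Because this page collects credentials, host any images, stylesheets or scripts you add on infrastructure you control rather than loading them from third-party origins.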

To save the settings, select Apply.

To erase custom settings, select Reset to default.