Companies that have Active Directories or Okta integrated with TMWS can make use of transparent authentication to confirm that HTTP requests through administrator-configured Internet gateways are initiated by Active Directory users.
Note
Even if transparent authentication is selected here, the TMWS logon screen and the third-party authentication screen may still appear when users access websites.
These screens are suppressed only when full transparent authentication is enabled, and full transparent authentication can be enabled only when Direct, AD FS, or Agent is selected as the authentication method.
TMWS performs transparent authentication through the NTLM protocol.
Transparent Authentication Requirements:
To enable transparent authentication, the following requirements must be satisfied:
Requirement
Details
Administrators must enable AD FS, Direct, Agent, Azure AD, Okta, or Google authentication.
  1. Enable Active Directory authentication in Administration > USERS & AUTHENTICATION > Directory Services.
  2. Select AD FS, Direct, Agent, Azure AD, Okta, or Google as the authentication method, and configure all necessary settings. For more information, see Directory Services.
Administrators must enable transparent authentication for each Internet gateway.
  1. Configure Internet gateways in Gateways.
  2. On the Authentication tab, select Transparent authentication.
  3. (Optional) Configure options for the guest user account to:
    • Allow users without an Active Directory account (such as partners and contractors) to log on using the guest user account.
    • Automatically log on users using the guest user account if transparent authentication is unsuccessful.
  4. (Optional) Select the option to allow traffic through port 8081.
Users must initiate HTTP requests from supported desktop browsers.
Supported desktop browsers:
  • Google Chrome 55 or later
  • Mozilla Firefox 50.0.1 or later
  • Microsoft Edge 83 or later
Mobile browsers and non-browser HTTP requests are not supported.
To enable full transparent authentication, perform the following in addition to the requirements above:
  • Select Direct, AD FS, or Agent as the authentication method.
  • Specify the default authentication domain.
  • Add the client computer to the AD server domain.
  • Change the authentication method to Windows Authentication on the AD server.
    Note
    This requirement applies only when AD FS is selected as the authentication method.
    • If the AD server runs on Windows Server 2012, perform the following steps to change the authentication method:
      1. Log on to the Windows server.
      2. Go to Start > All Programs > Administrative Tools to open the AD FS management console.
      3. On the AD FS screen, click Authentication Policies from the left navigation.
      4. On the Authentication Policies screen, click Edit in the Global Settings section under Primary Authentication.
      5. On the Edit Global Authentication Policy screen, select Windows Authentication under Intranet and click OK.
    • If the AD server runs on Windows Server 2016, Windows Server 2019, or Windows Server 2022, perform the following steps to change the authentication method:
      1. Log on to the Windows server.
      2. Go to Start > All Programs > Administrative Tools to open the AD FS management console.
      3. Select AD FS > Service > Authentication Methods in the left navigation and click Edit Primary Authentication Methods... under the Actions area on the right.
      4. On the Primary tab, ensure that Windows Authentication is enabled under Intranet and then click OK.
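    The console steps above can also be checked and applied from PowerShell on the AD FS server. The following is an added example, not part of the TMWS documentation or Trend Micro's tooling; it uses the AD FS module cmdlets Get-AdfsGlobalAuthenticationPolicy, Set-AdfsGlobalAuthenticationPolicy and Get/Set-AdfsProperties, and assumes an elevated session on the AD FS server. The "Mozilla/5.0" user-agent prefix is an assumption chosen to cover Chrome, Edge, and Firefox; adjust it to your environment.

```powershell
# Added example (not from the TMWS documentation): verify and, if needed, enable
# Windows Authentication as the intranet primary authentication method on AD FS,
# which is what the management-console steps above do through the GUI.
# Run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

# Current primary authentication providers, split by intranet / extranet.
$policy = Get-AdfsGlobalAuthenticationPolicy
"Intranet primary providers: $($policy.PrimaryIntranetAuthenticationProvider -join ', ')"

if ($policy.PrimaryIntranetAuthenticationProvider -notcontains 'WindowsAuthentication') {
    # Keep Forms Authentication as a fallback so clients that cannot do
    # integrated Windows authentication can still sign in.
    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication', 'FormsAuthentication')
    "Windows Authentication enabled for the intranet."
}

# AD FS offers Windows Authentication only to browsers whose User-Agent matches an
# entry in WIASupportedUserAgents. Chrome and Firefox are not matched by default on
# many installations, which is a common reason the logon page still appears.
$agents = (Get-AdfsProperties).WIASupportedUserAgents
"WIA-supported user agents:`n  $($agents -join "`n  ")"
if ($agents -notcontains 'Mozilla/5.0') {
    # Assumption: a "Mozilla/5.0" prefix match is acceptable in this environment.
    Set-AdfsProperties -WIASupportedUserAgents ($agents + 'Mozilla/5.0')
    # The AD FS service must be restarted for the new user-agent list to take effect.
    Restart-Service adfssrv
}
```

    Run the block once after the console change (or instead of it) and keep the printed provider and user-agent lists as a record; if Windows Authentication is listed for the intranet but browsers still get the forms page, the user-agent list is the first thing to compare.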
  • Perform the following steps based on the browser that you are using.
    Note
    This requirement applies only when AD FS is selected as the authentication method.
    • If you are using Microsoft Internet Explorer, Microsoft Edge, or Google Chrome, add the AD FS server address to your Intranet zone.
    • If you are using Mozilla Firefox, perform the following steps:
      1. Open Firefox, type about:config in the address bar, and then click I accept the risk!.
      2. Type network.automatic in the search box and double-click network.automatic-ntlm-auth.trusted-uris.
      3. Type http://www.replacewithyoursite.com or http://your-intranet-server-name and click OK.
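    Both browser-side settings above can be applied for the current user from PowerShell instead of through the browser UI. The following is an added example, not code from the TMWS documentation; it assumes the AD FS host name "adfs.example.com", that Chromium-based browsers on Windows use the Internet Explorer zone map for integrated authentication (which Edge and Chrome do by default), and that Firefox reads a user.js file from the first profile directory found. Firefox must be closed when user.js is written.

```powershell
# Added example (not from the TMWS documentation): apply the browser settings
# described above for the current user. The AD FS host name is an assumption.
$adfsHost = 'adfs.example.com'

# --- Internet Explorer / Edge / Chrome: put the AD FS address in the Local intranet zone.
# Chromium browsers on Windows consult the same ZoneMap to decide where integrated
# Windows authentication may be used. Zone value 1 = Local intranet.
$zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$adfsHost"
New-Item -Path $zoneKey -Force | Out-Null
New-ItemProperty -Path $zoneKey -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $zoneKey -Name 'http'  -Value 1 -PropertyType DWord -Force | Out-Null

# --- Firefox: set network.automatic-ntlm-auth.trusted-uris without the about:config UI.
# Preferences in user.js are applied at startup. Selecting the first profile is an assumption.
$ffProfile = Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles" -Directory -ErrorAction SilentlyContinue |
             Select-Object -First 1
if ($ffProfile) {
    $line = "user_pref(`"network.automatic-ntlm-auth.trusted-uris`", `"https://$adfsHost`");"
    Add-Content -Path (Join-Path $ffProfile.FullName 'user.js') -Value $line
    "Firefox trusted URI written to $($ffProfile.FullName)\user.js"
} else {
    "No Firefox profile found; skipping the Firefox setting."
}

# --- Verify the zone entry that was just written.
Get-ItemProperty -Path $zoneKey | Select-Object http, https
```

    Listing only the AD FS host in trusted-uris (rather than a whole domain suffix) keeps the set of sites that receive the user's NTLM credentials as small as possible.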
Additional Information:
  • If the user logs on to the host computer using a valid Active Directory account:
    • Authentication of HTTP requests sent by a known user (a user who sends requests from an administrator-configured Internet gateway) follows the AD authentication method settings in Directory Services.
    • Authentication of HTTP requests sent by a roaming user (a user who sends requests from an unrecognized gateway) requires the user's Active Directory user name.
  • If the user logs on to the host computer using another account or from an unrecognized gateway, authentication of HTTP requests requires the user's Active Directory or guest user logon credentials.
  • If authentication was successful, TMWS handles the HTTP request and also issues a cookie to skip the authentication process in future requests.
  • TMWS can also perform transparent authentication on HTTPS requests. The authentication process depends on whether HTTPS decryption is enabled or disabled in Policies > Global Settings > HTTPS Inspection.
  • If authentication was unsuccessful, TMWS handles the HTTP request immediately. If automatic logon using the guest user account is enabled or the guest user account was used, TMWS allows the user to log on as a guest.