About Web access authentication

Microsoft Forefront Threat Management Gateway Web access policy can provide anonymous Internet access or require that internal users authenticate for Web access.

Forefront TMG provides two means of authenticating users making outbound Web proxy requests:

  • Enable a global authentication requirement on a network, so that each Web proxy request must be authenticated.
  • Create access rules that require authentication.

When authentication is required by either of these means, user credentials are validated using the Web proxy authentication method that is configured for the network on which the request is received. The following occurs:

  • If authentication is required on the network and credentials are validated, rules are evaluated to find a rule matching the request. If credentials are denied or not presented, the request is denied and rules are not evaluated.
  • If authentication is required on a specific access rule and credentials are validated, the request is allowed or denied in accordance with the rule.

Requiring Web proxy authentication on a network

To indicate that all Web proxy requests on a specific network must be authenticated, you enable the Require all users to authenticate setting on the Web proxy properties of the network. This setting is only available for internal or perimeter networks. With this setting enabled, no anonymous access is allowed. User credentials are requested and validated before access rules are evaluated. Note the following limitations of this setting:

  • Client computers configured as SecureNAT clients (with a default gateway pointing to Forefront TMG) cannot present credentials and will be denied access when making a Web proxy request.
  • Selecting this setting may block Web proxy requests to sites such as Microsoft Update that do not support user authentication.

For instructions about configuring this setting, see Enabling a network to receive Web proxy requests.

Enabling authentication on access rules

A more granular method of controlling access is to require user authentication for access rules rather than on the network. You create access rules that allow or deny access only to specific users. For example, you can specify that a rule applies to all users who are able to authenticate successfully or to specific users or groups.
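The evaluation order described above (network-level credential check first, then rule-by-rule matching against the rule's user set) can be modelled as a small policy evaluator. This is an added, constructed example, not Forefront TMG code: the user list, rule objects and host names are stand-ins for directory validation and real access rules.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for credential validation against Active Directory.
VALID_USERS = {"alice", "bob"}

@dataclass
class Request:
    client: str            # "webproxy" (can answer a credential challenge) or "securenat"
    user: Optional[str]    # credentials presented; None means none were presented
    host: str              # destination host

@dataclass
class AccessRule:
    name: str
    action: str            # "allow" or "deny"
    users: str             # "all", "authenticated", or a specific user name
    hosts: List[str]       # destination hosts; "*" matches any host

def credentials_valid(req: Request) -> bool:
    # SecureNAT clients cannot present credentials at all, so they never validate.
    if req.client == "securenat":
        return False
    return req.user in VALID_USERS

def evaluate(req: Request, rules: List[AccessRule], require_all_users: bool) -> str:
    """Return 'allow ...' or 'deny ...' following the order the text describes."""
    valid = credentials_valid(req)
    # Network-level gate: credentials are checked before any rule is evaluated.
    if require_all_users and not valid:
        return "deny (network requires authentication; no valid credentials)"
    for rule in rules:                       # first matching rule decides
        if req.host not in rule.hosts and "*" not in rule.hosts:
            continue
        if rule.users == "authenticated" and not valid:
            continue                         # rule applies only to authenticated users
        if rule.users not in ("all", "authenticated") and (not valid or req.user != rule.users):
            continue                         # rule applies to one specific user
        return f"{rule.action} (rule '{rule.name}')"
    return "deny (no matching rule)"

# Constructed rule set: anonymous access to an update site, authenticated access elsewhere.
RULES = [
    AccessRule("updates", "allow", "all", ["update.example.com"]),
    AccessRule("web", "allow", "authenticated", ["*"]),
]
# Constructed requests: an update agent that sends no credentials, a SecureNAT client, a user.
UPDATE_AGENT = Request("webproxy", None, "update.example.com")
NAT_CLIENT = Request("securenat", None, "www.example.com")
ALICE = Request("webproxy", "alice", "www.example.com")
```

Running `evaluate(UPDATE_AGENT, RULES, True)` denies the update traffic at the network gate even though a rule allows it, while `evaluate(UPDATE_AGENT, RULES, False)` allows it, which is the difference between the two methods the text contrasts.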

Available authentication methods

The following methods are available to authenticate outbound Web proxy requests:

  • Basic. Requests using Basic authentication can be authenticated against Active Directory or a RADIUS server.
  • Digest/WDigest. Requests using Digest or WDigest authentication can be authenticated against Active Directory.
  • Integrated (NTLM). Requests using Integrated authentication can be authenticated against Active Directory.
  • Client certificate. This authentication method is not available to internal clients making Web requests. It is only used for routing Web requests over a secure connection to upstream proxies.

Authentication against an LDAP server or a SecurID server is not supported for outbound Web proxy requests.

For more information about each authentication method, see Overview of client authentication.