Selecting Identity Sources

Identity sources have different security and deployment considerations. Depending on your organization's requirements, you can set them up separately, or in combinations that supplement each other.

This section presents some examples of how to choose identity sources for different organizational requirements.

| Requirement | Recommended Identity Source |
|---|---|
| Logging and auditing with basic enforcement | AD Query. |
| Logging and auditing only | AD Query. |
| Application Control | AD Query and Browser-Based Authentication.<br>The AD Query finds all AD users and computers.<br>The Browser-Based Authentication identity source is necessary to include all non-Windows users. It also serves as a fallback option, if AD Query cannot identify a user.<br>If you configure Transparent Kerberos Authentication, then the browser attempts to authenticate users transparently by getting identity information before the Captive Portal username/password page is shown to the user. |
| Data Center, or internal server protection | The options are:<br>• AD Query and Browser-Based Authentication - When most users are desktop users (not remote users) and easy deployment is important.<br>Note - You can add Endpoint Identity Agents if you have mobile users and have users that are not identified by AD Query. Users that are not identified encounter redirects to the Captive Portal.<br>• Endpoint Identity Agents and Browser-Based Authentication - When a high level of security is necessary. The Captive Portal is used for distributing the Endpoint Identity Agent. IP Spoofing protection can be set to prevent packets from being IP spoofed. |
| Terminal Servers and Citrix environments | Terminal Servers.<br>Requires you to install the Terminal Servers Endpoint Identity Agent on each Terminal Server. |
| Users that access the organization through VPN | Remote Access.<br>Lets you identify Mobile Access and IPsec VPN clients that work in Office Mode. |
| Environments that use a RADIUS server for authentication | RADIUS Accounting.<br>Make sure that you configure the Security Gateway as a RADIUS Accounting client and give it access permissions and a shared secret. |

These are the priorities of the different Identity Sources:

  1. Remote Access
  2. Endpoint Identity Agent, Terminal Servers Endpoint Identity Agent
  3. Captive Portal, Identity Collector, RADIUS Accounting, Identity Awareness API
  4. AD Query
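
The following is an added illustration, not Check Point code, of how the priority list above can be applied when several identity sources report different users for the same IP address, and of how such disagreements can be surfaced for review. It assumes that the highest-priority source wins and that, within one tier, the most recent report wins; `Session`, `resolve` and the sample data are hypothetical.

```python
from collections import defaultdict
from typing import NamedTuple

# Priority tiers copied from the list above (1 = highest).
SOURCE_PRIORITY = {
    "Remote Access": 1,
    "Endpoint Identity Agent": 2,
    "Terminal Servers Endpoint Identity Agent": 2,
    "Captive Portal": 3,
    "Identity Collector": 3,
    "RADIUS Accounting": 3,
    "Identity Awareness API": 3,
    "AD Query": 4,
}

class Session(NamedTuple):
    ip: str
    user: str
    source: str
    seen: int  # epoch seconds of the last update (constructed values below)

def resolve(sessions):
    """Return {ip: (winning Session, [Sessions that name a different user])}."""
    by_ip = defaultdict(list)
    for s in sessions:
        if s.source not in SOURCE_PRIORITY:
            raise ValueError(f"unknown identity source: {s.source!r}")
        by_ip[s.ip].append(s)
    result = {}
    for ip, group in by_ip.items():
        # Lowest tier number wins; inside a tier the newest report wins (assumption).
        winner = min(group, key=lambda s: (SOURCE_PRIORITY[s.source], -s.seen))
        conflicts = [s for s in group if s.user != winner.user]
        result[ip] = (winner, conflicts)
    return result

# Constructed sample: documentation-range IPs and made-up users.
SAMPLE = [
    Session("192.0.2.10", "alice", "AD Query", 1000),
    Session("192.0.2.10", "bob", "Captive Portal", 900),
    Session("192.0.2.20", "carol", "Identity Collector", 500),
    Session("192.0.2.20", "dave", "RADIUS Accounting", 700),
    Session("192.0.2.30", "erin", "AD Query", 100),
]

if __name__ == "__main__":
    for ip, (winner, conflicts) in sorted(resolve(SAMPLE).items()):
        other = [(c.user, c.source) for c in conflicts]
        print(ip, winner.user, "via", winner.source, "| conflicting:", other)
```

An IP address with a non-empty conflict list is worth reviewing, because a lower-priority source such as AD Query is attributing its traffic to a different user than the source that won.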