Authenticating Desktop Web Proxy User Credentials

Web Security Service must identify the user's name to check credentials and associate the user with the correct web filtering group. To configure an environment that supports Desktop Web Proxy (DWP), we recommend using LDAP synchronization and DWP's automatic user creation feature. Both methods ensure that the user's computer and the Web Security Service are synchronized and able to service the requests from the DWP for user credentials.

Enabling Automatic User creation

If you cannot access your LDAP directory from the Web Security Service or you do not have an LDAP interface, you can use automatic user account creation.

To enable automatic user creation:

• Log in to the Web Security Service Management Portal.
• Open the Accounts page and click Edit.
• Verify that the setting Enable DWP User Creation is enabled. If not, select it.


The DWP creates user names on the service when the user accesses the Web. Users must belong to a group, so new DWP users are created in the Default User Group. You can use the Management Portal to reassign users to other policy-based groups later.

Synchronizing With LDAP

If you use LDAP synchronization to add users to the Web Security Service, the new user names always match the Windows user names. The DWP identifies the Windows user name of the locally logged-on user, then requests the Web Security Service for that user's credentials. Set up one or more LDAP-enabled groups on the Web Security Service that synchronizes in the appropriate sAMAccountNames from your environment into the relevant groups. See the Web Security Service Administrator Guide for details on LDAP-enabled groups.

Users added from LDAP initially have a Pending Activation status on the Users page. After new users connect via DWP while inside the corporate network, the user status changes to Active.

Setting Credentials for Mobile Users

Mobile users' credentials are usually created automatically if the users first access the web within the corporate network. Mobile users whose first access is outside the corporate network enter a system-generated Authentication Code into the DWP client. The Web Security Service generates an Authentication Code for each user group.

To use the authentication code:

• Log in to the Web Security Service Management Portal.
• Open the Accounts > General Information tab and confirm that the Account is enabled for DWP user creation.

• Open the Groups tab.
• Locate the user group to which the mobile user belongs and click its Edit link.
  The General Information subtab displays.
• Authentication subtab.
• Verify that Allow Mobile User Access is enabled.

• Open the DWP Configuration subtab.
  • Verify that the DWP icon is not hidden on the users' system tray. If you need to clear this checkbox but it is not editable, select Use Group Settings first.
  

  The Hide Icon setting applies to all DWP users in the group. You can disable this setting again later. Hiding the icon from the end user prevents the user from entering client-specific settings.

  • Make note of the read-only Authentication Code; for example:
  
• Communicate with the mobile user by doing the following:
  • Provide the authentication code from the DWP Configuration tab.
  • Ask the user to right-click on the DWP icon on the system tray and select Credentials from the menu. In the Authentication Details dialog, type the provided authentication code in the box as shown.

  Note: Do not let the user change the other settings in Authentication Details. If the user is already registered on the Web Security Service and Automatic User Name Resolution is enabled on the Management Portal, the stored credentials will be used to authenticate the user. If Automatic User Name Resolution is not enabled and the name and password are changed here, the user will be blocked from Internet access.