Revision: 6158 http://ipcop.svn.sourceforge.net/ipcop/?rev=6158&view=rev Author: eoberlander Date: 2011-12-10 18:28:44 +0000 (Sat, 10 Dec 2011) Log Message: ----------- Add Marco's text and screenshots for proxy Windows authentication section.
Modified Paths: -------------- IPCopDoc/trunk/en/admin/xml/proxy.xml Added Paths: ----------- IPCopDoc/trunk/en/admin/images/proxy-windows-all.png IPCopDoc/trunk/en/admin/images/proxy-windows-auth.png IPCopDoc/trunk/en/admin/images/proxy-windows-common.png IPCopDoc/trunk/en/admin/images/proxy-windows-user.png Added: IPCopDoc/trunk/en/admin/images/proxy-windows-all.png =================================================================== (Binary files differ) Property changes on: IPCopDoc/trunk/en/admin/images/proxy-windows-all.png ___________________________________________________________________ Added: svn:mime-type + application/octet-stream Added: IPCopDoc/trunk/en/admin/images/proxy-windows-auth.png =================================================================== (Binary files differ) Property changes on: IPCopDoc/trunk/en/admin/images/proxy-windows-auth.png ___________________________________________________________________ Added: svn:mime-type + application/octet-stream Added: IPCopDoc/trunk/en/admin/images/proxy-windows-common.png =================================================================== (Binary files differ) Property changes on: IPCopDoc/trunk/en/admin/images/proxy-windows-common.png ___________________________________________________________________ Added: svn:mime-type + application/octet-stream Added: IPCopDoc/trunk/en/admin/images/proxy-windows-user.png =================================================================== (Binary files differ) Property changes on: IPCopDoc/trunk/en/admin/images/proxy-windows-user.png ___________________________________________________________________ Added: svn:mime-type + application/octet-stream Modified: IPCopDoc/trunk/en/admin/xml/proxy.xml =================================================================== --- IPCopDoc/trunk/en/admin/xml/proxy.xml 2011-12-10 09:43:10 UTC (rev 6157) +++ IPCopDoc/trunk/en/admin/xml/proxy.xml 2011-12-10 18:28:44 UTC (rev 6158) 
@@ -70,16 +70,395 @@ <sect2 id="proxy-auth-windows"> <title>Windows Authentication</title> - <para> - Content to be written... - </para> + <para> + This authentication method is a preferred solution for small and + medium network environments. + Users will have to authenticate when accessing web sites. + The credentials are verified against an external Server acting as + a Domain Controller. + This can be a: + </para> + <itemizedlist> + <listitem> + <para> + Windows NT 4.0 Server or Windows 2000/2003/2008 Server + (even with Active Directory enabled). + </para> + </listitem> + <listitem> + <para> + Samba 2.x / 3.x Server (running as Domain Controller). + </para> + </listitem> + </itemizedlist> + <para> + Advanced Proxy works with Windows integrated authentication + (transparent) or with standard authentication (explicit + with username and password). + </para> + <para> + <mediaobject> + <imageobject role="fo"> + <imagedata fileref="&imagepath;proxy-windows-all.&imageext;" + format="PNG" + contentwidth="14cm"/> + </imageobject> + <imageobject role="html"> + <imagedata fileref="&imagepath;proxy-windows-all.&imageext;" format="PNG" align="center"/> + </imageobject> + <textobject> + <phrase>Windows Authentication</phrase> + </textobject> + </mediaobject> + </para> + <para> + You can maintain lists with authorized user names (whitelist) or + unauthorized user names (blacklist). + </para> + <note> + <para> + Workgroup based authentication may probably work, but is + neither recommended nor supported. 
+ </para> + </note> + + <sect3 id="proxy-auth-windows-global"> + <title>Global authentication settings</title> + <para> + <mediaobject> + <imageobject role="fo"> + <imagedata fileref="&imagepath;proxy-global-settings.&imageext;" + format="PNG" + contentwidth="14cm"/> + </imageobject> + <imageobject role="html"> + <imagedata fileref="&imagepath;proxy-global-settings.&imageext;" format="PNG" align="center"/> + </imageobject> + <textobject> + <phrase>Global authentication settings section</phrase> + </textobject> + </mediaobject> + </para> + <formalpara> + <title><guilabel>Number of authentication processes</guilabel></title> + <para> + The number of background processes listening for requests. + The default value is 5 and should be increased if authentication + takes too long or Windows integrated authentication falls back + to explicit authentication. + </para> + </formalpara> + <formalpara> + <title><guilabel>Authentication cache TTL</guilabel></title> + <para> + Duration in minutes how long credentials will be cached for + each single session. + If this time expires, the user has to re-enter the credentials + for this session. + The default is set to 60 minutes, the minimum will be 1 minute. + The TTL will always be reset when the user sends a new request + to the Proxy Server within a session. + </para> + </formalpara> + <note> + <para> + If the user opens a new session, the credentials must always + be entered, even if the TTL has not expired for another session. + </para> + </note> + <formalpara> + <title><guilabel>Limit of IP addresses per user</guilabel> (optional)</title> + <para> + Number of source IP addresses a user can be logged in at one + time. + The IP address will be released after the time defined at + <emphasis>User/IP cache TTL</emphasis>. + </para> + </formalpara> + <note> + <para> + This takes no effect if running Local authentication and the + user is a member of the <quote>Extended</quote> group. 
+ </para> + </note> + <formalpara> + <title><guilabel>User/IP cache TTL</guilabel></title> + <para> + Duration in minutes, how long relations between each user name + and the used IP address will be cached. + The default value is 0 (disabled). + </para> + </formalpara> + <para> + A value greater than 0 is only reasonable while using a limit for + concurrent IP addresses per user. + </para> + <formalpara> + <title><guilabel>Require authentication for unrestricted source addresses</guilabel></title> + <para> + By default authentication is required even for unrestricted IP + addresses. + If you don't want to require authentication for these + addresses, untick this box. + </para> + </formalpara> + <formalpara> + <title><guilabel>Authentication realm prompt</guilabel></title> + <para> + This text will be shown in the authentication dialog. + The default is <quote>IPCop Advanced Proxy Server</quote>. + </para> + </formalpara> + <formalpara> + <title><guilabel>Destinations without authentication</guilabel></title> + <para> + This allows you to define a list of destinations that can be + accessed without authentication. + </para> + </formalpara> + <note> + <para> + Any domains listed here are destination DNS domains and not + source Windows NT domains. + </para> + </note> + <para> + Examples: + </para> + <para> + Entire domains and subdomains + </para> + <screen><computeroutput>*.example.net +*.google.com</computeroutput></screen> + <para> + Single hosts + </para> + <screen><computeroutput>www.example.net +www.google.com</computeroutput></screen> + <para> + IP addresses + </para> + <screen><computeroutput>81.169.145.75 +74.125.39.103</computeroutput></screen> + <para> + URLs + </para> + <screen><computeroutput>www.example.net/download +www.google.com/images</computeroutput></screen> + <note> + <para> + You can enter all of these destination types in any order. + </para> + </note> + <para> + Example for Windows Update. 
+ </para> + <para> + To allow access to Windows Update without authentication add these + destinations to the list: + </para> + <screen><computeroutput>*.download.microsoft.com +*.windowsupdate.com +windowsupdate.microsoft.com</computeroutput></screen> + </sect3> + + <sect3 id="proxy-auth-windows-common"> + <title>Common domain settings</title> + <para> + <mediaobject> + <imageobject role="fo"> + <imagedata fileref="&imagepath;proxy-windows-common.&imageext;" + format="PNG" + contentwidth="14cm"/> + </imageobject> + <imageobject role="html"> + <imagedata fileref="&imagepath;proxy-windows-common.&imageext;" format="PNG" align="center"/> + </imageobject> + <textobject> + <phrase>Common domain settings section</phrase> + </textobject> + </mediaobject> + </para> + <formalpara> + <title><guilabel>Domain</guilabel></title> + <para> + Enter the name of the domain you want to use for authentication. + If you are running a Windows 2000 or Windows 2003 Active + Directory, you'll have to enter the NetBIOS domain name. + </para> + </formalpara> + <formalpara> + <title><guilabel>PDC hostname</guilabel></title> + <para> + Enter the NetBIOS hostname of the Primary Domain Controller + here. + If you are running a Windows 2000 or Windows 2003 Active + Directory, you can enter the name of any Domain Controller. + </para> + </formalpara> + <note> + <para> + For Windows 2000 and above the Primary Domain Controller is not + assigned to a specific server. + The Active Directory PDC emulator is a logical role and can be + assigned to any server. + </para> + </note> + <important> + <para> + The PDC hostname must be resolvable for IPCop. + This can be done by adding the hostname at + <link linkend="services-hosts">Services > Edit Hosts</link> + (recommended) or by editing the file + <filename>/etc/hosts</filename> directly. 
+ </para> + </important> + <formalpara> + <title><guilabel>BDC hostname</guilabel> (optional)</title> + <para> + Enter the NetBIOS hostname of the Backup Domain Controller here. + If you are running a Windows 2000 or Windows 2003 Active + Directory, you can enter the name of any Domain Controller. + If the PDC doesn't respond to authentication requests, + the authentication process will ask the BDC instead. + </para> + </formalpara> + <important> + <para> + The BDC hostname must be resolvable for IPCop. + This can be done by adding the hostname at + <link linkend="services-hosts">Services > Edit Hosts</link> + (recommended) or by editing the file + <filename>/etc/hosts</filename> directly. + </para> + </important> + </sect3> + + <sect3 id="proxy-auth-windows-auth"> + <title>Authentication mode</title> + <para> + <mediaobject> + <imageobject role="fo"> + <imagedata fileref="&imagepath;proxy-windows-auth.&imageext;" + format="PNG" + contentwidth="14cm"/> + </imageobject> + <imageobject role="html"> + <imagedata fileref="&imagepath;proxy-windows-auth.&imageext;" format="PNG" align="center"/> + </imageobject> + <textobject> + <phrase>Authentication mode section</phrase> + </textobject> + </mediaobject> + </para> + <formalpara> + <title><guilabel>Enable Windows integrated authentication</guilabel></title> + <para> + If enabled, the user will not be asked for a username and + password. + The credentials of the currently logged in user will + automatically be used for authentication. + This option is enabled by default. + </para> + </formalpara> + <para> + If integrated authentication is disabled, + the user will be requested explicitly for a username and password. 
+ </para> + </sect3> + + <sect3 id="proxy-auth-windows-user"> + <title>User based access restrictions</title> + <para> + <mediaobject> + <imageobject role="fo"> + <imagedata fileref="&imagepath;proxy-windows-user.&imageext;" + format="PNG" + contentwidth="14cm"/> + </imageobject> + <imageobject role="html"> + <imagedata fileref="&imagepath;proxy-windows-user.&imageext;" format="PNG" align="center"/> + </imageobject> + <textobject> + <phrase>User based access restrictions section</phrase> + </textobject> + </mediaobject> + </para> + <formalpara> + <title><guilabel>Enabled</guilabel></title> + <para> + Enables access control lists for authorized or unauthorized + users. + </para> + </formalpara> + <formalpara> + <title><guilabel>Use positive access control / Authorized domain users</guilabel></title> + <para> + The users listed here will be allowed web access. + For all other users, access will be denied. + </para> + </formalpara> + <formalpara> + <title><guilabel>Use negative access control / Unauthorized domain users</guilabel></title> + <para> + The listed users will be blocked from web access. + For all other users, access will be allowed. + </para> + </formalpara> + <note> + <para> + If Windows integrated authentication is enabled, + the username must be entered with the domain name as + a prefix for the username, separated by a backslash. + </para> + </note> + <para> + Example for user based access control lists using integrated + authentication: + </para> + <screen><computeroutput>domain\administrator +domain\bruno +domain\jane +domain\maria +domain\paul +domain\steve</computeroutput></screen> + <note> + <para> + When using integrated authentication, the user must be logged + in to the domain, + otherwise the name of the local workstation, instead of the + domain name, will be added to the username. 
+ </para> + </note> + <para> + Example for user based access control lists using explicit + authentication: + </para> + <screen><computeroutput>administrator +bruno +jane +maria +paul +steve</computeroutput></screen> + <note> + <para> + Explicit authentication grants access to the user, + even though the user is not logged in to the domain, + as long as the username will be the same and the + local workstation password and the domain password does match. + </para> + </note> + </sect3> + </sect2> <sect2 id="proxy-auth-radius"> <title>RADIUS Authentication</title> <para> - This authentication method uses an existing RADIUS server for user - authentication. + This authentication method is a preferred solution for small and + medium network environments. + Users will have to authenticate when accessing web sites. + The credentials are verified against an external RADIUS server. </para> <para> <mediaobject> @@ -97,8 +476,8 @@ </mediaobject> </para> <para> - In addition to authentication you can define positive or - negative user based access control lists. + In addition to authentication you can define positive (whitelist) or + negative (blacklist) user based access control lists. </para> <sect3 id="proxy-auth-radius-global"> This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. _______________________________________________ Ipcop-svn mailing list Ipcop-svn@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ipcop-svn
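Review bot: In the first hunk (@@ -70,16 +70,395 @@), the note under <guilabel>Limit of IP addresses per user</guilabel> ("This takes no effect if running Local authentication and the user is a member of the <quote>Extended</quote> group") appears to be copied from the Local authentication section; inside sect3 proxy-auth-windows-global it describes a condition that cannot occur while Windows authentication is selected, so it should be dropped or reworded to say the limit applies to every domain user. Further points in the same hunk: the new opening of sect2 proxy-auth-radius repeats the Windows section's first two sentences word for word, so the document now calls both methods "a preferred solution for small and medium network environments"; keeping the original sentence ("uses an existing RADIUS server for user authentication") together with the new "verified against an external RADIUS server" line would read better. The <guilabel>Destinations without authentication</guilabel> examples put live third-party addresses (81.169.145.75, 74.125.39.103) into a list that exempts destinations from authentication; since such addresses can be reassigned, addresses from the RFC 5737 documentation range 192.0.2.0/24 would be safer for readers who copy the example. Wording: "This takes no effect" should be "This has no effect", "may probably work" reads better as "may work", and in the final note "the local workstation password and the domain password does match" should be "do match". Finally, sect3 proxy-auth-windows-global references proxy-global-settings.png, which is not among this revision's Added Paths; please confirm it already exists under admin/images so the build does not fail.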