Revision: 6158
          http://ipcop.svn.sourceforge.net/ipcop/?rev=6158&view=rev
Author:   eoberlander
Date:     2011-12-10 18:28:44 +0000 (Sat, 10 Dec 2011)
Log Message:
-----------
Add Marco's text and screenshots for proxy Windows authentication section.

Modified Paths:
--------------
    IPCopDoc/trunk/en/admin/xml/proxy.xml

Added Paths:
-----------
    IPCopDoc/trunk/en/admin/images/proxy-windows-all.png
    IPCopDoc/trunk/en/admin/images/proxy-windows-auth.png
    IPCopDoc/trunk/en/admin/images/proxy-windows-common.png
    IPCopDoc/trunk/en/admin/images/proxy-windows-user.png

Added: IPCopDoc/trunk/en/admin/images/proxy-windows-all.png
===================================================================
(Binary files differ)


Property changes on: IPCopDoc/trunk/en/admin/images/proxy-windows-all.png
___________________________________________________________________
Added: svn:mime-type
   + application/octet-stream

Added: IPCopDoc/trunk/en/admin/images/proxy-windows-auth.png
===================================================================
(Binary files differ)


Property changes on: IPCopDoc/trunk/en/admin/images/proxy-windows-auth.png
___________________________________________________________________
Added: svn:mime-type
   + application/octet-stream

Added: IPCopDoc/trunk/en/admin/images/proxy-windows-common.png
===================================================================
(Binary files differ)


Property changes on: IPCopDoc/trunk/en/admin/images/proxy-windows-common.png
___________________________________________________________________
Added: svn:mime-type
   + application/octet-stream

Added: IPCopDoc/trunk/en/admin/images/proxy-windows-user.png
===================================================================
(Binary files differ)


Property changes on: IPCopDoc/trunk/en/admin/images/proxy-windows-user.png
___________________________________________________________________
Added: svn:mime-type
   + application/octet-stream

Modified: IPCopDoc/trunk/en/admin/xml/proxy.xml
===================================================================
--- IPCopDoc/trunk/en/admin/xml/proxy.xml       2011-12-10 09:43:10 UTC (rev 
6157)
+++ IPCopDoc/trunk/en/admin/xml/proxy.xml       2011-12-10 18:28:44 UTC (rev 
6158)
@@ -70,16 +70,395 @@
 
     <sect2 id="proxy-auth-windows">
     <title>Windows Authentication</title>
-    <para>
-        Content to be written...
-    </para>
+        <para>
+            This authentication method is a preferred solution for small and 
+            medium network environments.
+            Users will have to authenticate when accessing web sites. 
+            The credentials are verified against an external Server acting as 
+            a Domain Controller. 
+            This can be a:
+        </para>
+        <itemizedlist>
+            <listitem>
+                <para>
+                    Windows NT 4.0 Server or Windows 2000/2003/2008 Server 
+                    (even with Active Directory enabled).
+                </para>
+            </listitem>
+            <listitem> 
+                <para>
+                    Samba 2.x / 3.x Server (running as Domain Controller).
+                </para>
+            </listitem>
+        </itemizedlist>
+        <para>
+            Advanced Proxy works with Windows integrated authentication 
+            (transparent) or with standard authentication (explicit 
+            with username and password).
+        </para>
+        <para>
+        <mediaobject>
+            <imageobject role="fo">
+                <imagedata fileref="&imagepath;proxy-windows-all.&imageext;"
+                                   format="PNG"
+                                   contentwidth="14cm"/>
+            </imageobject>
+            <imageobject role="html">
+                <imagedata fileref="&imagepath;proxy-windows-all.&imageext;" 
format="PNG" align="center"/>
+            </imageobject>
+            <textobject>
+                <phrase>Windows Authentication</phrase>
+            </textobject>
+        </mediaobject>
+        </para>
+        <para>
+            You can maintain lists with authorized user names (whitelist) or 
+            unauthorized user names (blacklist).
+        </para>
+        <note>
+            <para>            
+                Workgroup based authentication may probably work, but is 
+                neither recommended nor supported.
+            </para>
+        </note>
+
+    <sect3 id="proxy-auth-windows-global">
+    <title>Global authentication settings</title>
+        <para>
+        <mediaobject>
+            <imageobject role="fo">
+                <imagedata 
fileref="&imagepath;proxy-global-settings.&imageext;"
+                                   format="PNG"
+                                   contentwidth="14cm"/>
+            </imageobject>
+            <imageobject role="html">
+                <imagedata 
fileref="&imagepath;proxy-global-settings.&imageext;" format="PNG" 
align="center"/>
+            </imageobject>
+            <textobject>
+                <phrase>Global authentication settings section</phrase>
+            </textobject>
+        </mediaobject>
+        </para>
+        <formalpara>
+            <title><guilabel>Number of authentication 
processes</guilabel></title>
+            <para>
+                The number of background processes listening for requests.
+                The default value is 5 and should be increased if 
authentication
+                takes too long or Windows integrated authentication falls back 
+                to explicit authentication.
+            </para>
+        </formalpara>
+        <formalpara>
+            <title><guilabel>Authentication cache TTL</guilabel></title>
+            <para>
+                Duration in minutes how long credentials will be cached for 
+                each single session.
+                If this time expires, the user has to re-enter the credentials
+                for this session. 
+                The default is set to 60 minutes, the minimum will be 1 minute.
+                The TTL will always be reset when the user sends a new request 
+                to the Proxy Server within a session.
+            </para>
+        </formalpara>
+        <note>
+            <para>
+                If the user opens a new session, the credentials must always 
+                be entered, even if the TTL has not expired for another 
session.
+            </para>
+        </note>
+        <formalpara>
+            <title><guilabel>Limit of IP addresses per user</guilabel> 
(optional)</title>
+            <para>
+                Number of source IP addresses a user can be logged in at one 
+                time.
+                The IP address will be released after the time defined at 
+                <emphasis>User/IP cache TTL</emphasis>.
+            </para>
+        </formalpara>
+        <note>
+            <para>
+                This takes no effect if running Local authentication and the 
+                user is a member of the <quote>Extended</quote> group.
+            </para>
+        </note>
+        <formalpara>
+            <title><guilabel>User/IP cache TTL</guilabel></title>
+            <para>
+                Duration in minutes, how long relations between each user name 
+                and the used IP address will be cached. 
+                The default value is 0 (disabled).
+            </para>
+        </formalpara>
+        <para>
+            A value greater than 0 is only reasonable while using a limit for 
+            concurrent IP addresses per user.
+        </para>    
+        <formalpara>
+            <title><guilabel>Require authentication for unrestricted source 
addresses</guilabel></title>
+            <para>
+                By default authentication is required even for unrestricted IP 
+                addresses. 
+                If you don&apos;t want to require authentication for these 
+                addresses, untick this box.
+            </para>
+        </formalpara>
+        <formalpara>
+            <title><guilabel>Authentication realm prompt</guilabel></title>
+            <para>
+                This text will be shown in the authentication dialog. 
+                The default is <quote>IPCop Advanced Proxy Server</quote>.
+            </para>
+        </formalpara>
+        <formalpara>
+            <title><guilabel>Destinations without 
authentication</guilabel></title>
+            <para>
+                This allows you to define a list of destinations that can be 
+                accessed without authentication.
+            </para>
+        </formalpara>
+        <note>
+            <para>
+                Any domains listed here are destination DNS domains and not 
+                source Windows NT domains.
+            </para>
+        </note>
+        <para>
+            Examples:
+        </para>
+        <para>
+            Entire domains and subdomains
+        </para>        
+            <screen><computeroutput>*.example.net
+*.google.com</computeroutput></screen>
+        <para>
+            Single hosts
+        </para>        
+            <screen><computeroutput>www.example.net
+www.google.com</computeroutput></screen>
+        <para>
+            IP addresses
+        </para>        
+            <screen><computeroutput>81.169.145.75
+74.125.39.103</computeroutput></screen>
+        <para>
+            URLs
+        </para>        
+            <screen><computeroutput>www.example.net/download
+www.google.com/images</computeroutput></screen>
+        <note>
+            <para>
+                You can enter all of these destination types in any order.
+            </para>
+        </note>
+        <para>
+            Example for Windows Update.
+        </para>
+        <para>
+            To allow access to Windows Update without authentication add these 
+            destinations to the list:
+        </para>        
+            <screen><computeroutput>*.download.microsoft.com
+*.windowsupdate.com
+windowsupdate.microsoft.com</computeroutput></screen>
+    </sect3>
+
+    <sect3 id="proxy-auth-windows-common">
+    <title>Common domain settings</title>
+        <para>
+        <mediaobject>
+            <imageobject role="fo">
+                <imagedata fileref="&imagepath;proxy-windows-common.&imageext;"
+                                   format="PNG"
+                                   contentwidth="14cm"/>
+            </imageobject>
+            <imageobject role="html">
+                <imagedata 
fileref="&imagepath;proxy-windows-common.&imageext;" format="PNG" 
align="center"/>
+            </imageobject>
+            <textobject>
+                <phrase>Common domain settings section</phrase>
+            </textobject>
+        </mediaobject>
+        </para>
+        <formalpara>
+            <title><guilabel>Domain</guilabel></title>
+            <para>
+                Enter the name of the domain you want to use for 
authentication.
+                If you are running a Windows 2000 or Windows 2003 Active 
+                Directory, you&apos;ll have to enter the NetBIOS domain name.
+            </para>
+        </formalpara>   
+        <formalpara>
+            <title><guilabel>PDC hostname</guilabel></title>
+            <para>
+                Enter the NetBIOS hostname of the Primary Domain Controller 
+                here. 
+                If you are running a Windows 2000 or Windows 2003 Active 
+                Directory, you can enter the name of any Domain Controller.
+            </para>
+        </formalpara>
+        <note>
+            <para>
+                For Windows 2000 and above the Primary Domain Controller is 
not 
+                assigned to a specific server. 
+                The Active Directory PDC emulator is a logical role and can be 
+                assigned to any server.
+            </para>
+        </note>
+        <important>
+            <para>
+                The PDC hostname must be resolvable for IPCop.
+                This can be done by adding the hostname at 
+                <link linkend="services-hosts">Services > Edit Hosts</link>
+                (recommended) or by editing the file 
+                <filename>/etc/hosts</filename> directly.
+            </para>
+        </important>
+        <formalpara>
+            <title><guilabel>BDC hostname</guilabel> (optional)</title>
+            <para>
+                Enter the NetBIOS hostname of the Backup Domain Controller 
here.
+                If you are running a Windows 2000 or Windows 2003 Active 
+                Directory, you can enter the name of any Domain Controller.
+                If the PDC doesn&apos;t respond to authentication requests, 
+                the authentication process will ask the BDC instead.
+            </para>
+        </formalpara>
+        <important>
+            <para>
+                The BDC hostname must be resolvable for IPCop.
+                This can be done by adding the hostname at 
+                 <link linkend="services-hosts">Services > Edit Hosts</link>
+                (recommended) or by editing the file 
+                <filename>/etc/hosts</filename> directly.
+            </para>
+        </important>       
+    </sect3>
+
+    <sect3 id="proxy-auth-windows-auth">
+    <title>Authentication mode</title>
+        <para>
+        <mediaobject>
+            <imageobject role="fo">
+                <imagedata fileref="&imagepath;proxy-windows-auth.&imageext;"
+                                   format="PNG"
+                                   contentwidth="14cm"/>
+            </imageobject>
+            <imageobject role="html">
+                <imagedata fileref="&imagepath;proxy-windows-auth.&imageext;" 
format="PNG" align="center"/>
+            </imageobject>
+            <textobject>
+                <phrase>Authentication mode section</phrase>
+            </textobject>
+        </mediaobject>
+        </para>
+        <formalpara>
+            <title><guilabel>Enable Windows integrated 
authentication</guilabel></title>
+            <para>
+                If enabled, the user will not be asked for a username and 
+                password. 
+                The credentials of the currently logged in user will 
+                automatically be used for authentication. 
+                This option is enabled by default.
+            </para>
+        </formalpara>
+        <para>
+            If integrated authentication is disabled, 
+            the user will be requested explicitly for a username and password.
+        </para>
+    </sect3>
+
+    <sect3 id="proxy-auth-windows-user">
+    <title>User based access restrictions</title>
+        <para>
+        <mediaobject>
+            <imageobject role="fo">
+                <imagedata fileref="&imagepath;proxy-windows-user.&imageext;"
+                                   format="PNG"
+                                   contentwidth="14cm"/>
+            </imageobject>
+            <imageobject role="html">
+                <imagedata fileref="&imagepath;proxy-windows-user.&imageext;" 
format="PNG" align="center"/>
+            </imageobject>
+            <textobject>
+                <phrase>User based access restrictions section</phrase>
+            </textobject>
+        </mediaobject>
+        </para>
+        <formalpara>
+            <title><guilabel>Enabled</guilabel></title>
+            <para>
+                Enables access control lists for authorized or unauthorized 
+                users.
+            </para>
+        </formalpara>
+        <formalpara>
+            <title><guilabel>Use positive access control / Authorized domain 
users</guilabel></title>
+            <para>
+                The users listed here will be allowed web access. 
+                For all other users, access will be denied.
+            </para>
+        </formalpara>
+        <formalpara>
+            <title><guilabel>Use negative access control / Unauthorized domain 
users</guilabel></title>
+            <para>
+                The listed users will be blocked from web access.
+                For all other users, access will be allowed.
+            </para>
+        </formalpara>
+        <note>
+            <para>
+                If Windows integrated authentication is enabled, 
+                the username must be entered with the domain name as 
+                a prefix for the username, separated by a backslash.
+            </para>
+        </note>        
+        <para>
+            Example for user based access control lists using integrated 
+            authentication:
+        </para>        
+            <screen><computeroutput>domain\administrator
+domain\bruno
+domain\jane
+domain\maria
+domain\paul
+domain\steve</computeroutput></screen>
+        <note>
+            <para>
+                When using integrated authentication, the user must be logged 
+                in to the domain, 
+                otherwise the name of the local workstation, instead of the 
+                domain name, will be added to the username.
+            </para>
+        </note>
+        <para>
+            Example for user based access control lists using explicit 
+            authentication:
+        </para>        
+            <screen><computeroutput>administrator
+bruno
+jane
+maria
+paul
+steve</computeroutput></screen>
+        <note>
+            <para>
+                Explicit authentication grants access to the user, 
+                even though the user is not logged in to the domain, 
+                as long as the username will be the same and the 
+                local workstation password and the domain password does match.
+            </para>
+        </note>
+    </sect3>
+    
     </sect2>
 
     <sect2 id="proxy-auth-radius">
     <title>RADIUS Authentication</title>
         <para>
-            This authentication method uses an existing RADIUS server for user 
-            authentication.
+            This authentication method is a preferred solution for small and 
+            medium network environments. 
+            Users will have to authenticate when accessing web sites. 
+            The credentials are verified against an external RADIUS server.
         </para>
         <para>
         <mediaobject>
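
Review bot: The closing note in proxy-auth-windows-user ("as long as the username will be the same and the local workstation password and the domain password does match") has a subject-verb error and is hard to parse for a statement that decides who gets through the proxy; suggest "as long as the username is the same and the local workstation password matches the domain password". The note under "Limit of IP addresses per user" refers to Local authentication and the "Extended" group, neither of which is explained in this Windows section, so it should link to the local authentication section or be dropped here. The intro lists Windows 2000/2003/2008 Server, but the Domain, PDC hostname and BDC hostname paragraphs only mention "Windows 2000 or Windows 2003 Active Directory"; these should agree. The "Destinations without authentication" examples use wide wildcards such as *.google.com; since everything listed is reachable without credentials, a sentence advising readers to keep the list as narrow as possible would help. Minor: the link text "Services > Edit Hosts" should use &gt; for the angle bracket.
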
@@ -97,8 +476,8 @@
         </mediaobject>
         </para>
         <para>
-            In addition to authentication you can define positive or 
-            negative user based access control lists.
+            In addition to authentication you can define positive (whitelist) 
or 
+            negative (blacklist) user based access control lists.
         </para>
 
     <sect3 id="proxy-auth-radius-global">
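
Review bot: The reworded sentence "positive (whitelist) or negative (blacklist) user based access control lists" names the two list types but still does not say what happens to users who are not on the list. The Windows section added in this commit spells that out ("For all other users, access will be denied" and "access will be allowed"), and the same wording here would keep the two sections consistent. "user based" should also be hyphenated as "user-based".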

_______________________________________________
Ipcop-svn mailing list
Ipcop-svn@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipcop-svn