The Gateway Enforcer appliance authenticates remote clients before it allows access to the network. Client authentication in the Gateway Enforcer performs the following functions:
Determines whether to authenticate the client or allow it without authentication
You can specify individual clients or ranges of IP addresses to trust or to authenticate on the Auth Range tab.
Carries out the authentication session
You configure the settings for the authentication session on the Authentication tab.
Each Gateway Enforcer maintains the following lists of trusted IP addresses that are allowed to connect to the network through the Gateway Enforcer:
A static list
The trusted external IP addresses that are configured for the Enforcer on the Auth Range tab.
A dynamic list
The additional trusted IP addresses that are added and dropped as clients are authenticated, allowed to connect to the network, and finally disconnected.
When traffic arrives from a new client, the Gateway Enforcer appliance determines whether this client is included in the list of trusted client IP addresses. If the client has a trusted IP address, it is allowed on the network with no further authentication.
If the client does not have a trusted IP address, the Gateway Enforcer appliance checks whether the client's IP address falls within the range of client IP addresses that should be authenticated. If the client's IP address is within that range, the Gateway Enforcer appliance begins an authentication session.
During the authentication session, the client sends its unique ID number, the results of the Host Integrity check, and its policy serial number. The policy serial number indicates whether the client's security policies are up to date.
The Gateway Enforcer appliance checks the results. It can optionally check the policy serial number. If the results are valid, the Gateway Enforcer appliance gives the client an authenticated status and allows network access to the client. If the results are not valid, the Gateway Enforcer appliance blocks the client from connecting to the network.
When a client is authenticated, that client's IP address is added to the dynamic list with a timer. The default timer interval is 30 seconds. After the timer interval has elapsed, the Gateway Enforcer appliance begins a new authentication session with the client. If the client does not respond or fails authentication, the client's IP address is deleted from the list. The IP address is also blocked for a specified interval. The default setting is 30 seconds. When another client tries to log on by using that same IP address, the client has to be reauthenticated.
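The decision flow described above (static trusted list, authentication range, dynamic list with a re-authentication timer, and the block interval after a failed or unanswered session) is easier to reason about as code. The following simulator is an added example written for this page; it is not Symantec's code and does not reflect the appliance's internals. The class and method names are hypothetical, time is passed in explicitly so the timers can be stepped deterministically, and one assumption is made that the page does not state: a client outside the authentication range is simply reported as "outside-auth-range" rather than allowed or blocked. The order in which the block list is consulted relative to the trusted lists is likewise an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class ClientReport:
    """What the client sends during an authentication session (constructed model)."""
    unique_id: str
    host_integrity_passed: bool
    policy_serial: str


# Models the client's reply to a session: a ClientReport, or None if it does not respond.
AuthHandler = Callable[[str], Optional[ClientReport]]


class GatewayEnforcerSim:
    """Hypothetical simulator of the Gateway Enforcer client-authentication flow (not vendor code)."""

    def __init__(self, trusted_static, auth_ranges, current_policy_serial,
                 check_policy_serial=False, reauth_interval=30, block_interval=30):
        # Static list: trusted external addresses (Auth Range tab); never re-authenticated.
        self.trusted_static = [ipaddress.ip_network(n) for n in trusted_static]
        # Addresses that must authenticate before they are allowed through.
        self.auth_ranges = [ipaddress.ip_network(n) for n in auth_ranges]
        self.current_policy_serial = current_policy_serial
        self.check_policy_serial = check_policy_serial  # policy serial check is optional
        self.reauth_interval = reauth_interval          # page default: 30 seconds
        self.block_interval = block_interval            # page default: 30 seconds
        self.dynamic: Dict[ipaddress.IPv4Address, float] = {}  # ip -> time re-auth is due
        self.blocked: Dict[ipaddress.IPv4Address, float] = {}  # ip -> time block expires

    @staticmethod
    def _in_any(ip, nets):
        return any(ip in net for net in nets)

    def _run_session(self, ip, now, handler):
        """One authentication session: validate the report, update dynamic/block lists."""
        report = handler(str(ip))
        valid = (report is not None
                 and report.host_integrity_passed
                 and (not self.check_policy_serial
                      or report.policy_serial == self.current_policy_serial))
        if valid:
            self.dynamic[ip] = now + self.reauth_interval
            return "authenticated"
        # No response or invalid results: drop from the dynamic list and block for the interval.
        self.dynamic.pop(ip, None)
        self.blocked[ip] = now + self.block_interval
        return "blocked"

    def handle_traffic(self, client_ip, now, handler):
        """Decision for traffic arriving from client_ip at time `now`."""
        ip = ipaddress.ip_address(client_ip)
        unblock_at = self.blocked.get(ip)
        if unblock_at is not None:
            if now < unblock_at:
                return "blocked"
            del self.blocked[ip]  # block interval elapsed; the client must authenticate again
        if self._in_any(ip, self.trusted_static):
            return "allowed-static"
        due = self.dynamic.get(ip)
        if due is not None and now < due:
            return "allowed-dynamic"
        if not self._in_any(ip, self.auth_ranges):
            return "outside-auth-range"  # assumption: the page does not state this outcome
        return self._run_session(ip, now, handler)

    def reauthenticate_due(self, now, handler):
        """Timer expiry: start a new session for every dynamic entry whose interval has elapsed."""
        results = {}
        for ip, due in list(self.dynamic.items()):
            if now >= due:
                results[str(ip)] = self._run_session(ip, now, handler)
        return results
```

Stepping the simulator with a client that authenticates, then goes silent when its 30-second timer expires, shows the page's sequence: the entry leaves the dynamic list, the address is blocked for the block interval, and the next attempt after that interval must pass a fresh session before it is allowed.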