Check Devices for Domain Membership and Redirect if Non-Domain Joined
Purpose
It is often desirable to restrict access to a SecureAuth Integrated Windows Authentication (IWA) realm to domain joined devices only. The following method uses Reverse DNS lookups to check whether a connecting host belongs to the domain and allows access if it does. If the host is not domain joined, it is redirected to a different SecureAuth realm with a non-Desktop SSO workflow so the user can enter their domain credentials.
Requirements
A functioning Reverse DNS infrastructure (PTR records for client addresses) that the SecureAuth appliance can query to check domain membership.
Instructions
Check Devices for Domain Membership
Because SecureAuth runs on IIS, it can use a number of the server's built-in features to analyze traffic and allow or deny access based on certain criteria. To check devices for domain membership:
Go to your desired SecureAuth IWA realm and select IP Address and Domain Restrictions.
On the right side under Actions, select Edit Feature Settings. In the window that appears, select Deny in the "Access for unspecified clients" dropdown and check the box for "Enable domain name restrictions".
You will be warned that restricting access by domain name requires a DNS lookup on each connection and may adversely affect server performance. Select Yes to continue.
On the right side under Actions, select Add Allow Entry. In the window that appears, select the radio button for "Domain Name" and enter your domain name in the text box (e.g. *.secureauthdemo.com).
The new allowed rule should be displayed as follows:
If you do not put a wildcard in front of your domain name, the entry may fail to match the hostnames returned by the Reverse DNS lookup.
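The following PowerShell function is an added example (not part of the SecureAuth article) that reproduces, outside IIS, the check "Enable domain name restrictions" performs on each connection: reverse-resolve the client address and compare the returned hostname against the allow entry. It lets you confirm ahead of time that a given client IP will be admitted, shows why the leading wildcard matters, and reports how long each lookup takes, which is the performance concern raised under Tips & Warnings. The domain name, the client addresses and the function name are assumptions.

```powershell
# Added example: simulate the reverse DNS domain check that IIS
# IP and Domain Restrictions applies per connection. Not SecureAuth code.
function Test-ClientDomainMembership {
    param(
        [Parameter(Mandatory)][string]$ClientIp,
        [Parameter(Mandatory)][string]$AllowedPattern   # e.g. '*.secureauthdemo.com'
    )

    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # Same lookup IIS relies on: the PTR record for the client address.
        $hostName = [System.Net.Dns]::GetHostEntry($ClientIp).HostName
        # Some resolvers hand the address back unchanged when no PTR exists.
        if ($hostName -eq $ClientIp) { $hostName = $null }
    } catch {
        $hostName = $null   # no PTR record, or the lookup failed
    }
    $sw.Stop()

    # IIS compares the resolved name against the domainName entry. A pattern
    # without a leading wildcard only matches a host whose PTR is exactly that
    # name, which is why the article recommends '*.domain'.
    $allowed = ($null -ne $hostName) -and ($hostName -like $AllowedPattern)

    [pscustomobject]@{
        ClientIp     = $ClientIp
        ReverseName  = $hostName
        Pattern      = $AllowedPattern
        Allowed      = $allowed
        LookupMillis = [int]$sw.Elapsed.TotalMilliseconds
    }
}

# Usage (constructed addresses; substitute real clients from your network).
# The same hosts are tested with and without the wildcard to show the
# difference described in the article.
$clients = '10.0.0.25', '192.0.2.10'
foreach ($pattern in '*.secureauthdemo.com', 'secureauthdemo.com') {
    $clients | ForEach-Object {
        Test-ClientDomainMembership -ClientIp $_ -AllowedPattern $pattern
    }
} | Format-Table -AutoSize
```

Run it on the SecureAuth appliance itself so the lookups go through the same resolver IIS uses; a host that shows Allowed = False under the wildcard pattern will receive a 403.6 once the restriction is enabled, and LookupMillis gives a realistic per-connection cost for the delay warning.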
Redirect the User if the Device is Not Domain Joined
SecureAuth can use a custom error page to redirect users that do not come from a domain joined device. To do so:
Go to your desired SecureAuth IWA realm and select "Error Pages".
On the right side under Actions, select "Add...".
In the "Add Custom Error Rule" window that appears, enter "403.6" for Status Code and select the radio button for "Execute a URL on this site" with a URL pointing to your alternate SecureAuth realm (e.g. "/secureauth28").
Click "OK".
The new custom error rule should be displayed as follows:
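The two procedures above together amount to a handful of settings in the realm's web.config. The script below is an added example (not SecureAuth's own tooling) that applies both with the IIS WebAdministration module and reads them back, which is useful for applying the change to several realms consistently or for checking what IIS Manager wrote. The site name, realm application path, domain name and fallback realm URL are assumptions; substitute your own.

```powershell
# Added example: apply the IP and Domain Restrictions settings and the 403.6
# custom error rule from the article to one realm. Not SecureAuth code.
Import-Module WebAdministration

$realmPath   = 'IIS:\Sites\Default Web Site\secureauth1'   # IWA realm (assumed)
$domainMask  = '*.secureauthdemo.com'                       # allow entry (assumed)
$fallbackUrl = '/secureauth28'                              # non-Desktop-SSO realm (assumed)
$ipSecurity  = 'system.webServer/security/ipSecurity'
$httpErrors  = 'system.webServer/httpErrors'

# ipSecurity is locked at the server level in a default IIS install; unlock it
# so the realm can carry its own entries. Harmless if already unlocked.
Set-WebConfiguration -PSPath 'IIS:\' -Filter $ipSecurity -Metadata overrideMode -Value Allow

# "Access for unspecified clients" = Deny, and enable domain name restrictions
# (the reverse DNS lookup on every connection).
Set-WebConfigurationProperty -PSPath $realmPath -Filter $ipSecurity -Name allowUnlisted -Value $false
Set-WebConfigurationProperty -PSPath $realmPath -Filter $ipSecurity -Name enableReverseDns -Value $true

# The Allow entry for the domain, with the leading wildcard.
Add-WebConfigurationProperty -PSPath $realmPath -Filter $ipSecurity -Name '.' `
    -Value @{ domainName = $domainMask; allowed = $true }

# 403.6 ("IP address rejected") is the sub-status the module returns when a
# client is denied; execute the alternate realm's URL instead of an error page.
Add-WebConfigurationProperty -PSPath $realmPath -Filter $httpErrors -Name '.' `
    -Value @{ statusCode = 403; subStatusCode = 6; path = $fallbackUrl; responseMode = 'ExecuteURL' }

# Read back what was written; this is what the "displayed as follows" views show.
Get-WebConfiguration -PSPath $realmPath -Filter "$ipSecurity/add" |
    Select-Object domainName, ipAddress, allowed
Get-WebConfiguration -PSPath $realmPath -Filter "$httpErrors/error[@statusCode='403'][@subStatusCode='6']" |
    Select-Object statusCode, subStatusCode, path, responseMode
```

Run this from an elevated PowerShell session on the appliance and follow it with the IISRESET mentioned under Tips & Warnings. When testing, use a client that is not the appliance itself: IIS serves custom error rules to remote clients only under its default errorMode (DetailedLocalOnly), so a browser on the server will see the detailed 403.6 page rather than the redirect.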
Tips & Warnings
Performing Reverse DNS lookups to allow or deny access to a SecureAuth realm may adversely affect performance. Test within your environment to confirm the added delay is acceptable (it is often not noticeable).
You may need to perform an IISRESET for settings to take effect.