Configuration Example 1: Configuring user-defined attributes. When the existing attributes are not enough, you can add user-defined attributes for users and use the attributes to set Internet access policies and traffic control policies for the users with the same attributes.
Within the intranet segment 192.168.1.0/255.255.255.0, users are authenticated using passwords. A user-defined attribute is set to distinguish male users from female users. For female users, the Internet access policy disallows access to shopping and entertainment websites; for male users, the Internet access policy disallows the use of gaming applications. Because the customer wants all PCs in the 192.168.1.0/255.255.255.0 segment to be authenticated using passwords, set the authentication mode for the PCs first.
Step 1.Choose Access Mgt > Authentication > Web Authentication > Authentication Policy and set an authentication policy. Set the objects to 192.168.1.0/24.
Set Authentication Method to Password based and Authentication Server to Local User database.
Step 2.Choose Advanced > Custom Attributes and set user-defined attributes.
Attribute name: Gender
Attribute value: an enumeration with two values, Male and Female
Step 3.Navigate to Access Mgt > User Management > Local User and add a local user group and local users.
Step 4.When adding a user, select the value of the Gender attribute for that user.
Step 5.For female users, configure the Internet access policy to disallow them from accessing shopping and entertainment websites.
Apply this policy to the users whose Gender attribute value is Female.
Step 6.For male users, configure the Internet access policy to disallow them from using gaming applications.
Apply this policy to the users whose Gender attribute value is Male.
Configuration Example 2: The intranet users are authenticated using passwords. The customer has a hosted web server on the Internet at http://www.Sangfor.com.cn. The users must be allowed to access the server before being authenticated.
The configuration procedure is as follows:
Step 1.Set a URL group for the URL that must be reachable before authentication.
Navigate to System > Objects > URL Database and click Add to add a URL category containing www.Sangfor.com.cn.
Step 2.Set an Internet access policy to allow accessing the URL.
Choose Access Mgt > Authentication > Web Authentication > Authentication Policy and click Add to add an Internet access policy. Associate the policy with the Temporary Group.
Step 3.Set the authentication policy. Navigate to Access Mgt > Authentication > Web Authentication > Authentication Policy and click Add to set the authentication policy according to the IP or MAC addresses of the users to be authenticated using passwords.
In the Authentication Method, select Password based.
Under Action > Advanced, select Before authentication, add to group, and select the Temporary Group. Unauthenticated users in this policy are then placed in the Temporary Group, so the Internet access policy from Step 2 applies to them.
Step 4.Verify the result: when an unauthenticated user opens any other webpage, the IAG authentication page is displayed; when the user accesses www.Sangfor.com.cn, the page opens directly and no authentication page is displayed.
Configuration Example 3: A customer has an AD domain server on its intranet, and intranet users must be authenticated using AD domain SSO. If SSO for a user fails, a notification page must be displayed when the user accesses a webpage. The user can download a manual SSO tool from the page and run the tool to implement SSO.
Step 1.Navigate to Access Mgt > Authentication > Web Authentication > Auth Server and set the AD domain authentication server.
Step 2.Set the authentication policy. Navigate to Access Mgt > Authentication > Web Authentication > Authentication Policy and click Add to set the authentication policy according to the IP or MAC addresses of the users who require SSO.
Set Authentication Method to SSO. For users who fail to be authenticated during SSO, select Predefined webpage.
This page enables users to download the manual SSO tool.
Next, enable SSO, select the SSO mode, and set the shared key. Navigate to Access Mgt > Authentication > Web Authentication > Single Sign On > MS AD Domain and select Enable Domain SSO.
Select Obtain login profile by executing logon script through domain, which means SSO is implemented by delivering a login script through the domain. Enter the shared key in Shared Key. See the following figure.
The shared key encrypts the communication between the IAG and the AD domain server and must be configured identically in the login script; if the two keys differ, SSO fails for every user. Click Download Domain SSO Program to download the login and logout scripts.
Step 3.Configure the login script on the AD domain server.
Step 4.After a user logs in through SSO, the user can access the Internet.
If SSO fails for a user, the predefined page is displayed when the user opens a webpage. The user downloads and runs the manual SSO tool.
SSO is then completed successfully for the user.
Configuration Example 4: A customer has an ISA server, and intranet users access the Internet through the ISA server, which functions as a proxy. The IAG is deployed between the ISA server and a switch to implement control and audit. Intranet users must be able to access the Internet without being authenticated. On the IAG, IP addresses are used as usernames.
Step 1.Deploy the IAG in bridge mode. Connect the IAG to the switch using an intranet port and the ISA server using the Internet port.
Step 2.Set the authentication policy. Navigate to Access Mgt > Authentication > Web Authentication > Authentication Policy and click Add to set the authentication policy according to the IP or MAC addresses of the intranet users who access the Internet through the ISA server.
In Authentication Method, select Open Auth and set Take IP address as username.
Step 3.Because the IAG connects to the switch through its intranet port and to the ISA server through its Internet port, traffic from the intranet to the ISA server leaves through the Internet port, and return traffic from the Internet enters through the Internet port and is forwarded out of the intranet port. Without further configuration, the IAG would treat the source addresses of that return traffic as users and add Internet IP addresses to its online user list. To prevent this, exclude Internet data as follows:
Choose Access Mgt > Authentication > Advanced > Authentication Options and select Open auth for data flow from WAN to LAN interface.
Step 4.Configure the proxy settings of PCs to exclude the IAG IP address.
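Step 4 is normally done once per PC or pushed by policy. The following PowerShell script, added here as an illustration and not part of the Sangfor documentation, configures the per-user WinINet proxy settings that Windows browsers use and adds the IAG address to the bypass list. The addresses are assumptions for the example: the ISA proxy is taken to be 192.168.1.254 on port 8080 and the IAG management address 192.168.1.253; substitute the real values.

```powershell
# Added example (not from the original page): set the per-user proxy on a Windows PC
# so that traffic to the IAG itself bypasses the ISA proxy.
# Assumed addresses: ISA proxy 192.168.1.254:8080, IAG management IP 192.168.1.253.
$ProxyServer = '192.168.1.254:8080'
$IagAddress  = '192.168.1.253'
# Addresses in ProxyOverride are separated by semicolons; <local> bypasses plain hostnames.
$BypassList  = "$IagAddress;<local>"

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

Set-ItemProperty -Path $key -Name ProxyEnable   -Value 1            -Type DWord
Set-ItemProperty -Path $key -Name ProxyServer   -Value $ProxyServer -Type String
Set-ItemProperty -Path $key -Name ProxyOverride -Value $BypassList  -Type String

# Check what was written; the IAG address must appear in ProxyOverride.
$settings = Get-ItemProperty -Path $key
$settings | Select-Object ProxyEnable, ProxyServer, ProxyOverride

if ($settings.ProxyOverride -notmatch [regex]::Escape($IagAddress)) {
    Write-Warning "IAG address $IagAddress is missing from the proxy bypass list"
}

# Services that use WinHTTP rather than WinINet read a separate machine-wide setting.
# Run the following in an elevated prompt if such services must also reach the IAG directly:
# netsh winhttp set proxy proxy-server="192.168.1.254:8080" bypass-list="192.168.1.253;<local>"
```

The registry change takes effect for new browser sessions. Placing the IAG address in the bypass list matters because a request for the IAG that is routed through the ISA proxy arrives at the IAG from the proxy's address and through the wrong interface, so the user is not recognised correctly.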