Every site has its own set of configuration properties. Site Configuration applies only to the site that is currently selected; when a user accesses that site over HTTP or HTTPS, the settings configured for it are applied. Global settings are inherited by all sites.
For instance, you may have several sites in your TAC and want a different theme for each, or you may need to apply a specific access policy to one particular site.
To open Site Configuration, click the site you wish to configure and then click Configure.
Under Site Configuration, the following features can be configured.
The Basic settings section has the following fields:
Name: The site name.
Unique ID: The site ID generated by TAC. The Unique ID matters because it is used when creating access policies.
Enabled: Checkbox to enable or disable the site.
The Advanced settings section has the following fields:
External SSL termination: Enable this when TAC is placed behind an SSL-terminating or proxy device. It must be enabled in that deployment.
Client IP HTTP header name: When TAC is behind another proxy or SSL device, it may need the actual client IP address for reporting or audit purposes. In that case enter the name of the HTTP header in which the upstream device forwards the client address (for example X-Forwarded-For). Make sure the client cannot spoof the value: the upstream device must set or overwrite this header on every request, and TAC must not be reachable except through that device, otherwise anything recorded from the header is attacker-controlled.
Client PORT HTTP header name: The same, for the actual client port. Enter the name of the header the upstream device uses to forward it, and apply the same anti-spoofing precaution.
Redirect to HTTP: When enabled, all requests are redirected to HTTP instead of HTTPS. This sends traffic between the browser and TAC in the clear, so it is only appropriate when TLS is terminated on a device in front of TAC.
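The anti-spoofing requirement behind the two header settings above, as an added example that is not TAC code: the forwarded header is only honoured when the TCP peer is a known proxy, and the recorded address is the right-most entry that a trusted proxy did not add itself. The header name, the trusted proxy range and the sample requests are assumptions; the same logic applies to the client port header.

```python
"""Trusted-proxy handling for the "Client IP HTTP header name" setting.

Added example, not part of TAC: shows the check a deployment needs so that
the forwarded-address header cannot be spoofed by the client. The header
name, the trusted proxy range and the sample requests are assumptions.
"""
import ipaddress

# Assumption: only the SSL/proxy devices in this range may set the header.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
# Assumption: the header name configured in TAC.
CLIENT_IP_HEADER = "X-Forwarded-For"


def is_trusted_proxy(addr: str) -> bool:
    """True if addr is one of the devices allowed to set the client IP header."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, headers: dict) -> str:
    """Return the address to record for reporting and audit.

    peer_addr is the TCP peer that connected to TAC. The header is honoured
    only when that peer is a trusted proxy. Each proxy appends the address it
    saw, so the left-most entries are whatever the client chose to send; the
    real client is the right-most entry that is not itself a trusted proxy.
    """
    if not is_trusted_proxy(peer_addr):
        # Direct connection, or an unknown device: the header is untrusted.
        return peer_addr
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(CLIENT_IP_HEADER.lower(), "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop):
            continue                     # an internal hop, keep walking left
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break                        # malformed value: do not trust the header
        return hop
    return peer_addr                     # header absent or only trusted hops
```

A client that connects directly and supplies its own X-Forwarded-For gets its real peer address recorded; a client that prepends a fake entry behind a trusted proxy is still identified by the entry the proxy appended.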
Enable Device Access Control: Device Access Control restricts access to the site to mobile devices approved by the administrator. When this option is enabled, the administrator has explicit control over which devices may access the site. It requires further configuration, covered in “Users and Device Management.”
Access Policy: An access policy determines whether a request to the site is legitimate before access is granted. For example, if the user's endpoint does not comply with the defined policy, such as a policy that requires an anti-virus application to be installed, access is denied. The TAC policy engine protects internal resources by inspecting and filtering suspicious access. Access policies are built from a wide range of policy objects under the Access Policy menu; see “Access Policy.”
HTTP Headers: The HTTP Headers section adds response headers that harden the TAC site against common browser-side attacks. It contains the following settings:
Content-Security-Policy Extra: Content Security Policy (CSP) is a response header that lets site administrators control which resources the user agent is allowed to load for a given page. With a few exceptions, a policy consists of the allowed server origins and script endpoints. This helps guard against cross-site scripting (XSS) and clickjacking. Enter the required CSP directives in this field.
Content-Security-Policy Mode: Select the Content-Security-Policy mode from the dropdown.
HTTP Strict Transport Security (HSTS) State: HSTS is a web security mechanism that protects a site against protocol downgrade attacks and cookie hijacking. It lets the server declare that browsers (and other complying user agents) must only interact with it over HTTPS and never over plain HTTP. You may enable HSTS for the site host name only, or for the site host name and the application host names. Once a browser has seen the header it refuses plain HTTP to that host until max-age expires, so verify the HTTPS configuration before enabling it.
HSTS max-age: Enter the max-age value, in seconds. The default is 16070400 (186 days).
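A way to verify what the site actually sends after the HTTP Headers section has been filled in, as an added example (not TAC's own tooling): fetch any page of the site and run its response headers through the audit below. The sample header sets are constructed, and the HSTS threshold defaults to the TAC default max-age quoted above.

```python
"""Checking the CSP and HSTS headers a TAC site returns.

Added example, not part of TAC. The sample header sets below are
constructed; the HSTS threshold defaults to the TAC default max-age.
"""
HSTS_DEFAULT_MAX_AGE = 16070400   # 186 days


def parse_csp(value: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def parse_hsts(value: str) -> dict:
    """Parse 'max-age=N; includeSubDomains; preload' into {name: value-or-True}."""
    params = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            params[name.lower()] = val.strip() or True
    return params


def audit_headers(headers: dict, min_max_age: int = HSTS_DEFAULT_MAX_AGE) -> list:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        if "content-security-policy-report-only" in h:
            findings.append("CSP is report-only: violations are reported but nothing is blocked")
        else:
            findings.append("no Content-Security-Policy header")
    else:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            findings.append("CSP has no default-src fallback")
        # script-src falls back to default-src when absent
        script_src = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("script-src allows 'unsafe-inline', which defeats the XSS protection")
        if "'unsafe-eval'" in script_src:
            findings.append("script-src allows 'unsafe-eval'")
        if "frame-ancestors" not in policy:
            findings.append("no frame-ancestors directive, so clickjacking is not covered")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        params = parse_hsts(hsts)
        raw_age = params.get("max-age")
        max_age = int(raw_age) if isinstance(raw_age, str) and raw_age.isdigit() else 0
        if max_age < min_max_age:
            findings.append(f"HSTS max-age {max_age} is below {min_max_age}")
        if "includesubdomains" not in params:
            findings.append("HSTS does not cover subdomains")
    return findings


# Constructed sample responses: a weak configuration and a hardened one.
WEAK_HEADERS = {
    "Content-Security-Policy-Report-Only": "default-src 'self'",
    "Strict-Transport-Security": "max-age=3600",
}
STRONG_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.net; "
                               "frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=16070400; includeSubDomains",
}
```

The report-only check matters for the Content-Security-Policy Mode dropdown: a report-only policy is useful while tuning the directives, but it blocks nothing, so the switch to enforcing mode is what actually protects users.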
Logon Lockout Policy: Under Logon Lockout Policy you define the number of failed attempts after which site access is restricted. Attackers may try to access the site by guessing passwords; after the configured number of consecutive failed logon attempts, the user account is locked out for the configured period. Similarly, you can set a logon lockout threshold per source IP as an additional protection against attempts spread across many accounts. Note that an attacker who knows a user name can trigger the account lockout deliberately, so choose thresholds and durations that the help desk can live with.
The administrator can set the logon lockout policy per site or as a global option for TAC. By default the global option applies unless you select the “Override global settings and use custom configuration for this site” checkbox.
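The two thresholds described above, modelled as an added example that is not TAC's implementation: an account lock after consecutive failures, a separate lock per source IP that also catches password spraying across many accounts, and a lock that lapses after the configured period. The thresholds and sample addresses are assumptions, and the clock is passed in as seconds so the behaviour can be checked deterministically.

```python
"""Model of a logon lockout policy with account and source-IP thresholds.

Added example, not TAC's implementation: the numbers are assumptions, and
the clock is passed in as a plain number of seconds so the behaviour can be
checked deterministically.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    account_threshold: int = 5     # consecutive failures before the account locks
    ip_threshold: int = 20         # failures from one source IP before the IP locks
    lockout_seconds: int = 900     # how long a lock lasts (15 minutes)


@dataclass
class LockoutState:
    policy: LockoutPolicy
    failures: dict = field(default_factory=lambda: defaultdict(int))  # key -> count
    locked_until: dict = field(default_factory=dict)                   # key -> unlock time

    def _threshold(self, key) -> int:
        return self.policy.account_threshold if key[0] == "user" else self.policy.ip_threshold

    def _locked(self, key, now) -> bool:
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            # The lock has lapsed: clear it and the counter that triggered it.
            del self.locked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def is_locked(self, user: str, ip: str, now: float) -> bool:
        return self._locked(("user", user), now) or self._locked(("ip", ip), now)

    def attempt(self, user: str, ip: str, password_ok: bool, now: float) -> str:
        """Process one logon attempt; returns 'locked', 'ok' or 'failed'.

        A locked account or IP is refused even with the right password, so an
        attacker who guesses correctly during the lockout learns nothing.
        """
        if self.is_locked(user, ip, now):
            return "locked"
        if password_ok:
            # Success resets the consecutive-failure count for the account only;
            # the per-IP counter keeps tracking spraying across many accounts.
            self.failures.pop(("user", user), None)
            return "ok"
        for key in (("user", user), ("ip", ip)):
            self.failures[key] += 1
            if self.failures[key] >= self._threshold(key):
                self.locked_until[key] = now + self.policy.lockout_seconds
        return "failed"
```

The per-IP counter is what stops a spray of one password across many accounts, since no single account ever reaches its own threshold; the cost is that everyone behind a shared address, such as a corporate NAT, is locked out together, which is why the IP threshold is usually set well above the account threshold.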
Authentication Servers: Authentication servers are required to authenticate users when a session starts. The administrator can add Active Directory or RADIUS servers to the list. If you untick “Require users to authenticate on session start,” users reach the site directly without being prompted for credentials.
Additionally, administrators can define policy-based authentication by selecting a policy in the policy field. When a policy is present it is evaluated before the authentication repository is presented to the end user, and depending on the outcome the repository may or may not be listed. When several authentication repositories are present, the administrator can mark each one as optional or required. Optional repositories are listed on the portal credential page and the user can choose any one of them to authenticate against.
If multiple authentication servers are available in the network, you may let users select which server to authenticate against, or authenticate automatically against each available server.
Password Change: Authenticated users can change their own password through the TAC site. If you select the “Show expiring password notification in” option, the site notifies users of an upcoming password expiration for the configured number of days beforehand.
Additionally, the administrator can customize the password change HTML message to reflect the organization's password policy.
Inactive session timeout (seconds): The period of inactivity after which an authenticated session is closed and the user is signed out of the site.
Unauthenticated session timeout (seconds): The same for a session with no user logged in, for example before the user has entered credentials. After the configured period of inactivity the session times out and the user may need to refresh the page to enter credentials.
End session after (automatic log-off) (minutes): The maximum lifetime of a session. When the configured number of minutes has elapsed the session is logged off automatically, regardless of activity.
Session close notification for automatic log-off (seconds): How many seconds before the automatic log-off the user is notified that the session is about to close.
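How the four timers above interact, as an added example (a model, not TAC's session code): the unauthenticated timeout applies until logon, the inactivity timeout is reset by every request, and the automatic log-off is an absolute deadline that activity cannot extend, with the close notification measured against that deadline. The numeric values in the sample are assumptions.

```python
"""Session lifetime rules: unauthenticated timeout, inactivity timeout,
absolute end-of-session and the close warning.

Added example, not TAC's code: models the four timer settings so their
interaction is visible. Times are plain seconds; sample values are assumptions.
"""
from dataclasses import dataclass


@dataclass
class SessionSettings:
    inactive_timeout_s: int = 900         # Inactive session timeout (seconds)
    unauthenticated_timeout_s: int = 120  # Unauthenticated session timeout (seconds)
    end_session_after_min: int = 480      # End session after (automatic log-off) (minutes)
    close_notification_s: int = 60        # Session close notification (seconds)


@dataclass
class Session:
    settings: SessionSettings
    started_at: float
    last_activity_at: float
    authenticated: bool = False

    def touch(self, now: float) -> None:
        """Any request (including the portal's background refresh) counts as activity."""
        self.last_activity_at = now

    def authenticate(self, now: float) -> None:
        self.authenticated = True
        self.touch(now)

    def absolute_deadline(self) -> float:
        return self.started_at + self.settings.end_session_after_min * 60

    def state(self, now: float) -> str:
        """Return 'active', 'warn' (close notification due) or 'expired'."""
        idle = now - self.last_activity_at
        if not self.authenticated:
            # Before logon only the shorter unauthenticated timeout applies.
            return "expired" if idle >= self.settings.unauthenticated_timeout_s else "active"
        if now >= self.absolute_deadline():
            return "expired"              # hard limit, not extended by activity
        if idle >= self.settings.inactive_timeout_s:
            return "expired"              # idle too long
        if now >= self.absolute_deadline() - self.settings.close_notification_s:
            return "warn"                 # show the close notification
        return "active"
```

The distinction matters for the "Disable background session refresh" option further down: background refresh keeps calling touch(), which defeats the inactivity timeout but never the absolute deadline.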
SameSite mode for session HTTP cookie: The SameSite attribute stops the browser from sending the session cookie with cross-site requests. Its main goal is to reduce the risk of cross-origin information leakage, and it also gives some protection against cross-site request forgery (CSRF). Possible values are Lax or Strict: Lax still sends the cookie on top-level navigations such as following a link to the site, while Strict never sends it on a cross-site request. By default this option is disabled in TAC.
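The difference between the two modes, as an added example that is not TAC code: a model of the browser's decision to attach the session cookie, run against a constructed CSRF-style cross-site form post, a cross-site link and a same-site request. The host names are constructed. When the TAC option is left disabled the attribute is absent and the outcome is browser-specific (Chromium-based browsers treat a missing attribute as Lax), so the model requires an explicit mode.

```python
"""What the SameSite mode on the session cookie changes.

Added example, not TAC code: a model of the browser's decision whether to
attach the session cookie to a request, for SameSite=Strict, Lax and None.
The site names and request shapes are constructed.
"""


def same_site(host_a: str, host_b: str) -> bool:
    """Same-site check. Simplification (assumption): the registrable domain is
    the last two labels, which is right for example.net but not for
    multi-label public suffixes such as co.uk."""
    return host_a.lower().split(".")[-2:] == host_b.lower().split(".")[-2:]


def cookie_sent(mode: str, initiator_host: str, target_host: str,
                method: str, top_level_navigation: bool, secure: bool = True) -> bool:
    """Return True if the browser attaches the cookie to this request.

    mode: 'Strict', 'Lax' or 'None' (the SameSite attribute value).
    initiator_host: site of the page that caused the request.
    target_host: host the request goes to (the TAC site).
    top_level_navigation: the request changes the address bar (link, form
    submission), as opposed to a fetch or an embedded resource.
    secure: the cookie carries the Secure attribute, which SameSite=None requires.
    """
    mode = mode.lower()
    if mode not in ("strict", "lax", "none"):
        raise ValueError("unknown SameSite mode: " + mode)
    if same_site(initiator_host, target_host):
        return True                      # same-site requests always carry the cookie
    if mode == "strict":
        return False                     # never on any cross-site request
    if mode == "lax":
        # Only a top-level navigation with a safe method, e.g. following a link.
        return top_level_navigation and method.upper() in ("GET", "HEAD")
    return secure                        # None: sent cross-site, but only if Secure


# Constructed scenario: a page on evil.example either submits a hidden form to
# the TAC site (a CSRF attempt) or links to it; app.example.net is a
# TAC-published application on the same site.
TAC = "tac.example.net"
```

Lax is the usual choice for a portal that users reach by following links from e-mail or other sites; Strict is safer but means such a link lands the user on the logon page even while a session exists, and with either mode a cross-site POST never carries the session cookie.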
Enable session sharing across sites that have session sharing enabled and use this shared key: Enable this option and enter the shared key to share sessions between sites that have session sharing enabled; each participating site must use the same key.
Enable cross domain session sharing: Enable this when a session has to move between sites under different top-level domains. Normally a cookie is only shared within one top-level domain; with this option the administrator can share sessions across several.
Session sharing should ignore protocol (HTTP/HTTPS) type: Select this option to ignore whether a site is accessed over HTTP or HTTPS when session sharing is enabled.
Disable background session refresh on portal page: Normally the portal page, while open in a browser, refreshes the session in the background and so prevents it from timing out; using an application also extends the session. Select this option to stop the portal page from refreshing the session, so that an idle portal tab no longer keeps the session alive.
Disable TAC Session: Use this option in special sites that publish applications or services consumed by clients other than web browsers, which cannot process TAC pages (for example applications that call web services to fetch results). It enables “pass-through” mode: when a request arrives, TAC forwards it to the backend server without any authentication, although an access policy may still be applied. Usually the Portal application is removed from such sites and a single application is present and set as the initial application of the site.
TAC API settings are used for advanced configuration with third-party integrations.
TAC HTTP Control settings are used by the TAC URL translation engine. If an incoming URL needs to be redirected or re-routed according to the URL or server structure, the rule can be added here.
Look and Feel
TAC provides customization options to make the end-user portal more comfortable to use. Select the theme you wish to present in the end-user portal and click OK.