Site Configuration

Every site has a unique set of configuration properties that can be configured and managed. Site Configuration applies only to the site that is currently selected. When a user accesses the regular or secure site (HTTP or HTTPS), the settings configured for that site are applied. Global settings are inherited across all sites.

For instance, you may have multiple sites created in your TAC and want to change the theme of each site, or you may need to apply a specific access policy to a particular site.

To configure Site Configuration, click the site you wish to configure and then click Configure.

Under Site Configuration, you can configure the following features:

Generic

The Basic settings section has the following fields:

Name: Site Name.

Unique ID: TAC-generated Unique ID (Site ID) for the site. The Unique ID is important because it is used to create access policies.

Enabled: Checkbox to enable or disable the site.

The Advanced settings section has the following fields:

External SSL termination: Checkbox to enable external SSL termination. This option must be enabled when TAC is placed behind an SSL or proxy device.

Client IP HTTP header name: When TAC is behind another proxy or SSL device, TAC sometimes needs the actual client IP address for reporting or audit purposes. In such cases, enter the name of the HTTP header in which the external SSL or proxy device carries the client IP address. Make sure the value of this header cannot be spoofed by the client.

Client PORT HTTP header name: When TAC is behind another proxy or SSL device, TAC sometimes needs the actual client port for reporting or audit purposes. In such cases, enter the name of the HTTP header in which the external SSL or proxy device carries the client port. Make sure the value of this header cannot be spoofed by the client.

Redirect to HTTP: When this option is enabled, all requests are redirected to HTTP instead of HTTPS.
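The anti-spoofing caveat on the client IP and port headers above is usually enforced by honouring the headers only when the connection really comes from the SSL or proxy tier. The following is an added example, not TAC code; the header names, the trusted proxy network and the sample requests are constructed assumptions.

```python
import ipaddress
from typing import Dict, Tuple

# Constructed stand-ins for the "Client IP HTTP header name" and
# "Client PORT HTTP header name" fields (assumed names, not TAC defaults).
CLIENT_IP_HEADER = "X-Real-Client-IP"
CLIENT_PORT_HEADER = "X-Real-Client-Port"
# Only peers inside these networks (the SSL/proxy tier) may supply the headers.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def is_trusted_proxy(peer_ip: str) -> bool:
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client(peer_ip: str, peer_port: int, headers: Dict[str, str]) -> Tuple[str, int]:
    """Return the (ip, port) pair to record for reporting and audit.

    The header values are used only when the TCP peer is a trusted proxy, so a
    client that reaches the gateway directly cannot forge its own address.
    Malformed header values fall back to the TCP peer address instead of being
    written into the audit trail.
    """
    if not is_trusted_proxy(peer_ip):
        return peer_ip, peer_port
    lowered = {k.lower(): v for k, v in headers.items()}
    ip_val = lowered.get(CLIENT_IP_HEADER.lower())
    port_val = lowered.get(CLIENT_PORT_HEADER.lower())
    try:
        ip = str(ipaddress.ip_address(ip_val.strip())) if ip_val else peer_ip
    except ValueError:
        ip = peer_ip
    try:
        port = int(port_val) if port_val else peer_port
        if not 0 < port < 65536:
            port = peer_port
    except ValueError:
        port = peer_port
    return ip, port
```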

Security

Enable Device Access Control: Device Access Control is a TAC feature that provides access to the site only from mobile devices approved by the administrator. When you enable this option, the administrator has explicit control over which devices are allowed to access the site. This option requires further configuration, which is covered in “Users and Device Management.”

Access Policy: With access policies, you can determine whether a request coming towards the site is valid and legitimate before providing access. For example, if the user endpoint is not compliant with the defined access policy, access is denied: if the policy requires an anti-virus application and the user endpoint has none installed, access is denied. The TAC policy engine provides strong inspection and protection for your internal resources by filtering suspicious user access. Access policies can be configured using a wide range of policy objects under the Access Policy menu. Access policy is covered in “Access Policy.”

HTTP Headers: The HTTP Headers section provides added security and allows you to protect the TAC site from malicious attacks. It contains the following HTTP security settings:

Content-Security-Policy Extra: Content Security Policy (CSP) is a response header that allows web site administrators to control the resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting (XSS) and clickjacking attacks. Enter the required CSP policy in this field.

Content-Security-Policy Mode: Select the content-security-policy mode from the dropdown.

HTTP Strict Transport Security (HSTS) State: HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with them using secure HTTPS connections and never via the insecure HTTP protocol. You may enable HSTS for the site host name only, or for both the site host name and the application host name.

HSTS max-age: Define the max-age value in the box. The default value is 16070400 (186 days).
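A quick way to verify that a site's CSP and HSTS settings are actually reaching the browser is to audit the response headers against the expectations above. This is an added example, not part of TAC; the sample header sets are constructed, and the 16070400 threshold is the default shown in the product UI.

```python
from typing import Dict, List

HSTS_DEFAULT_MAX_AGE = 16070400  # TAC default (186 days)


def parse_hsts(value: str) -> Dict[str, str]:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response's headers (header names are case-insensitive)."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: Strict-Transport-Security header missing")
    else:
        try:
            max_age = int(parse_hsts(hsts).get("max-age", ""))
        except ValueError:
            max_age = -1
            findings.append("HSTS: max-age directive missing or not an integer")
        if 0 <= max_age < HSTS_DEFAULT_MAX_AGE:
            findings.append(f"HSTS: max-age {max_age} is below the TAC default {HSTS_DEFAULT_MAX_AGE}")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: Content-Security-Policy header missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP: policy allows unsafe-inline/unsafe-eval, which weakens XSS protection")
    return findings


# Constructed sample responses (not captured from a real TAC site).
GOOD_HEADERS = {"Strict-Transport-Security": "max-age=16070400; includeSubDomains",
                "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=300",
                "Content-Security-Policy": "default-src * 'unsafe-inline'"}
```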

Logon Lockout Policy: Under Logon Lockout Policy, you can define the thresholds that restrict site access after failed logon attempts. For security reasons, suspicious users may try to access the site using random passwords. After the configured number of consecutive failed logon attempts, the user account is locked out for the configured time period to protect access to the site. Similarly, you can set a logon lockout threshold per IP address as an additional protection.

The administrator can set the logon lockout policy per site or as a global option for TAC. By default, the global option is applied unless you select the “Override global settings and use custom configuration for this site” checkbox.
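The two lockout thresholds described above (per account and per source IP, each with a lapse period) can be modelled as below. This is an added illustration of the semantics, not TAC's implementation; the threshold and duration values are constructed, and the injectable clock exists only so the lapse behaviour can be exercised without waiting.

```python
import time
from typing import Callable, Dict, Tuple

Key = Tuple[str, str]  # ("user", name) or ("ip", address)


class LogonLockoutPolicy:
    """Track consecutive failed logons per account and per source IP.

    An account is locked after account_threshold consecutive failures and a
    source IP after ip_threshold failures; each lock lapses after
    lockout_seconds. Values here are constructed, not product defaults.
    """

    def __init__(self, account_threshold: int = 5, ip_threshold: int = 20,
                 lockout_seconds: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.account_threshold = account_threshold
        self.ip_threshold = ip_threshold
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures: Dict[Key, int] = {}       # consecutive failures per key
        self._locked_until: Dict[Key, float] = {}  # lock expiry per key

    def _locked(self, key: Key) -> bool:
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock has lapsed: clear it together with the failure counter.
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def is_locked(self, user: str, ip: str) -> bool:
        return self._locked(("user", user)) or self._locked(("ip", ip))

    def record_failure(self, user: str, ip: str) -> None:
        for key, threshold in ((("user", user), self.account_threshold),
                               (("ip", ip), self.ip_threshold)):
            if self._locked(key):
                continue
            count = self._failures.get(key, 0) + 1
            self._failures[key] = count
            if count >= threshold:
                self._locked_until[key] = self.clock() + self.lockout_seconds

    def record_success(self, user: str, ip: str) -> None:
        # A successful logon resets the consecutive-failure counters.
        self._failures.pop(("user", user), None)
        self._failures.pop(("ip", ip), None)
```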

Authentication

Authentication Servers: Authentication servers are required to authenticate users at session start. The administrator can add Active Directory or RADIUS servers to the list of authentication servers. If you untick “Require users to authenticate on session start,” users access the site directly without a credential prompt.

Additionally, administrators can define policy-based authentication by selecting a policy in the policy field. When a policy is present, it is evaluated before the authentication repository is presented to the end user; depending on the policy outcome, the repository may or may not be listed for the end user to authenticate against. Further, when there are multiple authentication repositories in the list, the administrator can mark any repository as optional or required. Repositories marked as optional are listed on the portal credential page, and the user can select any one of them to authenticate their credentials.

If you have multiple authentication servers available in the network, you may configure users to select which server to authenticate against, or authenticate automatically against each available server.

Password Change: Authenticated users can change their own password through the TAC site. The TAC site notifies the user about upcoming password expiration for the configured number of days if you select the “Show expiring password notification in” option.

Additionally, the administrator can customize password change HTML message to reflect their organization’s password policy.

Session

Inactive session timeout (seconds): Administrators can configure the inactive session timeout value in seconds. After the configured period of inactivity in the session has elapsed, the session is closed and the user is signed out from the site.

Unauthenticated session timeout (seconds): This applies to a session without a logged-in user, for example before the user enters credentials. After the configured period of inactivity, the session times out and the user may need to refresh the page to enter credentials.

End session after (automatic log-off) (minutes): Set the session log-off time in minutes. After the set time has elapsed, the session is automatically logged off.

Session close notification for automatic log-off (seconds): Set how many seconds before the end-session time is reached the user is notified about the upcoming session log-off.

SameSite mode for session HTTP cookie: SameSite prevents the browser from sending the cookie along with cross-site requests. The main goal is mitigating the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks. Possible values for the flag are Lax or Strict. By default, this option is disabled in TAC.

Enable session sharing across sites that have session sharing enabled and use this shared key: Enable this option and enter a shared key to share sessions across sites that have session sharing enabled.

Enable cross domain session sharing: Enable this feature when the user switches between different top-level domains during a session. Usually a cookie is shared only within the same top-level domain; with this option, the administrator can enable session sharing between multiple top-level domains.

Session sharing should ignore protocol (HTTP/HTTPS) type: Select this option to ignore the HTTP/HTTPS protocol type when session sharing is enabled.

Disable background session refresh on portal page: Background session refresh extends the session while the portal page is open in the browser, which prevents the session from timing out. Select this option to disable that refresh; the session is still extended while the user uses applications.

Disable TAC Session: This option should be used on special sites that publish applications or services for non-browser clients that cannot process TAC pages, for example applications that call web services to get results. This option enables “pass-through” mode in TAC: when a request arrives, TAC sends it to the backend server without any authentication; however, the policy may still be applied. Usually the Portal application is removed from such sites, and only one app is present and set as the initial application of the site.

API

The TAC API settings are used for advanced configuration with third-party integrations.

HTTP Control

The TAC HTTP Control settings are used to translate URLs with the TAC URL translation engine. If any incoming URL needs to be redirected or re-routed depending on the URL or server structure, it can be added here.

Look and Feel

TAC provides extensive customization options to make the visuals more comfortable for the end user. Select the theme you wish to see in the end user portal and click OK.