Cisco Web Security Appliance S360 User Guide

Cisco IronPort AsyncOS 7.7.5 for Web User Guide
 
Chapter 20: Authentication
Understanding How Authentication Works
The following subsections describe these methods of authentication in more detail.
Explicit Forward Deployment, Basic Authentication
When a client explicitly sends a web page request to a Web Security appliance deployed in explicit 
forward mode, the Web Proxy can reply to the client with a 407 HTTP response “Proxy Authentication 
Required.” This status informs the client that it must supply valid authentication credentials to access 
web resources.
The authentication process comprises these steps:
1. Client sends a request to the Web Proxy to connect to a web page.
2. Web Proxy responds with a 407 HTTP response “Proxy Authentication Required.”
3. User enters credentials, and client application resends the original request with the credentials encoded in Base64 (not encrypted) in a “Proxy-Authorization” HTTP header.
4. Web Proxy verifies the credentials and returns the requested web page.
Table 20-4 lists advantages and disadvantages of using explicit forward Basic authentication.
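The four-step exchange above, as an added Python example (not taken from the Cisco guide): it recognizes the 407 challenge and shows that the Base64 value in the “Proxy-Authorization” header decodes straight back to the user name and password, which is the clear-text disadvantage listed in Table 20-4. The messages, host names, realm and credentials are constructed sample values, and the function names are hypothetical.

```python
import base64
import binascii

# Constructed sample messages for steps 2 and 3 (not captured traffic).
CHALLENGE = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    'Proxy-Authenticate: Basic realm="wsa.example"\r\n'
    "\r\n"
)
RETRY = (
    "GET http://www.example.com/ HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Proxy-Authorization: Basic "
    + base64.b64encode(b"jdoe:S3cret:pw").decode() + "\r\n"
    "\r\n"
)

def headers(message):
    """Return the start line and a dict of lower-cased header names."""
    head = message.split("\r\n\r\n", 1)[0].split("\r\n")
    fields = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    return head[0], fields

def is_proxy_challenge(message):
    """Step 2: a 407 status line that offers the Basic scheme."""
    start, fields = headers(message)
    parts = start.split()
    offered = fields.get("proxy-authenticate", "").lower()
    return len(parts) >= 2 and parts[1] == "407" and offered.startswith("basic")

def decode_basic(message):
    """Step 3: recover (user, password) from Proxy-Authorization, or None."""
    _, fields = headers(message)
    scheme, _, token = fields.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed header value
    user, sep, password = raw.partition(":")  # the password may contain ':'
    return (user, password) if sep else None

if __name__ == "__main__":
    print(is_proxy_challenge(CHALLENGE), decode_basic(RETRY))
```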
Transparent Deployment, Basic Authentication
The 407 HTTP response “Proxy Authentication Required” is allowed from proxy servers only. However, 
when the Web Proxy is deployed in transparent mode, its existence is hidden from client applications on 
the network. Therefore, the Web Proxy cannot return a 407 response. 
To address this problem, the authentication process comprises these steps:
1. Client sends a request to a web page and the Web Proxy transparently intercepts it.
2. Web Proxy uses a 307 HTTP response to redirect the client to the Web Proxy which masquerades as a local web server.
   Note: This transaction is recorded in the access logs with “TCP_DENIED/307”.
3. Client sends a request to the redirected URL.
Table 20-3  Methods of Authentication (continued)

Web Proxy Deployment   Client to Web Security Appliance   Web Security Appliance to Authentication Server
Explicit forward       NTLM                               NTLMSSP
Transparent            NTLM                               NTLMSSP
Table 20-4  Pros and Cons of Explicit Forward Basic Authentication

Advantages:
  • RFC-based
  • Supported by all browsers and most other applications
  • Minimal overhead
  • Works for HTTPS (CONNECT) requests

Disadvantages:
  • Password sent as clear text (Base64) for every request
  • No single sign-on