Cisco Cisco Web Security Appliance S670 User Guide

is closed. When the Web Proxy is deployed in transparent mode, and the “Apply same surrogate 
settings to explicit forward requests” option is not enabled, no authentication surrogates are used for 
explicit forward requests. 

To use the re-authentication feature with user defined end-user notification pages, the CGI script that 
parses the redirect URL must parse and use the Reauth_URL parameter. For more information, see 

When you enable re-authentication and clients use Microsoft Internet Explorer, you need to verify 
certain settings to ensure re-authentication works properly with Internet Explorer. Due to a known issue 
with Internet Explorer, re-authentication does not work properly under the following circumstances:

Internet Explorer is configured to use the Web Security appliance as a proxy.

The Web Security appliance uses NTLMSSP authentication.

The Web Security appliance uses cookies for authentication surrogates, but is not configured for 
credential encryption.

The Web Proxy is deployed in explicit forward mode, or it is deployed in transparent mode and the 
“Apply same surrogate settings to explicit forward requests” option is enabled in the applicable 
Identity group.

Problems occur when authentication is required to access the site, and may occur either when initially 
requesting the site or when re-authenticating to try to access the site.

To work around these problems, enable credential encryption on the Network > Authentication page.

When you enable re-authentication and configure client applications to use a PAC file, you may need to 
verify certain settings to ensure re-authentication works properly with the PAC file. 

Re-authentication does not work properly under the following circumstances:

Client browsers are configured to use a PAC file, and the PAC file is designed to bypass the Web 
Proxy for internal web servers. Instead of instructing the browser to explicitly send requests to the 
Web Proxy, it instructs the browser to directly send the request to the destination server.

The Web Security appliance uses IP addresses for authentication surrogates or no surrogates, and 
credential encryption is not enabled.

The Web Proxy is deployed in explicit forward mode, or it is deployed in transparent mode and the 
“Apply same surrogate settings to explicit forward requests” option is enabled for the applicable 
Identity group.

Problems occur because re-authentication requires clients to be redirected to the Web Proxy for 
authentication, but the PAC file bypasses all requests to internal web servers, including the Web Security 
appliance.

To work around these problems, edit the PAC file so that the function FindProxyForURL() returns 
“PROXY x.x.x.x:80” when the host IP address is x.x.x.x. The port number you specify in the return 
should the same port configured for other destinations.