Cisco Web Security Appliance S680 Release Notes

Release Notes for Cisco IronPort AsyncOS 7.5.7 for Web
Known Issues
33285
Web Security appliance does not support Group Authorization against predefined 
Active Directory groups for LDAP authentication realms. When the Web Security 
appliance has a web access policy group using LDAP authentication and policy 
membership is defined by authentication groups using a predefined Active Directory 
group, such as “Domain Users” or “Cert Publishers,” then no transactions match this 
policy group. Transactions from users in the predefined Active Directory group 
typically match the Global Policy Group instead.
Workaround: Specify a user-defined Active Directory group.
34405
LDAP group authentication does not work with posixGroups. When you configure an 
LDAP authentication realm and enter a custom group filter query as 
objectclass=posixGroup, the appliance does not query memberUid objects correctly. 
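
The schema difference relevant to this issue, as an added example (not Cisco code and not part of the release notes): RFC 2307 posixGroup entries list members as bare login names in memberUid, while DN-based groups list full DNs in member. The LDIF sample, the helper names and the dn_only flag are constructed for illustration; dn_only is a hypothetical model of a DN-only lookup, not a description of AsyncOS internals.

```python
from collections import defaultdict

# Constructed sample directory export (not from the release notes).
SAMPLE_LDIF = """\
dn: cn=webusers,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: webusers
memberUid: alice
memberUid: bob

dn: cn=proxyadmins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: proxyadmins
member: uid=alice,ou=people,dc=example,dc=com
member: uid=carol,ou=people,
 dc=example,dc=com
"""

def parse_ldif(text):
    """Parse plain (non-base64) LDIF into a list of {attr: [values]} dicts."""
    entries, current, last = [], defaultdict(list), None
    for line in text.splitlines() + [""]:
        if not line.strip():                     # blank line ends a record
            if current:
                entries.append(dict(current))
            current, last = defaultdict(list), None
        elif line.startswith(" ") and last:      # folded continuation line
            current[last][-1] += line[1:]
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            last = attr.strip().lower()
            current[last].append(value.strip())
    return entries

def norm_dn(dn):
    """Comparison key for a DN: lowercase, no spaces around commas (no escapes)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def groups_for(user_dn, user_uid, groups, dn_only=False):
    """Return the cn of each group containing the user.
    dn_only=True models a lookup that compares only DNs against 'member'."""
    found = []
    for g in groups:
        by_dn = norm_dn(user_dn) in {norm_dn(m) for m in g.get("member", [])}
        by_uid = not dn_only and user_uid in g.get("memberuid", [])
        if by_dn or by_uid:
            found.append(g["cn"][0])
    return found
```
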
34496
NTLM authentication does not work in some cases when the Web Security appliance 
is connected to a WCCP v2 capable device. When a user makes a request with a highly 
locked-down version of Internet Explorer that does not do transparent NTLM 
authentication correctly and the appliance is connected to a WCCP v2 capable device, 
the browser defaults to Basic authentication. This results in users getting prompted for 
their authentication credentials when they should not get prompted.
Workaround: In Internet Explorer, add the Web Security appliance redirect hostname 
to the list of trusted sites in the Local Intranet zone (Tools > Internet Options > 
Security tab). 
35652
When clients run Java version 1.5 and the Web Security appliance uses NTLM 
authentication, some Java applets fail to load.
Workaround: Upgrade Java to version 1.6_03 on the client machines. 
36229
The Web Security appliance does not create a computer account in the specified 
location on the Active Directory server under the following conditions:
1. You define the location for the computer account in the NTLM authentication 
   realm and join the domain. The appliance successfully creates the computer 
   account in the Active Directory server.
2. You change the location for the computer account in the NTLM authentication 
   realm and then try to join the domain again. The appliance does not create the 
   computer account even though it displays a message informing you that it 
   successfully created the computer account. The computer account still exists in 
   the old location.
37455
LDAP authentication fails when all of the following conditions are true:
  • The LDAP authentication realm uses an Active Directory server.
  • The Active Directory server uses an LDAP referral to another authentication 
    server.
  • The referred authentication server is unavailable to the Web Security appliance.
Workaround: Either specify the Global Catalog server (default port is 3268) in the 
Active Directory forest when you configure the LDAP authentication realm in the 
appliance, or use the advancedproxyconfig > authentication CLI command to 
disable LDAP referrals. LDAP referrals are disabled by default.
Table 2: Known Issues for AsyncOS 7.5.7 for Web (continued). Columns: Defect ID, Description.