Cisco Web Security Appliance S690 User Guide

Cisco IronPort AsyncOS 7.7 for Web User Guide
 
Chapter 20      Authentication
Understanding How Authentication Works
How Web Proxy Deployment Affects Authentication
The Web Proxy communicates with clients and authentication servers differently depending on the type
of Web Proxy deployment and the authentication protocol.
Table 20-3 lists the possible methods of authentication for the various authentication protocols and
deployment types.
The following subsections describe these methods of authentication in more detail.
Explicit Forward Deployment, Basic Authentication
When a client explicitly sends a web page request to a Web Security appliance deployed in explicit 
forward mode, the Web Proxy can reply to the client with a 407 HTTP response “Proxy Authentication 
Required.” This status informs the client that it must supply valid authentication credentials to access 
web resources.
The authentication process comprises these steps:
1. Client sends a request to the Web Proxy to connect to a web page.
2. Web Proxy responds with a 407 HTTP response “Proxy Authentication Required.”
3. User enters credentials, and client application resends the original request with the credentials
   encoded in Base64 (not encrypted) in a “Proxy-Authorization” HTTP header.
4. Web Proxy verifies the credentials and returns the requested web page.
Table 20-4 lists advantages and disadvantages of using explicit forward Basic authentication.
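The four steps above, replayed as an added Python example (not taken from the Cisco guide or the appliance): it models both sides of the 407 exchange and shows that the “Proxy-Authorization” value decodes straight back to the user name and password with no key. The directory contents, the realm name and the function names are assumptions made for illustration.

```python
import base64
import binascii
import hmac

# Constructed directory standing in for the LDAP or NTLM Basic lookup (assumption).
DIRECTORY = {"jsmith": "S3cret:pw"}
CHALLENGE = (407, {"Proxy-Authenticate": 'Basic realm="example-proxy"'})  # realm is made up

def build_proxy_authorization(user, password):
    """Step 3, client side: Base64-encode "user:password" (encoding, not encryption)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def parse_proxy_authorization(value):
    """Recover (user, password) from the header value; anyone on the path can do this."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Base64 token") from exc
    user, sep, password = decoded.partition(":")  # the password may itself contain ':'
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password

def proxy_handle(headers, directory=DIRECTORY):
    """Steps 2 and 4, proxy side: answer 407 until valid credentials arrive."""
    value = headers.get("Proxy-Authorization")
    if value is None:
        return CHALLENGE
    try:
        user, password = parse_proxy_authorization(value)
    except ValueError:
        return CHALLENGE
    expected = directory.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return CHALLENGE
    return (200, {})

def run_exchange(user, password):
    """Replay steps 1-4 and return the two status codes the client sees."""
    first = proxy_handle({"Host": "www.example.com"})  # steps 1-2
    retry = {"Host": "www.example.com",
             "Proxy-Authorization": build_proxy_authorization(user, password)}
    second = proxy_handle(retry)  # steps 3-4
    return first[0], second[0]
```

Because the header is resent with every request, each request on an unencrypted client-to-proxy connection exposes the same recoverable credential.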
Transparent Deployment, Basic Authentication
The 407 HTTP response “Proxy Authentication Required” is allowed from proxy servers only. However, 
when the Web Proxy is deployed in transparent mode, its existence is hidden from client applications on 
the network. Therefore, the Web Proxy cannot return a 407 response. 
Table 20-3    Methods of Authentication

Web Proxy Deployment | Client to Web Security Appliance | Web Security Appliance to Authentication Server
---------------------+----------------------------------+------------------------------------------------
Explicit forward     | Basic                            | LDAP or NTLM Basic
Transparent          | Basic                            | LDAP or NTLM Basic
Explicit forward     | NTLM                             | NTLMSSP
Transparent          | NTLM                             | NTLMSSP

Table 20-4    Pros and Cons of Explicit Forward Basic Authentication

Advantages
  • RFC-based
  • Supported by all browsers and most other applications
  • Minimal overhead
  • Works for HTTPS (CONNECT) requests

Disadvantages
  • Password sent as clear text (Base64) for every request
  • No single sign-on