Cisco Cisco Web Security Appliance S690 User Guide
5-35
AsyncOS 9.1 for Cisco Web Security Appliances User Guide
Chapter 5 Acquire End-User Credentials
Credentials
•
Persistent cookie. The privileged user identity is used until the surrogate times out.
•
IP address. The privileged user identity is used until the surrogate times out.
•
No surrogate. By default, the Web Proxy requests authentication for every new connection, but
when re-authentication is enabled, the Web Proxy requests authentication for every new request, so
there is an increased load on the authentication server when using NTLMSSP. The increase in
authentication activity may not be apparent to a user, however, because most browsers will cache
the privileged user credentials and authenticate without prompting until the browser is closed. Also,
when the Web Proxy is deployed in transparent mode, and the “Apply same surrogate settings to
explicit forward requests” option is not enabled, no authentication surrogates are used for explicit
forward requests and increased load will occur with re-authentication.
when re-authentication is enabled, the Web Proxy requests authentication for every new request, so
there is an increased load on the authentication server when using NTLMSSP. The increase in
authentication activity may not be apparent to a user, however, because most browsers will cache
the privileged user credentials and authenticate without prompting until the browser is closed. Also,
when the Web Proxy is deployed in transparent mode, and the “Apply same surrogate settings to
explicit forward requests” option is not enabled, no authentication surrogates are used for explicit
forward requests and increased load will occur with re-authentication.
Note
If the Web Security appliance uses cookies for authentication surrogates, Cisco recommends enabling
credential encryption.
credential encryption.
Credentials
Authentication credentials are obtained from users by either prompting them to enter their credentials
through their browsers, or another client application, or by obtaining the credentials transparently from
another source.
through their browsers, or another client application, or by obtaining the credentials transparently from
another source.
•
•
•
•
Tracking Credentials for Reuse During a Session
Using authentication surrogates, after a user authenticates once during a session, you can track
credentials for reuse throughout that session rather than having the user authenticate for each new
request. Authentication surrogates may be based on the IP address of the user’s workstation or on a
cookie that is assigned to the session.
credentials for reuse throughout that session rather than having the user authenticate for each new
request. Authentication surrogates may be based on the IP address of the user’s workstation or on a
cookie that is assigned to the session.
For Internet Explorer, be sure the Redirect Hostname is the short host name (containing no dots) or the
NetBIOS name rather than a fully qualified domain. Alternatively, you can add the appliance host name
to Internet Explorer’s Local intranet zone (Tools > Internet options > Security tab); however, this will be
required on every client. For more information about this, see
NetBIOS name rather than a fully qualified domain. Alternatively, you can add the appliance host name
to Internet Explorer’s Local intranet zone (Tools > Internet options > Security tab); however, this will be
required on every client. For more information about this, see
With Firefox and other non-Microsoft browsers, the parameters network.negotiate-auth.delegation-uris,
network.negotiate-auth.trusted-uris and network.automatic-ntlm-auth.trusted-uris must be set to the
transparent-mode Redirect Hostname. You also can refer to
network.negotiate-auth.trusted-uris and network.automatic-ntlm-auth.trusted-uris must be set to the
transparent-mode Redirect Hostname. You also can refer to
. This
provides general information about changing Firefox parameters.
For information about the Redirect Hostname, see
, or the CLI
command