Cisco Cisco Web Security Appliance S380 User Guide
20-41
Cisco IronPort AsyncOS 7.1 for Web User Guide
OL-23207-01
Chapter 20 Authentication
Allowing Users to Re-Authenticate
•
The Web Security appliance uses NTLMSSP authentication.
•
The Web Security appliance uses cookies for authentication surrogates, but is
not configured for credential encryption.
not configured for credential encryption.
•
The Web Proxy is deployed in explicit forward mode, or it is deployed in
transparent mode and the “Apply same surrogate settings to explicit forward
requests” option is enabled in the applicable Identity group.
transparent mode and the “Apply same surrogate settings to explicit forward
requests” option is enabled in the applicable Identity group.
Problems occur when authentication is required to access the site, and may occur
either when initially requesting the site or when re-authenticating to try to access
the site.
either when initially requesting the site or when re-authenticating to try to access
the site.
To work around these problems, enable credential encryption on the Network >
Authentication page.
Authentication page.
Using Re-Authentication with PAC Files
When you enable re-authentication and configure client applications to use a PAC
file, you may need to verify certain settings to ensure re-authentication works
properly with the PAC file.
file, you may need to verify certain settings to ensure re-authentication works
properly with the PAC file.
Re-authentication does not work properly under the following circumstances:
•
Client browsers are configured to use a PAC file, and the PAC file is designed
to bypass the Web Proxy for internal web servers. Instead of instructing the
browser to explicitly send requests to the Web Proxy, it instructs the browser
to directly send the request to the destination server.
to bypass the Web Proxy for internal web servers. Instead of instructing the
browser to explicitly send requests to the Web Proxy, it instructs the browser
to directly send the request to the destination server.
•
The Web Security appliance uses IP addresses for authentication surrogates
or no surrogates, and credential encryption is not enabled.
or no surrogates, and credential encryption is not enabled.
•
The Web Proxy is deployed in explicit forward mode, or it is deployed in
transparent mode and the “Apply same surrogate settings to explicit forward
requests” option is enabled for the applicable Identity group.
transparent mode and the “Apply same surrogate settings to explicit forward
requests” option is enabled for the applicable Identity group.
Problems occur because re-authentication requires clients to be redirected to the
Web Proxy for authentication, but the PAC file bypasses all requests to internal
web servers, including the Web Security appliance.
Web Proxy for authentication, but the PAC file bypasses all requests to internal
web servers, including the Web Security appliance.
To work around these problems, edit the PAC file so that the function
FindProxyForURL() returns “PROXY x.x.x.x:80” when the host IP address is
x.x.x.x. The port number you specify in the return should the same port
configured for other destinations.
FindProxyForURL() returns “PROXY x.x.x.x:80” when the host IP address is
x.x.x.x. The port number you specify in the return should the same port
configured for other destinations.