Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 21 Authentication
Sending Authentication Credentials Securely
Then, using the secure HTTPS connection, the clients send the authentication credentials. The appliance uses its own certificate and private key to create an HTTPS connection with the client by default. Most browsers will warn users that the certificate is not valid. To prevent users from seeing the invalid certificate message, you can upload a certificate and key pair your organization uses. When you upload a certificate and key, the private key must be unencrypted. For information about uploading a certificate and key, see
To configure the appliance to use credential encryption, enable the Credential Encryption setting in the global authentication settings. For more information, see . You can also use the advancedproxyconfig > authentication CLI command. For more information, see .
Uploading Certificates and Keys to Use with Credential Encryption and SaaS Access Control
When credential encryption is enabled or when using SaaS Access Control, the appliance uses a digital certificate to securely establish a connection with the client application. By default, the Web Security appliance uses the “Cisco IronPort Web Security Appliance Demo Certificate” that comes installed. However, client applications are not programmed to recognize this certificate, so you can upload a digital certificate to the appliance that your applications recognize automatically.
Use the Advanced section on the Network > Authentication page to upload the certificate and key.
Note
When AsyncOS for Web runs on a FIPS-compliant Web Security appliance, you must use the FIPS management console to generate or upload the root certificate and key pair. When you generate or upload certificates and keys using the FIPS management console, the keys are protected by the HSM card. For more information on using the FIPS management console, see
For more information on obtaining a certificate and private key pair to upload, see .
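The guide states two things an administrator must get right before the upload: the pair must be a certificate your clients already trust (so they do not see the invalid-certificate warning), and the private key must be unencrypted. The following is an added pre-upload check, not Cisco's code and not part of this guide; it inspects the PEM files the way a reviewer would before pasting them into the Network > Authentication page. The PEM samples are constructed placeholders (the base64 bodies are not real key material), and the function names are assumptions for this example.

```python
import base64
import re

# Constructed PEM samples for this example. The base64 bodies are placeholder
# bytes, not real keys or certificates.
_BODY = base64.b64encode(b"constructed placeholder body, not real key material").decode()

CERT_PEM = f"-----BEGIN CERTIFICATE-----\n{_BODY}\n-----END CERTIFICATE-----\n"
PLAIN_PKCS8_KEY = f"-----BEGIN PRIVATE KEY-----\n{_BODY}\n-----END PRIVATE KEY-----\n"
PLAIN_RSA_KEY = f"-----BEGIN RSA PRIVATE KEY-----\n{_BODY}\n-----END RSA PRIVATE KEY-----\n"
# PKCS#8 keys protected by a passphrase carry their own label
ENCRYPTED_PKCS8_KEY = (
    f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{_BODY}\n-----END ENCRYPTED PRIVATE KEY-----\n"
)
# Traditional OpenSSL format signals a passphrase with header lines inside the block
ENCRYPTED_RSA_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    f"{_BODY}\n"
    "-----END RSA PRIVATE KEY-----\n"
)

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return a list of (label, body) tuples for every PEM block in text."""
    return [(m.group(1), m.group(2)) for m in _PEM_BLOCK.finditer(text)]


def key_is_encrypted(label, body):
    """True if a private key block is passphrase-protected in either PEM convention."""
    if label == "ENCRYPTED PRIVATE KEY":
        return True
    return "Proc-Type: 4,ENCRYPTED" in body


def check_upload_bundle(cert_pem, key_pem):
    """Return the problems that make a pair unsuitable for upload; an empty list means OK."""
    problems = []
    certs = [b for b in pem_blocks(cert_pem) if b[0] == "CERTIFICATE"]
    if not certs:
        problems.append("no CERTIFICATE block found in certificate file")
    keys = [b for b in pem_blocks(key_pem) if b[0].endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    for label, body in keys:
        if key_is_encrypted(label, body):
            problems.append(
                f"private key block '{label}' is passphrase-protected; "
                "the appliance requires an unencrypted key"
            )
    return problems


if __name__ == "__main__":
    for name, key in [("plain pkcs8", PLAIN_PKCS8_KEY), ("plain rsa", PLAIN_RSA_KEY),
                      ("encrypted pkcs8", ENCRYPTED_PKCS8_KEY), ("encrypted rsa", ENCRYPTED_RSA_KEY)]:
        print(name, check_upload_bundle(CERT_PEM, key) or "OK")
```

If the check reports a passphrase-protected key, `openssl pkey -in protected.pem -out plain.pem` writes the unencrypted form after prompting for the passphrase; since the resulting file is the appliance's private key in the clear, keep it on restricted-permission storage and remove the working copy once the upload succeeds.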
Note
Any certificate and key you upload on the Network > Authentication page is only used for establishing secure connections with clients for credential encryption and authenticating SaaS users using SaaS Access Control. The certificate and key are not used for establishing secure HTTPS sessions when connecting to the Web Security appliance web interface. For more information on uploading a certificate and key pair for HTTPS connections to the web interface, see
For more information on SaaS Access Control, see .
Accessing HTTPS and FTP Sites with Credential Encryption Enabled
Credential encryption works because the Web Proxy redirects clients to the Web Proxy itself for authentication using an HTTPS connection. After successful authentication, the Web Proxy redirects clients back to the original website. In order to continue to identify the user, the Web Proxy must use a surrogate (either the IP address or a cookie).
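The redirect-and-surrogate flow above is easier to reason about as a small model. The following is an added example, not Cisco's code and not part of this guide: it plays the Web Proxy's role for one client, redirecting an unidentified request to the proxy's own HTTPS listener, accepting the credentials there, recording either an IP or a cookie surrogate, and redirecting back to the original URL. The listener name `wsa.example.internal`, the `/auth` path, the cookie name and the test credential are all assumptions constructed for the model. The model also shows the property that separates the two surrogate types: a cookie surrogate only identifies requests that carry the cookie back, while an IP surrogate identifies every request from that address.

```python
from dataclasses import dataclass, field
import secrets
from urllib.parse import quote, urlparse, parse_qs

# Assumed names for this model: the proxy's own HTTPS listener and its auth path.
PROXY_AUTH_ORIGIN = "https://wsa.example.internal"   # assumption, not a real host
AUTH_PATH = "/auth"                                   # assumption
COOKIE_NAME = "wsa_surrogate"                         # assumption


@dataclass
class Request:
    client_ip: str
    url: str
    cookies: dict = field(default_factory=dict)


class CredentialEncryptionProxy:
    """Model of the flow: authenticate over the proxy's own HTTPS listener,
    then identify later requests by a surrogate (client IP or cookie)."""

    def __init__(self, surrogate="cookie"):
        assert surrogate in ("ip", "cookie")
        self.surrogate = surrogate
        self.by_ip = {}        # client_ip -> username
        self.by_cookie = {}    # cookie token -> username

    def identify(self, req):
        """Map a request to a user via the configured surrogate, or None."""
        if self.surrogate == "ip":
            return self.by_ip.get(req.client_ip)
        return self.by_cookie.get(req.cookies.get(COOKIE_NAME))

    def handle(self, req):
        """Return ("forward", user) for an identified client; otherwise redirect
        the client to the HTTPS authentication endpoint, carrying the original URL."""
        user = self.identify(req)
        if user:
            return ("forward", user)
        location = f"{PROXY_AUTH_ORIGIN}{AUTH_PATH}?redirect={quote(req.url, safe='')}"
        return ("redirect", location)

    def authenticate(self, req, username, password, verify):
        """Handle the credential POST on the HTTPS endpoint. `verify` stands in
        for the directory lookup. On success record the surrogate and redirect
        back to the original website."""
        assert req.url.startswith(PROXY_AUTH_ORIGIN + AUTH_PATH)
        if not verify(username, password):
            return ("deny", None, {})
        original = parse_qs(urlparse(req.url).query)["redirect"][0]
        set_cookie = {}
        if self.surrogate == "ip":
            self.by_ip[req.client_ip] = username
        else:
            token = secrets.token_urlsafe(16)
            self.by_cookie[token] = username
            set_cookie = {COOKIE_NAME: token}
        return ("redirect", original, set_cookie)


def demo(surrogate):
    """Run one client through the flow and return the decisions the model made."""
    proxy = CredentialEncryptionProxy(surrogate)
    creds = {"alice": "correct horse"}   # constructed test credential
    verify = lambda u, p: creds.get(u) == p
    first = proxy.handle(Request("10.0.0.5", "http://intranet.example/report"))
    auth = proxy.authenticate(Request("10.0.0.5", first[1]), "alice", "correct horse", verify)
    back = proxy.handle(Request("10.0.0.5", auth[1], cookies=auth[2]))
    # A second request from the same address that does not carry the cookie back
    other = proxy.handle(Request("10.0.0.5", "http://intranet.example/other"))
    return first[0], auth[0], auth[1], back, other


if __name__ == "__main__":
    for mode in ("cookie", "ip"):
        print(mode, demo(mode))
```

Running the block prints, for each surrogate type, the initial redirect, the authentication result, the URL the client is sent back to, and the decisions for the two follow-up requests; only the IP surrogate forwards the cookie-less second request.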