Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 21 Authentication
Tracking Authenticated Users
To work around these problems, edit the PAC file so that the function FindProxyForURL() returns
“PROXY x.x.x.x:80” when the host IP address is x.x.x.x. The port number you specify in the return
value should be the same port configured for other destinations.
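The PAC edit described above, as an added example that is not Cisco's own PAC file. It assumes the original PAC sent the appliance's address DIRECT through an internal-network rule; 192.0.2.10 is a constructed placeholder for x.x.x.x, and inNet() is a hypothetical stand-in for the PAC built-in isInNet() so the file also runs outside a browser.

```javascript
// Added example. All addresses are constructed placeholders:
// 192.0.2.10 stands in for the appliance's "x.x.x.x" from the guide.
var WSA_IP = "192.0.2.10";
var PROXY_PORT = 80; // one port for every destination, as the guide requires
var PROXY = "PROXY " + WSA_IP + ":" + PROXY_PORT;

// Hypothetical helper: IPv4 literal -> unsigned 32-bit integer, null for hostnames.
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// Hypothetical stand-in for the PAC built-in isInNet().
function inNet(host, net, mask) {
  var h = ipv4ToInt(host), n = ipv4ToInt(net), m = ipv4ToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// Assumed starting point: the internal-network rule also matches the appliance.
function FindProxyForURL_before(url, host) {
  if (inNet(host, "192.0.2.0", "255.255.255.0")) return "DIRECT";
  return PROXY;
}

// Edited PAC: the appliance's own IP is tested first and is sent to the proxy,
// using the same port as every other proxied destination.
function FindProxyForURL(url, host) {
  if (host === WSA_IP) return PROXY;
  if (inNet(host, "192.0.2.0", "255.255.255.0")) return "DIRECT";
  return PROXY;
}
```

The appliance check must come before any DIRECT rule, because a PAC file returns on the first matching condition.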
Note
If the Web Security appliance uses cookies for authentication surrogates, Cisco recommends enabling
credential encryption. For more information, see
Tracking Authenticated Users
Table 21-11 describes which authentication surrogates are supported with other configurations and
different types of requests (explicitly forwarded and transparently redirected).
* Works after the client makes a request to an HTTP site and is authenticated, or when the client makes
a request to an HTTPS site and the HTTPS Proxy is configured to decrypt the first HTTPS request for
authentication purposes. When the HTTPS Proxy is configured to deny the first HTTPS request, all
requests to HTTPS sites before authentication happens for a previous request are dropped.
** When cookie-based authentication is used, the Web Proxy cannot authenticate the user for HTTPS
and FTP over HTTP transactions. Due to this limitation, all HTTPS and FTP over HTTP requests bypass
authentication, so authentication is not requested at all. For more information on how HTTPS requests
are assigned Identity and non-Identity policy groups, see
*** No surrogate is used in this case even though cookie-based surrogate is configured.
Bypassing Authentication
Some client applications, such as some instant messaging applications or applets, and servers do not
handle authentication well. For example, some clients do not handle NTLMSSP at all, while others might
not strictly follow the authentication standard. When the Web Proxy processes transactions between
these applications or servers, authentication might fail.
You can work around these limitations by bypassing authentication for the affected clients and servers.
To bypass authentication for some client applications and websites:
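Table 21-11 Supported Authentication Surrogates

| Surrogate Types | Explicit Requests | Explicit Requests | Explicit Requests | Explicit Requests | Transparent Requests | Transparent Requests | Transparent Requests | Transparent Requests |
|---|---|---|---|---|---|---|---|---|
| Credential Encryption: | Disabled | Disabled | Enabled | Enabled | Disabled | Disabled | Enabled | Enabled |
| Protocol: | HTTP | HTTPS & FTP over HTTP | HTTP | HTTPS & FTP over HTTP | HTTP | HTTPS | HTTP | HTTPS |
| No Surrogate | Yes | Yes | NA | NA | NA | NA | NA | NA |
| IP-based | Yes | Yes | Yes | Yes | Yes | No/Yes* | Yes | No/Yes* |
| Cookie-based | Yes | Yes*** | Yes | No/Yes** | Yes | No/Yes** | Yes | No/Yes** |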