Cisco Web Security Appliance S160 User Guide
AsyncOS 8.7 for Cisco Web Security Appliances User Guide
Appendix A Troubleshooting
Upstream Proxy Problems
Note
When working with Access Control, you can bypass authentication for the Assertion Consumer
Service (ACS) URL configured in the Application Authentication Policy.
Related Topics
• Bypassing Authentication, page 5-20
Upstream Proxy Problems
Upstream Proxy Does Not Receive Basic Credentials
If both the appliance and the upstream proxy use authentication with NTLMSSP, depending on the
configurations, the appliance and upstream proxy might engage in an infinite loop of requesting
authentication credentials. For example, if the upstream proxy requires Basic authentication, but the
appliance requires NTLMSSP authentication, then the appliance can never successfully pass Basic
credentials to the upstream proxy. This is due to limitations in authentication protocols.
Client Requests Fail Upstream Proxy
Configuration:
• Web Security appliance and upstream proxy server use Basic authentication.
• Credential Encryption is enabled on the downstream Web Security appliance.
Client requests fail on the upstream proxy because the Web Proxy receives an “Authorization” HTTP
header from clients, but the upstream proxy server requires a “Proxy-Authorization” HTTP header.
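The following is an added example, not part of the Cisco guide, for triaging the failure described above in a capture taken between the appliance and the upstream proxy: it reports which header carried credentials. It goes beyond the text by also flagging a scheme mismatch such as NTLM sent against a Basic challenge. It assumes the upstream proxy rejects the request with a standard HTTP 407 response carrying Proxy-Authenticate; the function names, host name and credential strings are constructed for illustration.

```python
"""Triage captured traffic on the link to an upstream proxy (constructed samples)."""
from email.parser import Parser

def parse_head(raw):
    """Return (start_line, headers) for a raw HTTP message head."""
    lines = raw.strip().splitlines()
    return lines[0], Parser().parsestr("\n".join(lines[1:]), headersonly=True)

def diagnose(request_raw, response_raw):
    """Explain why the upstream proxy challenged a forwarded request."""
    _, req = parse_head(request_raw)
    status_line, resp = parse_head(response_raw)
    if int(status_line.split()[1]) != 407:
        return "ok: upstream proxy did not challenge"

    def scheme(header):
        # Report only the scheme token; never echo the credential itself.
        value = req.get(header)
        return value.split()[0].lower() if value else None

    origin, proxy = scheme("Authorization"), scheme("Proxy-Authorization")
    offered = [v.split()[0].lower() for v in resp.get_all("Proxy-Authenticate", [])]
    if proxy is None and origin is not None:
        return "mismatch: credentials in Authorization, upstream needs Proxy-Authorization"
    if proxy is None:
        return "no credentials: request carried no authentication header"
    if proxy not in offered:
        return f"mismatch: {proxy} sent, upstream offers {'/'.join(offered)}"
    return "rejected: correct header and scheme, credentials refused"

# Constructed samples; host names and credential strings are placeholders.
REQ = "GET http://example.test/ HTTP/1.1\r\nHost: example.test\r\n{}\r\n\r\n"
CLIENT_STYLE = REQ.format("Authorization: Basic CONSTRUCTED-PLACEHOLDER")
PROXY_STYLE = REQ.format("Proxy-Authorization: Basic CONSTRUCTED-PLACEHOLDER")
NTLM_STYLE = REQ.format("Proxy-Authorization: NTLM CONSTRUCTED-PLACEHOLDER")
CHALLENGE = ('HTTP/1.1 407 Proxy Authentication Required\r\n'
             'Proxy-Authenticate: Basic realm="upstream"\r\n\r\n')
OK = "HTTP/1.1 200 OK\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("client-style", CLIENT_STYLE),
                      ("proxy-style", PROXY_STYLE),
                      ("ntlm", NTLM_STYLE)]:
        print(name, "->", diagnose(req, CHALLENGE))
```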
Unable to Route FTP Requests Via an Upstream Proxy
If your network contains an upstream proxy that does not support FTP connections, then you must create
a Routing Policy that applies to all Identities and to just FTP requests. Configure that Routing Policy to
directly connect to FTP servers or to connect to a proxy group whose proxies all support FTP
connections.
Virtual Appliances
Do Not Use Power Off or Reset Options During AsyncOS Startup
The following actions on your virtual host are the equivalent of pulling the plug on a hardware appliance
and are not supported, especially during AsyncOS startup: