Cisco Web Security Appliance S680 User Guide
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 20 Authentication
Allowing Users to Re-Authenticate
is closed. When the Web Proxy is deployed in transparent mode, and the “Apply same surrogate
settings to explicit forward requests” option is not enabled, no authentication surrogates are used for
explicit forward requests.
Note
To use the re-authentication feature with user defined end-user notification pages, the CGI script that
parses the redirect URL must parse and use the Reauth_URL parameter. For more information, see
Using Re-Authentication with Internet Explorer
When you enable re-authentication and clients use Microsoft Internet Explorer, you need to verify
certain settings to ensure re-authentication works properly with Internet Explorer. Due to a known issue
with Internet Explorer, re-authentication does not work properly under the following circumstances:
• Internet Explorer is configured to use the Web Security appliance as a proxy.
• The Web Security appliance uses NTLMSSP authentication.
• The Web Security appliance uses cookies for authentication surrogates, but is not configured for
credential encryption.
• The Web Proxy is deployed in explicit forward mode, or it is deployed in transparent mode and the
“Apply same surrogate settings to explicit forward requests” option is enabled in the applicable
Identity group.
Problems occur when authentication is required to access the site, and may occur either when initially
requesting the site or when re-authenticating to try to access the site.
To work around these problems, enable credential encryption on the Network > Authentication page.
Using Re-Authentication with PAC Files
When you enable re-authentication and configure client applications to use a PAC file, you may need to
verify certain settings to ensure re-authentication works properly with the PAC file.
Re-authentication does not work properly under the following circumstances:
• Client browsers are configured to use a PAC file, and the PAC file is designed to bypass the Web
Proxy for internal web servers. Instead of instructing the browser to explicitly send requests to the
Web Proxy, it instructs the browser to directly send the request to the destination server.
• The Web Security appliance uses IP addresses for authentication surrogates or no surrogates, and
credential encryption is not enabled.
• The Web Proxy is deployed in explicit forward mode, or it is deployed in transparent mode and the
“Apply same surrogate settings to explicit forward requests” option is enabled for the applicable
Identity group.
Problems occur because re-authentication requires clients to be redirected to the Web Proxy for
authentication, but the PAC file bypasses all requests to internal web servers, including the Web Security
appliance.
To work around these problems, edit the PAC file so that the function FindProxyForURL() returns
“PROXY x.x.x.x:80” when the host IP address is x.x.x.x. The port number you specify in the return
should be the same port configured for other destinations.
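The PAC workaround above, as an added example that is not part of the Cisco guide: a PAC file that bypasses internal servers but still sends requests for the appliance's own address to the proxy, next to the broken behaviour it replaces. The address 192.0.2.10 stands in for x.x.x.x, and the internal ranges and the helper names ipToInt, inNet and decide are assumptions made for illustration.

```javascript
// Constructed placeholder values (not from the guide); replace with your own.
var WSA_IP = "192.0.2.10";   // stands in for x.x.x.x, the Web Security appliance
var PROXY_PORT = 80;         // must match the port used for other destinations
var INTERNAL_NETS = [        // hypothetical internal ranges the PAC file bypasses
  ["10.0.0.0", "255.0.0.0"],
  ["192.0.2.0", "255.255.255.0"]   // note: the appliance itself sits in here
];

// Dotted-quad string to unsigned 32-bit integer, or null if not an IPv4 literal.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// Pure-JS subnet test so the file also runs outside a browser.
function inNet(ip, net, mask) {
  var a = ipToInt(ip), n = ipToInt(net), m = ipToInt(mask);
  if (a === null || n === null || m === null) return false;
  return ((a & m) >>> 0) === ((n & m) >>> 0);
}

// applianceViaProxy=false reproduces the broken PAC logic described above.
function decide(host, applianceViaProxy) {
  var proxy = "PROXY " + WSA_IP + ":" + PROXY_PORT;
  // Browsers supply dnsResolve(); offline, treat the host as already resolved.
  var ip = (typeof dnsResolve === "function") ? dnsResolve(host) : host;
  // The appliance check must run before any internal bypass rule, because
  // re-authentication redirects point at the appliance's own address.
  if (applianceViaProxy && (host === WSA_IP || ip === WSA_IP)) return proxy;
  for (var i = 0; i < INTERNAL_NETS.length; i++) {
    if (inNet(ip, INTERNAL_NETS[i][0], INTERNAL_NETS[i][1])) return "DIRECT";
  }
  return proxy;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  return decide(host, true);
}
```

The order of the checks is the whole fix: an internal bypass rule placed ahead of the appliance check returns DIRECT for the re-authentication redirect again.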