Cisco Web Security Appliance S170 User Guide
Chapter 20 Authentication
Configuring Global Authentication Settings
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
Uploading Certificates and Keys to Use with Credential Encryption and SaaS Access Control
When credential encryption is enabled or when using SaaS Access Control, the
appliance uses a digital certificate to securely establish a connection with the
client application. By default, the Web Security appliance uses the “IronPort
Appliance Demo Certificate” that comes installed. However, client applications
are not programmed to recognize this certificate, so you can upload a digital
certificate to the appliance that your applications recognize automatically.
Use the Advanced section on the Network > Authentication page to upload the
certificate and key.
For more information on obtaining a certificate and private key pair to upload, see
.
Note
Any certificate and key you upload on the Network > Authentication page is only
used for establishing secure connections with clients for credential encryption and
authenticating SaaS users using SaaS Access Control. The certificate and key are
not used for establishing secure HTTPS sessions when connecting to the Web
Security appliance web interface. For more information on uploading a certificate
and key pair for HTTPS connections to the web interface, see
For more information on SaaS Access Control, see
.
Accessing HTTPS and FTP Sites with Credential Encryption Enabled
Credential encryption works because the Web Proxy redirects clients to the Web
Proxy itself for authentication using an HTTPS connection. After successful
authentication, the Web Proxy redirects clients back to the original web site. In
order to continue to identify the user, the Web Proxy must use a surrogate (either
the IP address or a cookie).
However, using a cookie to track users when the client accesses HTTPS sites or
FTP servers using FTP over HTTP does not work.
• HTTPS. The Web Proxy must resolve the user identity before assigning a
Decryption Policy (and therefore, decrypt the transaction), but it cannot
obtain the cookie to identify the user unless it decrypts the transaction.
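The HTTPS case above can be seen in a small model. This is an added example, not code from the Cisco guide or the appliance: a simplified toy proxy in Python that compares an IP surrogate with a cookie surrogate. The class and function names, the cookie name `proxy_auth`, and the sample user and address are all assumptions made for illustration.

```python
# Added illustration: a toy model, not Cisco code. All names are hypothetical.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Request:
    client_ip: str
    method: str      # "GET" for plain HTTP, "CONNECT" for an HTTPS tunnel
    host: str
    cookies: dict = field(default_factory=dict)  # what the client would send

    def visible_cookies(self) -> dict:
        # For CONNECT the proxy sees only host:port. Cookies travel inside
        # the TLS session and stay hidden until the transaction is decrypted.
        return {} if self.method == "CONNECT" else self.cookies

class ToyProxy:
    def __init__(self, surrogate: str):
        if surrogate not in ("ip", "cookie"):
            raise ValueError("surrogate must be 'ip' or 'cookie'")
        self.surrogate = surrogate
        self.by_ip, self.by_cookie = {}, {}

    def record_login(self, user: str, client_ip: str) -> dict:
        """Called after the HTTPS redirect-to-proxy authentication succeeds."""
        if self.surrogate == "ip":
            self.by_ip[client_ip] = user
            return {}
        token = f"tok-{len(self.by_cookie) + 1}"  # constructed placeholder
        self.by_cookie[token] = user
        return {"proxy_auth": token}              # hypothetical cookie name

    def identify(self, req: Request) -> Optional[str]:
        """Identity must be known before a Decryption Policy is assigned."""
        if self.surrogate == "ip":
            return self.by_ip.get(req.client_ip)
        return self.by_cookie.get(req.visible_cookies().get("proxy_auth"))

def run(surrogate: str) -> dict:
    proxy = ToyProxy(surrogate)
    jar = proxy.record_login("alice", "10.0.0.5")  # constructed sample values
    http = Request("10.0.0.5", "GET", "example.com", jar)
    https = Request("10.0.0.5", "CONNECT", "example.com:443", jar)
    return {"http": proxy.identify(http), "https": proxy.identify(https)}

if __name__ == "__main__":
    for s in ("ip", "cookie"):
        print(s, run(s))
```

With the cookie surrogate the HTTPS request resolves to no user, because the only place the cookie exists is inside the traffic the proxy has not yet decided to decrypt.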