Cisco Web Security Appliance S680 User Guide
IronPort AsyncOS 6.3 for Web User Guide
The following subsections describe these methods of authentication in more detail.
Explicit Forward Deployment, Basic Authentication
When a client explicitly sends a web page request to a Web Security appliance deployed in
explicit forward mode, the Web Proxy can reply to the client with a 407 HTTP response
“Proxy Authentication Required.” This status informs the client that it must supply valid
authentication credentials to access web resources.
The authentication process comprises these steps:
1. Client sends a request to the Web Proxy to connect to a web page.
2. Web Proxy responds with a 407 HTTP response “Proxy Authentication Required.”
3. User enters credentials, and client application resends the original request with the
credentials encoded in Base64 (not encrypted) in a “Proxy-Authorization” HTTP header.
4. Web Proxy verifies the credentials and returns the requested web page.
Table 16-4 lists advantages and disadvantages of using explicit forward Basic authentication.
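The four steps above as a runnable exchange, in an added Python example that is not part of the Cisco guide. The user name, password, realm string and function names are constructed for illustration, and the proxy here returns a bare 200 instead of fetching the page. decode_basic shows why Base64 counts as clear text: the header decodes without any key.

```python
import base64
import hmac

# Constructed credential store for this example (hypothetical user and password).
USERS = {"alice": "s3cret:pw"}

def parse_headers(raw_request: str) -> dict:
    """Return the request headers as a dict with lower-cased names."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def decode_basic(header_value: str):
    """Decode 'Basic <base64>' into (user, password); None if malformed."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # the password may contain ':'
    return (user, password) if sep else None

def proxy_respond(raw_request: str) -> str:
    """Steps 2 and 4: challenge with 407, or accept valid credentials."""
    creds = decode_basic(parse_headers(raw_request).get("proxy-authorization", ""))
    if creds:
        expected = USERS.get(creds[0])
        if expected is not None and hmac.compare_digest(expected.encode(), creds[1].encode()):
            return "HTTP/1.1 200 OK\r\n\r\n"
    return ("HTTP/1.1 407 Proxy Authentication Required\r\n"
            'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n')  # constructed realm

def client_request(url: str, host: str, creds=None) -> str:
    """Steps 1 and 3: the same request, optionally with Basic credentials."""
    lines = [f"GET {url} HTTP/1.1", f"Host: {host}"]
    if creds:
        token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return "\r\n".join(lines) + "\r\n\r\n"

if __name__ == "__main__":
    retry = client_request("http://example.com/", "example.com", ("alice", "s3cret:pw"))
    print(retry, proxy_respond(retry).splitlines()[0], sep="")
```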
Transparent Deployment, Basic Authentication
The 407 HTTP response “Proxy Authentication Required” is allowed from proxy servers only.
However, when the Web Proxy is deployed in transparent mode, its existence is hidden from
client applications on the network. Therefore, the Web Proxy cannot return a 407 response.
To address this problem, the authentication process comprises these steps:
1. Client sends a request to a web page and the Web Proxy transparently intercepts it.
Explicit forward | NTLM | NTLMSSP
Transparent | NTLM | NTLMSSP
Table 16-4 Pros and Cons of Explicit Forward Basic Authentication
Advantages
• RFC-based
• Supported by all browsers and most other applications
• Minimal overhead
• Works for HTTPS (CONNECT) requests
Disadvantages
• Password sent as clear text (Base64) for every request
• No single sign-on
Table 16-3 Methods of Authentication (Continued)
Web Proxy Deployment | Client to Web Security Appliance | Web Security Appliance to Authentication Server