Cisco Web Security Appliance S370 User Guide
Sending Authentication Credentials Securely
Chapter 16: Authentication
363
5. Submit and commit your changes.
Sending Authentication Credentials Securely
When authentication is used to identify clients using the Web, the client applications send the
authentication credentials to the Web Proxy, which in turn passes them to the authentication
server. How the credentials are passed from the clients to the Web Proxy depends on the
authentication scheme used:
• NTLMSSP. The credentials are always passed to the Web Proxy securely. They are
encrypted using a key specified by the Active Directory server and sent over HTTP.
• Basic. By default, the credentials are passed to the Web Proxy insecurely. They are
encoded, but not encrypted, and sent over HTTP. However, you can configure the Web
Security appliance so clients send authentication credentials securely. This works for both
LDAP and NTLM Basic authentication.
When you configure the appliance to use credential encryption for Basic authentication, the
Web Proxy redirects the client back to the Web Proxy, but this time using an encrypted
connection using HTTPS. The client application makes either a GET or a CONNECT request
depending on how the requests are forwarded to the appliance (explicitly or transparently)
and how the client application is configured to forward HTTPS requests, either using the Web
Proxy or not.
Then, using the secure HTTPS connection, the clients send the authentication credentials. The
appliance uses its own certificate and private key to create an HTTPS connection with the
client by default. Most browsers will warn users that the certificate is not valid. To prevent
users from seeing the invalid certificate message, you can upload a certificate and key pair
your organization uses. When you upload a certificate and key, the private key must be
unencrypted. For information about uploading a certificate and key, see “Uploading
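The difference between the two schemes above is worth seeing in code: a Basic credential is only base64-encoded, so anyone who can read the plaintext HTTP request between the client and the Web Proxy can recover it, while NTLMSSP never puts the password on the wire, and credential encryption closes the gap for Basic by carrying the same header over HTTPS. The following script is an added illustration, not code from the Cisco guide or the appliance; it assesses constructed Proxy-Authorization header values together with a flag saying whether the connection carrying them was TLS-protected, and reports which ones expose credentials. The sample header values and the helper names (assess_exposure, audit_requests) are assumptions made for this example.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CredentialExposure:
    """Result of assessing one Proxy-Authorization header."""
    scheme: str
    over_tls: bool
    exposed: bool            # True when a password is readable by a passive observer
    username: Optional[str]  # recovered only for Basic; never the password
    note: str


def parse_proxy_authorization(header_value: str) -> Tuple[str, str]:
    """Split 'Scheme token' into (scheme, token); token may be empty."""
    scheme, _, token = header_value.strip().partition(" ")
    return scheme, token.strip()


def assess_exposure(header_value: str, over_tls: bool) -> CredentialExposure:
    """Classify how the credentials in one header travel to the Web Proxy.

    Basic over plain HTTP: encoded, not encrypted, so the credential is exposed.
    Basic over HTTPS (credential encryption enabled): protected by TLS.
    NTLM/Negotiate: NTLMSSP challenge/response, the password itself is not sent.
    """
    scheme, token = parse_proxy_authorization(header_value)
    lowered = scheme.lower()

    if lowered == "basic":
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            # Malformed token: still sent in the clear if the link is not TLS.
            return CredentialExposure(scheme, over_tls, not over_tls, None,
                                      "malformed Basic token")
        # RFC 7617 form is "user:password"; keep the user, discard the secret.
        username, _, _ = decoded.partition(":")
        if over_tls:
            return CredentialExposure(scheme, True, False, username,
                                      "Basic credentials protected by TLS "
                                      "(credential encryption)")
        return CredentialExposure(scheme, False, True, username,
                                  "Basic is base64 encoding, not encryption: "
                                  "credentials readable on the wire")

    if lowered in ("ntlm", "negotiate"):
        return CredentialExposure(scheme, over_tls, False, None,
                                  "NTLMSSP challenge/response: password is "
                                  "not transmitted")

    return CredentialExposure(scheme, over_tls, False, None,
                              "unrecognised authentication scheme")


# Constructed sample requests: (connection was TLS?, Proxy-Authorization value).
# The account and password are fictitious, the NTLM token is a constructed
# Type 1 negotiate message prefix.
SAMPLE_REQUESTS: List[Tuple[bool, str]] = [
    (False, "Basic " + base64.b64encode(b"jdoe:Winter2024").decode("ascii")),
    (True, "Basic " + base64.b64encode(b"jdoe:Winter2024").decode("ascii")),
    (False, "NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="),
]


def audit_requests(requests: List[Tuple[bool, str]]) -> List[CredentialExposure]:
    """Assess every captured header and return the per-request findings."""
    return [assess_exposure(header, over_tls) for over_tls, header in requests]


def count_exposed(requests: List[Tuple[bool, str]]) -> int:
    """Number of requests whose credentials a passive observer could read."""
    return sum(1 for finding in audit_requests(requests) if finding.exposed)


if __name__ == "__main__":
    for finding in audit_requests(SAMPLE_REQUESTS):
        status = "EXPOSED" if finding.exposed else "protected"
        print(f"{finding.scheme:<10} tls={finding.over_tls!s:<5} {status:<9} "
              f"user={finding.username!r} {finding.note}")
```

Running the script shows the first sample flagged as exposed with the username recovered, the identical Basic header marked protected once it rides the HTTPS connection that credential encryption establishes, and the NTLM request marked protected regardless of transport. The password is deliberately never returned or printed; the point is that the header contents are readable, not to harvest them.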
Table 16-10 Explicit Forward Proxy Mode Authentication Settings (Continued)

Setting: Credential Cache Options: Cache Size
Description: Specifies the number of entries that are stored in the
authentication cache. Set this value to safely accommodate
the number of users that are actually using this device. The
default value is the recommended setting.

Setting: Advanced (Secure Authentication Certificate)
Description: When Credential Encryption is enabled to use a secure
connection using HTTPS, you can choose whether the
appliance uses the digital certificate and key shipped with
the appliance or a digital certificate and key you upload
here.
To upload a digital certificate and key, click Browse and
navigate to the necessary file on your local machine. Then
click Upload Files after you select the files you want.