Cisco Web Security Appliance S370 User Guide
AsyncOS 9.0 for Cisco Web Security Appliances User Guide
Chapter 5 Acquire End-User Credentials
Authentication Realms
Step 5
If the Web Proxy is deployed in explicit forward mode, edit the settings as follows:
Setting
Description
Credential Encryption
This setting specifies whether or not the client sends the login credentials to
the Web Proxy through an encrypted HTTPS connection. To enable
credential encryption, choose “HTTPS Redirect (Secure)”. When you
enable credential encryption, additional fields appear to configure how to
redirect clients to the Web Proxy for authentication.
This setting applies to both the Basic and NTLMSSP authentication schemes,
but it is particularly useful for the Basic authentication scheme because
user credentials are sent as plain text.
For more information, see
.
HTTPS Redirect Port
Specify a TCP port to use for redirecting requests for authenticating users
over an HTTPS connection.
This specifies through which port the client will open a connection to the
Web Proxy using HTTPS. This occurs when credential encryption is enabled
or when using Access Control and users are prompted to authenticate.
Redirect Hostname
Enter the short host name of the network interface on which the Web Proxy
listens for incoming connections.
When you enable Authentication Mode above, the Web Proxy uses this
hostname in the redirection URL sent to clients for authenticating users.
You can enter either of the following values:
• Single word hostname. You can enter the single word host name that is
DNS resolvable by the client and the Web Security appliance. This
allows clients to achieve true single sign-on with Internet Explorer
without additional browser side setup.
Be sure to enter the single word host name that is DNS resolvable by the
client and the Web Security appliance.
For example, if your clients are in domain mycompany.com and the
interface on which the Web Proxy is listening has a full host name of
proxy.mycompany.com, then you should enter proxy in this field. Clients
perform a lookup on proxy and they should be able to resolve
proxy.mycompany.com.
• Fully qualified domain name (FQDN). You can also enter the FQDN
or IP address in this field. However, if you do that and want true single
sign-on for Internet Explorer and Firefox browsers, you must ensure
that the FQDN or IP address is added to the client’s Trusted Sites list in
the client browsers.
The default value is the FQDN of the M1 or P1 interface, depending on
which interface is used for proxy traffic.
Credential Cache
Options:
Surrogate Timeout
This setting specifies how long the Web Proxy waits before asking the client
for authentication credentials again. Until the Web Proxy asks for credentials
again, it uses the value stored in the surrogate (IP address or cookie).
Note that it is common for user agents, such as browsers, to cache the
authentication credentials so the user will not be prompted to enter
credentials each time.
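The following added example (not from the Cisco guide) illustrates the Credential Encryption note above that Basic credentials are sent as plain text: it parses a constructed request to an explicit forward proxy and reports what is readable on the wire when the connection is not HTTPS. The function name credential_exposure, the over_tls flag (set by the caller to say whether the request travelled over the HTTPS redirect) and the sample account are assumptions made for illustration.

```python
import base64

def build_request(scheme, token):
    # Constructed request as a client would send it to an explicit forward proxy.
    return ("GET http://example.com/ HTTP/1.1\r\n"
            "Host: example.com\r\n"
            f"Proxy-Authorization: {scheme} {token}\r\n\r\n")

# Constructed sample credentials and tokens (not real accounts).
BASIC_REQ = build_request("Basic", base64.b64encode(b"jsmith:S3cret!").decode())
NTLM_REQ = build_request(
    "NTLM", base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 8).decode())

def credential_exposure(raw_request, over_tls):
    """Classify what an on-path observer learns from the auth header."""
    for line in raw_request.split("\r\n")[1:]:
        if not line:                       # blank line ends the header block
            break
        name, _, value = line.partition(":")
        if name.strip().lower() not in ("proxy-authorization", "authorization"):
            continue
        scheme, _, token = value.strip().partition(" ")
        scheme = scheme.lower()
        if scheme not in ("basic", "ntlm"):
            return {"scheme": scheme, "exposure": "not-analysed"}
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except ValueError:
            return {"scheme": scheme, "exposure": "malformed"}
        if over_tls:
            return {"scheme": scheme, "exposure": "encrypted-in-transit"}
        if scheme == "basic":
            # Base64 is an encoding, not encryption: both fields are readable.
            user, _, password = decoded.decode("utf-8", "replace").partition(":")
            return {"scheme": "basic", "exposure": "cleartext-password",
                    "user": user, "password_length": len(password)}
        if decoded.startswith(b"NTLMSSP\x00"):
            # NTLMSSP messages carry negotiation and challenge-response data,
            # not the password itself.
            return {"scheme": "ntlm", "exposure": "handshake-visible"}
        return {"scheme": scheme, "exposure": "malformed"}
    return {"scheme": None, "exposure": "no-credentials"}

if __name__ == "__main__":
    for req, tls in ((BASIC_REQ, False), (BASIC_REQ, True), (NTLM_REQ, False)):
        print(credential_exposure(req, tls))
```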