Cisco Web Security Appliance S170 User Guide
384
IronPort AsyncOS 6.5 for Web User Guide
unencrypted. For information about uploading a certificate and key, see “Uploading
To configure the appliance to use credential encryption, enable the Credential Encryption setting in the global authentication settings. For more information, see “Configuring Global Authentication Settings” on page 373. You can also use the advancedproxyconfig > authentication CLI command. For more information, see “Advanced Proxy Configuration”
Uploading Certificates and Keys to Use with Credential Encryption
When credential encryption is enabled, the appliance uses a digital certificate to securely establish a connection with the client application. By default, the Web Security appliance uses the “IronPort Appliance Demo Certificate” that comes installed. However, client applications are not programmed to recognize this certificate, so you can upload a digital certificate to the appliance that your applications recognize automatically.
Use the Advanced section on the Network > Authentication page to upload the certificate and key.
Note — When AsyncOS for Web runs on a FIPS-compliant Web Security appliance, you must use the FIPS management console to generate or upload the root certificate and key pair. When you generate or upload certificates and keys using the FIPS management console, the keys are protected by the HSM card. For more information on using the FIPS management console, see “FIPS Management” on page 67.
For more information on obtaining a certificate and private key pair to upload, see “Obtaining Certificates” on page 534.
Note — Any certificate and key you upload on the Network > Authentication page is only used for establishing secure connections with clients for credential encryption. The certificate and key are not used for establishing secure HTTPS sessions when connecting to the Web Security appliance web interface. For more information on uploading a certificate and key pair for HTTPS connections to the web interface, see “Installing a Server Digital Certificate” on page 534.
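Before uploading a certificate and key on the Network > Authentication page, it is worth confirming offline that the two actually belong together, that the certificate covers the hostname clients are redirected to for authentication (otherwise clients will warn just as they do with the demo certificate), and that it is not about to expire. The following script is an added example, not part of the Cisco guide or the appliance; it assumes only the openssl command-line tool, and the file names and hostname in it are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): pre-flight checks on a certificate
# and private key pair before uploading it for credential encryption.
# Assumes the openssl CLI. File names and the hostname are constructed.

# check_cert_key_pair CERT.pem KEY.pem
#   Returns 0 when the public key embedded in the certificate equals the
#   public key derived from the private key, 1 otherwise. Comparing the
#   SubjectPublicKeyInfo works for RSA and EC keys alike.
check_cert_key_pair() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_cert_host CERT.pem HOSTNAME
#   Returns 0 when the certificate's SAN (or CN fallback) covers HOSTNAME.
#   HOSTNAME should be the name the Web Proxy redirects clients to for
#   authentication, since that is the name the client will validate.
check_cert_host() {
    openssl x509 -noout -in "$1" -checkhost "$2" 2>/dev/null | grep -q "does match"
}

# check_cert_validity CERT.pem DAYS
#   Returns 0 when the certificate will still be valid DAYS days from now.
check_cert_validity() {
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# preflight CERT.pem KEY.pem HOSTNAME
#   Runs all three checks, prints one line per result, and returns 0 only
#   when every check passes.
preflight() {
    status=0
    if check_cert_key_pair "$1" "$2"; then
        echo "ok:   private key matches certificate"
    else
        echo "FAIL: private key does not match certificate"; status=1
    fi
    if check_cert_host "$1" "$3"; then
        echo "ok:   certificate covers $3"
    else
        echo "FAIL: certificate does not cover $3"; status=1
    fi
    if check_cert_validity "$1" 30; then
        echo "ok:   certificate valid for at least 30 more days"
    else
        echo "FAIL: certificate expires within 30 days"; status=1
    fi
    return $status
}

# Usage (constructed file names):
#   preflight ws-auth.crt ws-auth.key proxy.example.com
```

On a FIPS-compliant appliance these checks still apply to the material you feed the FIPS management console, but the key itself must be generated or imported there so that it ends up protected by the HSM card.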
Accessing HTTPS and FTP Sites with Credential Encryption Enabled
Credential encryption works because the Web Proxy redirects clients to the Web Proxy itself for authentication using an HTTPS connection. After successful authentication, the Web Proxy redirects clients back to the original web site. In order to continue to identify the user, the Web Proxy must use a surrogate (either the IP address or a cookie).
However, using a cookie to track users when the client accesses HTTPS sites or FTP servers using FTP over HTTP does not work.
• HTTPS. The Web Proxy must resolve the user identity before assigning a Decryption Policy (and therefore, decrypt the transaction), but it cannot obtain the cookie to identify the user unless it decrypts the transaction.