Cisco Cisco Web Security Appliance S170 Guida Utente
5-25
AsyncOS 8.5 for Cisco Web Security Appliances User Guide
Chapter 5 Acquire End-User Credentials
Credentials
•
No surrogate. By default, the Web Proxy requests authentication for every new connection, but
when re-authentication is enabled, the Web Proxy requests authentication for every new request, so
there is an increased load on the authentication server when using NTLMSSP. The increase in
authentication activity may not be apparent to a user, however, because most browsers will cache
the privileged user credentials and authenticate without prompting until the browser is closed. Also,
when the Web Proxy is deployed in transparent mode, and the “Apply same surrogate settings to
explicit forward requests” option is not enabled, no authentication surrogates are used for explicit
forward requests and increased load will occur with re-authentication.
when re-authentication is enabled, the Web Proxy requests authentication for every new request, so
there is an increased load on the authentication server when using NTLMSSP. The increase in
authentication activity may not be apparent to a user, however, because most browsers will cache
the privileged user credentials and authenticate without prompting until the browser is closed. Also,
when the Web Proxy is deployed in transparent mode, and the “Apply same surrogate settings to
explicit forward requests” option is not enabled, no authentication surrogates are used for explicit
forward requests and increased load will occur with re-authentication.
Note
If the Web Security appliance uses cookies for authentication surrogates, Cisco recommends enabling
credential encryption.
credential encryption.
Credentials
•
•
Credential Format
Credential Encryption for Basic Authentication
About Credential Encryption for Basic Authentication
Enable credential encryption to transmit credentials over HTTPS in encrypted form. This increases
security of the basic authentication process.
security of the basic authentication process.
The Web Security appliance uses its own certificate and private key by default to create an HTTPS
connection with the client for the purposes of secure authentication. Most browsers will warn users,
however, that this certificate is not valid. To prevent users from seeing the invalid certificate message,
you can upload a valid certificate and key pair that your organization uses.
connection with the client for the purposes of secure authentication. Most browsers will warn users,
however, that this certificate is not valid. To prevent users from seeing the invalid certificate message,
you can upload a valid certificate and key pair that your organization uses.
Configuring Credential Encryption
Before You Begin:
•
Configure the appliance to use IP surrogates.
•
(Optional) Obtain a certificate and unencrypted private key. The certificate and key configured here
are also used by Access Control.
are also used by Access Control.
Authentication Scheme
Credential Format
NTLMSSP
MyDomain\jsmith
Basic
jsmith
MyDomain\jsmith
Note
If the user does not enter the Windows domain, the Web Proxy
prepends the default Windows domain.
prepends the default Windows domain.