Cisco Web Security Appliance S690 User Guide

AsyncOS 9.0.1 for Cisco Web Security Appliances User Guide
 
Chapter 5      Acquire End-User Credentials
  Authentication Realms
Step 4: If the Web Proxy is deployed in transparent mode, edit the settings as follows:
Setting / Description

Credential Encryption
This setting specifies whether or not the client sends the login credentials to the Web Proxy through an encrypted HTTPS connection.
This setting applies to both Basic and NTLMSSP authentication schemes, but it is particularly useful for the Basic authentication scheme because user credentials are sent as plain text.
For more information, see

HTTPS Redirect Port
Specify a TCP port to use for redirecting requests for authenticating users over an HTTPS connection.
This specifies through which port the client will open a connection to the Web Proxy using HTTPS. This occurs when credential encryption is enabled or when using Access Control and users are prompted to authenticate.

Redirect Hostname
Enter the short hostname of the network interface on which the Web Proxy listens for incoming connections.
When you configure authentication on an appliance deployed in transparent mode, the Web Proxy uses this hostname in the redirection URL sent to clients for authenticating users.
You can enter either of the following values:
- Single word hostname. You can enter the single word hostname that is DNS resolvable by the client and the Web Security appliance. This allows clients to achieve true single sign-on with Internet Explorer without additional browser-side setup.
  Be sure to enter the single word hostname that is DNS resolvable by the client and the Web Security appliance.
  For example, if your clients are in domain mycompany.com and the interface on which the Web Proxy is listening has a full hostname of proxy.mycompany.com, then you should enter proxy in this field. Clients perform a lookup on proxy and they should be able to resolve proxy.mycompany.com.
- Fully qualified domain name (FQDN). You can also enter the FQDN or IP address in this field. However, if you do that and want true single sign-on for Internet Explorer and Firefox browsers, you must ensure that the FQDN or IP address is added to the client’s Trusted Sites list in the client browsers.
  The default value is the FQDN of the M1 or P1 interface, depending on which interface is used for proxy traffic.

Credential Cache Options: Surrogate Timeout
This setting specifies how long the Web Proxy waits before asking the client for authentication credentials again. Until the Web Proxy asks for credentials again, it uses the value stored in the surrogate (IP address or cookie).
It is common for user agents, such as browsers, to cache the authentication credentials so the user will not be prompted to enter credentials each time.
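
The Redirect Hostname rules above can be checked from a client before the value is saved. The following is an added example, not part of the Cisco guide: the function names are hypothetical, the resolver is injectable so the check can run offline, and the 192.0.2.10 address is constructed sample data.

```python
import ipaddress
import socket


def system_resolve(name):
    """Resolve a name with the client's own resolver (DNS search suffixes apply)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def classify(value):
    """Classify a Redirect Hostname value as 'ip', 'fqdn' or 'single-word'."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "fqdn" if "." in value.rstrip(".") else "single-word"


def check_redirect_hostname(value, proxy_fqdn, resolve=system_resolve):
    """Return (kind, findings) for a proposed Redirect Hostname value."""
    kind = classify(value)
    findings = []
    if kind == "single-word":
        # The short name must resolve on the client, and to the proxy interface.
        short, full = resolve(value), resolve(proxy_fqdn)
        if not short:
            findings.append(f"'{value}' does not resolve on this client")
        elif not short & full:
            findings.append(f"'{value}' resolves to {sorted(short)}, not to {proxy_fqdn}")
    else:
        # Per the guide, FQDN and IP values need a Trusted Sites entry for SSO.
        findings.append(f"{kind} value: add it to the Trusted Sites list for single sign-on")
    return kind, findings


if __name__ == "__main__":
    # Constructed resolver data modelled on the guide's example names.
    zone = {"proxy": {"192.0.2.10"}, "proxy.mycompany.com": {"192.0.2.10"}}
    fake = lambda name: zone.get(name, set())
    for candidate in ("proxy", "proxy.mycompany.com", "192.0.2.10", "wsa"):
        print(candidate, check_redirect_hostname(candidate, "proxy.mycompany.com", fake))
```

Run it on a representative client with the default resolver to confirm that the short name resolves there exactly as the guide requires.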