Blue Coat Systems Time Clock Proxy SG User Manual

Chapter 4: Property Reference
authenticate.mode( )

Using the authenticate.mode( ) property selects a combination of challenge type and surrogate credentials.
Challenge type is what kind of challenge (proxy, origin or origin-redirect) is issued.
Surrogate credentials are credentials accepted in place of the user's real credentials. They are used for a variety of reasons. Blue Coat supports three kinds of surrogate credentials.

IP surrogate credentials authenticate the user based on the IP address of the client. Once any client has been successfully authenticated, all future requests from that IP address are assumed to be from the same user.

Cookie surrogate credentials use a cookie constructed by the ProxySG as a surrogate. The cookie contains information about the user, so multiple users from the same IP address can be distinguished. The cookie contains a temporary password to authenticate the cookie; this password expires when the credential cache entry expires.

Connection surrogate credentials use the TCP/IP connection to authenticate the user. Once authentication is successful, the connection is marked authenticated and all future requests on that connection are considered to be from the same user.

In SGOS 3.1.x, the connection's authentication information includes the realm in which it was authenticated. The surrogate credentials are accepted only if the current transaction's realm matches the realm in which the session was authenticated.
Syntax

authenticate.mode(mode_type)

where mode_type is one of the following, shown followed by the implied challenge type and surrogate credential:
auto—Allows the ProxySG to make a best effort to determine a suitable authentication mechanism for the transaction. For streaming transactions, authenticate.mode(auto) uses origin mode.

legacy—The default for systems upgraded from SGOS 2.x.

proxy (proxy/connection)—Specifies a normal forward proxy. In some situations proxy challenges will not work; origin challenges are then issued.

proxy-ip (proxy/IP)—Specifies an insecure forward proxy, possibly suitable for LANs of single-user workstations. Mode switching occurs as for proxy.

origin (origin/connection)—Acts as a normal Web server. In this case, no forwarding of credentials is needed.

origin-ip (origin/IP)—Used to support NTLM authentication to the upstream device when the client cannot handle cookie credentials. This mode is primarily used for automatic downgrading, but it can be selected for specific situations.

This mode is insecure: after a user has authenticated from an IP address, all further requests from that IP address are treated as from that user. If the client is behind a NAT, or on a multi-user system, this can present a serious security problem.