Cisco Web Security Appliance S170 User Guide

20-24
Cisco IronPort AsyncOS 7.7.5 for Web User Guide
Chapter 20 Authentication
Sending Authentication Credentials Securely
Then, using the secure HTTPS connection, the clients send the authentication credentials. The appliance uses its own certificate and private key to create an HTTPS connection with the client by default. Most browsers will warn users that the certificate is not valid. To prevent users from seeing the invalid certificate message, you can upload a certificate and key pair your organization uses. When you upload a certificate and key, the private key must be unencrypted. For information about uploading a certificate and key, see

To configure the appliance to use credential encryption, enable the Credential Encryption setting in the global authentication settings. For more information, see . You can also use the advancedproxyconfig > authentication CLI command. For more information, see .
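The section above requires the uploaded private key to be unencrypted. The following pre-upload check is an added example (not Cisco code and not part of the guide): it scans a PEM file for certificate and private-key blocks and flags a key that is still passphrase-protected, in either the PKCS#8 "ENCRYPTED PRIVATE KEY" form or the legacy OpenSSL form marked by a "Proc-Type: 4,ENCRYPTED" header. The PEM bodies used as sample input are constructed placeholders, not real key material.

```python
"""Pre-upload sanity check for a certificate/key pair destined for the
Network > Authentication page. Added example, not Cisco code. The sample
PEM blocks below are constructed placeholders, not real certificates or keys."""
import re

# One PEM block: "-----BEGIN <label>-----", body, "-----END <label>-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def inspect_pem(pem_text):
    """Return a summary of the PEM blocks found and whether the pair is
    acceptable for upload (one certificate, one unencrypted private key)."""
    result = {"certificates": 0, "private_keys": 0, "encrypted_keys": 0, "problems": []}
    for m in PEM_BLOCK.finditer(pem_text):
        label, body = m.group("label"), m.group("body")
        if label == "CERTIFICATE":
            result["certificates"] += 1
        elif label == "ENCRYPTED PRIVATE KEY":
            # PKCS#8 encrypted form: the label itself says the key is encrypted.
            result["private_keys"] += 1
            result["encrypted_keys"] += 1
        elif label.endswith("PRIVATE KEY"):
            result["private_keys"] += 1
            # Legacy OpenSSL ("RSA PRIVATE KEY" etc.) marks encryption with
            # header lines inside the block rather than in the label.
            if re.search(r"^Proc-Type:\s*4,ENCRYPTED", body, re.MULTILINE):
                result["encrypted_keys"] += 1
    if result["certificates"] == 0:
        result["problems"].append("no CERTIFICATE block found")
    if result["private_keys"] == 0:
        result["problems"].append("no PRIVATE KEY block found")
    if result["encrypted_keys"]:
        result["problems"].append("private key is encrypted; the appliance requires an unencrypted key")
    result["ok"] = not result["problems"]
    return result


# Constructed sample inputs (placeholder base64, not real material).
GOOD_PAIR = """-----BEGIN CERTIFICATE-----
MIIBplaceholdercertificatebody==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIBplaceholderkeybody==
-----END RSA PRIVATE KEY-----
"""

LEGACY_ENCRYPTED_PAIR = """-----BEGIN CERTIFICATE-----
MIIBplaceholdercertificatebody==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

MIIBplaceholderencryptedkeybody==
-----END RSA PRIVATE KEY-----
"""

PKCS8_ENCRYPTED_PAIR = """-----BEGIN CERTIFICATE-----
MIIBplaceholdercertificatebody==
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBplaceholderencryptedkeybody==
-----END ENCRYPTED PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, pem in (("good", GOOD_PAIR), ("legacy-encrypted", LEGACY_ENCRYPTED_PAIR),
                      ("pkcs8-encrypted", PKCS8_ENCRYPTED_PAIR)):
        print(name, inspect_pem(pem))
```

If the check reports an encrypted key, the standard `openssl pkey -in encrypted.pem -out plain.pem` command writes the same key without a passphrase (it prompts for the existing one); keep the unencrypted file's permissions tight, since it is now protected only by the file system until it is uploaded.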
Uploading Certificates and Keys to Use with Credential Encryption and SaaS Access Control
When credential encryption is enabled or when using SaaS Access Control, the appliance uses a digital certificate to securely establish a connection with the client application. By default, the Web Security appliance uses the “Cisco IronPort Web Security Appliance Demo Certificate” that comes installed. However, client applications are not programmed to recognize this certificate, so you can upload a digital certificate to the appliance that your applications recognize automatically.

Use the Advanced section on the Network > Authentication page to upload the certificate and key. For more information on obtaining a certificate and private key pair to upload, see .
Note
Any certificate and key you upload on the Network > Authentication page is only used for establishing secure connections with clients for credential encryption and authenticating SaaS users using SaaS Access Control. The certificate and key are not used for establishing secure HTTPS sessions when connecting to the Web Security appliance web interface. For more information on uploading a certificate and key pair for HTTPS connections to the web interface, see

For more information on SaaS Access Control, see .
Accessing HTTPS and FTP Sites with Credential Encryption Enabled
Credential encryption works because the Web Proxy redirects clients to the Web Proxy itself for authentication using an HTTPS connection. After successful authentication, the Web Proxy redirects clients back to the original website. In order to continue to identify the user, the Web Proxy must use a surrogate (either the IP address or a cookie).

However, using a cookie to track users when the client accesses HTTPS sites or FTP servers using FTP over HTTP does not work.
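The paragraph above describes the surrogate step: once the HTTPS authentication leg has completed, every later request is matched back to a user by either the client IP address or a cookie. The following model is an added example (not Cisco code and not a description of the appliance's internals) that shows why the cookie surrogate cannot identify a client on an HTTPS transaction: the proxy only sees a CONNECT request for the tunnel, and the Cookie header of the inner request is not visible until the transaction is decrypted, while the IP surrogate needs nothing from the request beyond its source address. The session table, the cookie name `wsa_auth` and the sample requests are all constructed for the example.

```python
"""Model of IP vs. cookie surrogates after an HTTPS authentication redirect.
Added example, not Cisco code. The cookie name "wsa_auth", the session
table and the sample requests are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional

AUTH_COOKIE = "wsa_auth"  # hypothetical surrogate cookie name


@dataclass
class Request:
    client_ip: str
    method: str              # "GET" for plain HTTP, "CONNECT" for an HTTPS tunnel
    target: str
    headers: dict = field(default_factory=dict)


class SurrogateProxy:
    """Minimal proxy-side user identification by surrogate."""

    def __init__(self, surrogate_type):
        if surrogate_type not in ("ip", "cookie"):
            raise ValueError("surrogate_type must be 'ip' or 'cookie'")
        self.surrogate_type = surrogate_type
        self.by_ip = {}      # client IP   -> user
        self.by_cookie = {}  # cookie value -> user

    def record_auth(self, client_ip, user, cookie_value):
        """Called when the HTTPS authentication leg succeeds; both surrogates
        are recorded so the same object can serve either mode."""
        self.by_ip[client_ip] = user
        self.by_cookie[cookie_value] = user

    def identify(self, req) -> Optional[str]:
        if self.surrogate_type == "ip":
            # Only the source address is needed, which every request carries.
            return self.by_ip.get(req.client_ip)
        # Cookie surrogate: the proxy has to read the Cookie header. On a
        # CONNECT tunnel the inner HTTPS request headers are opaque until the
        # transaction is decrypted, and the decryption decision itself depends
        # on knowing the user, so there is nothing to look up.
        if req.method == "CONNECT":
            return None
        for part in req.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == AUTH_COOKIE:
                return self.by_cookie.get(value)
        return None


def run_scenario():
    """Authenticate one client, then replay an HTTP and an HTTPS request
    under each surrogate type; returns {surrogate_type: {scheme: user_or_None}}."""
    # Constructed sample traffic after the redirect-based authentication.
    http_req = Request("10.1.2.3", "GET", "http://intranet.example/",
                       {"Cookie": f"{AUTH_COOKIE}=tok-123; other=1"})
    https_req = Request("10.1.2.3", "CONNECT", "bank.example:443")
    unauth_req = Request("10.9.9.9", "GET", "http://intranet.example/")
    results = {}
    for mode in ("ip", "cookie"):
        proxy = SurrogateProxy(mode)
        proxy.record_auth("10.1.2.3", "alice", "tok-123")
        results[mode] = {
            "http": proxy.identify(http_req),
            "https": proxy.identify(https_req),
            "unauthenticated": proxy.identify(unauth_req),
        }
    return results


if __name__ == "__main__":
    for mode, outcome in run_scenario().items():
        print(mode, outcome)
```

Running the scenario shows the IP surrogate resolving the user on both the HTTP and the HTTPS request, while the cookie surrogate resolves only the HTTP request; the unauthenticated client is unknown in both modes. This is the practical reason the guide steers deployments that need HTTPS identification away from cookie surrogates.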
  • HTTPS. The Web Proxy must resolve the user identity before assigning a Decryption Policy (and therefore, decrypt the transaction), but it cannot obtain the cookie to identify the user unless it decrypts the transaction.