Cisco Web Security Appliance S390 User Guide

A-13
AsyncOS 8.7 for Cisco Web Security Appliances User Guide
 
Appendix A      Troubleshooting
  Policy Problems
encryption is enabled. After successful authentication, the Web Proxy redirects clients back to the original website. To keep identifying the user on later requests, the Web Proxy must use a surrogate, either the client IP address or a cookie. Using a cookie to track users, however, has the following consequences for requests that use HTTPS or FTP over HTTP:
HTTPS. The Web Proxy must resolve the user identity before it assigns a Decryption Policy (and therefore before it decrypts the transaction), but it cannot read the cookie that identifies the user unless it first decrypts the transaction.
FTP over HTTP. Accessing FTP servers through FTP over HTTP poses a similar dilemma. The Web Proxy must resolve the user identity before it assigns an Access Policy, but it cannot set a cookie on an FTP transaction, so no cookie ever comes back to it.
Therefore, HTTPS and FTP over HTTP requests match only Access Policies that do not require authentication. Typically they match the global Access Policy, which never requires authentication.
User Matches Global Policy for HTTPS and FTP over HTTP Requests
When the appliance uses cookie-based authentication, the Web Proxy receives no cookie information from clients on HTTPS and FTP over HTTP requests, so it cannot obtain the user name from the cookie.
HTTPS and FTP over HTTP requests still match the Identification Profile according to its other membership criteria, but the Web Proxy does not prompt clients for authentication even if the Identification Profile requires authentication. Instead, it sets the user name to NULL and treats the user as unauthenticated.
When the unauthenticated request is then evaluated against the policies, it matches only a policy that specifies “All Identities” and applies to “All Users.” Typically this is the global policy, such as the global Access Policy. To confirm which policy a given request matches, use the Policy Trace tool described below.
User Assigned Incorrect Access Policy
Conditions:
• Clients on your network use Network Connectivity Status Indicator (NCSI).
• The Web Security appliance uses NTLMSSP authentication.
• The Identification Profile uses IP-based surrogates.
Problem: A user might be identified by the machine credentials instead of the user's own credentials, and as a result might be assigned an incorrect Access Policy. NCSI probes are issued by a Windows service rather than by the logged-on user, so the NTLMSSP exchange they trigger authenticates with the computer account, and that account is stored in the IP surrogate for the client IP address. Until the surrogate expires, the Web Proxy applies it to requests from the user who logs on afterward.
Workaround:
Reduce the surrogate timeout value for machine credentials, so that the machine-account entry expires quickly and the user's next request is authenticated with the user's own credentials.
Step 1  Use the advancedproxyconfig > authentication CLI command.
Step 2  Enter the surrogate timeout for machine credentials.
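The two behaviours described in this section, the cookie surrogate that cannot identify HTTPS and FTP over HTTP requests, and the IP surrogate that keeps a machine credential alive after the user logs on, as a simplified model in Python. This is an added example, not AsyncOS code and not the appliance's data structures: the profile, policy and cache classes, the `CORP\alice` and `CORP\HOST01$` credentials, the `authenticate` callback standing in for the NTLMSSP exchange, and the timeout values are all constructed for illustration. The only appliance setting it mirrors is the separate surrogate timeout for machine credentials that the CLI steps above configure.

```python
"""Added example, not AsyncOS code: a model of IP and cookie surrogates on the Web Proxy."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

ALL = "*"  # stands for "All Identification Profiles" / "All Users" in a policy

@dataclass
class IdentificationProfile:
    name: str
    requires_auth: bool
    surrogate: str  # "ip" or "cookie"

@dataclass
class AccessPolicy:
    name: str
    identities: object  # ALL or a frozenset of profile names
    users: object       # ALL or a frozenset of user names

@dataclass
class Request:
    client_ip: str
    scheme: str  # "http", "https", or "ftp" (FTP over HTTP)
    cookie_user: Optional[str] = None  # cookie a browser would send on plain HTTP

class IpSurrogateCache:
    """client IP -> (user, expiry); machine credentials get their own timeout."""
    def __init__(self, user_timeout: int, machine_timeout: int) -> None:
        self.user_timeout, self.machine_timeout = user_timeout, machine_timeout
        self._entries: Dict[str, Tuple[str, int]] = {}

    def record(self, ip: str, user: str, now: int) -> None:
        # Assumption for the model: computer accounts carry the usual trailing '$'.
        ttl = self.machine_timeout if user.endswith("$") else self.user_timeout
        self._entries[ip] = (user, now + ttl)

    def lookup(self, ip: str, now: int) -> Optional[str]:
        entry = self._entries.get(ip)
        if entry is None or now >= entry[1]:
            self._entries.pop(ip, None)  # expired: the next request re-authenticates
            return None
        return entry[0]

def resolve_user(profile: IdentificationProfile, req: Request, cache: IpSurrogateCache,
                 now: int, authenticate: Callable[[Request], str]) -> Optional[str]:
    """User name the proxy attaches, or None (the guide's NULL user). `authenticate`
    stands in for the NTLMSSP exchange: the credential the client presents when challenged."""
    if not profile.requires_auth:
        return None
    if profile.surrogate == "ip":
        user = cache.lookup(req.client_ip, now)
        if user is None:
            user = authenticate(req)
            cache.record(req.client_ip, user, now)
        return user
    # Cookie surrogate: the cookie is visible only on plain HTTP. For HTTPS it sits inside
    # the TLS stream, for FTP over HTTP there is none, and the client is not prompted.
    if req.scheme == "http":
        return req.cookie_user or authenticate(req)
    return None

def select_policy(policies, profile: IdentificationProfile, user: Optional[str]) -> Optional[str]:
    """First matching policy top to bottom; the global policy is last."""
    for p in policies:
        if user is None:  # unauthenticated: only "All Identities" + "All Users" can match
            if p.identities == ALL and p.users == ALL:
                return p.name
            continue
        if (p.identities == ALL or profile.name in p.identities) and \
           (p.users == ALL or user in p.users):
            return p.name
    return None

def _policies():
    return [AccessPolicy("Finance", frozenset({"Employees"}), frozenset({"CORP\\alice"})),
            AccessPolicy("Global", ALL, ALL)]

def scenario(surrogate: str) -> Dict[str, Optional[str]]:
    """Policy matched by CORP\\alice's HTTP, HTTPS and FTP-over-HTTP requests."""
    profile = IdentificationProfile("Employees", True, surrogate)
    cache = IpSurrogateCache(user_timeout=3600, machine_timeout=3600)
    results = {}
    for scheme in ("http", "https", "ftp"):
        req = Request("10.0.0.5", scheme, cookie_user="CORP\\alice")
        user = resolve_user(profile, req, cache, 0, lambda r: "CORP\\alice")
        results[scheme] = select_policy(_policies(), profile, user)
    return results

def machine_credential_scenario(machine_timeout: int) -> Tuple[Optional[str], Optional[str]]:
    """NCSI probe authenticates as the machine account at t=0; alice browses at t=60."""
    profile = IdentificationProfile("Employees", True, "ip")
    cache = IpSurrogateCache(user_timeout=3600, machine_timeout=machine_timeout)
    creds = iter(["CORP\\HOST01$", "CORP\\alice"])  # what successive NTLMSSP challenges return
    auth = lambda r: next(creds)
    resolve_user(profile, Request("10.0.0.5", "http"), cache, 0, auth)   # NCSI probe, pre-logon
    user = resolve_user(profile, Request("10.0.0.5", "http"), cache, 60, auth)  # the user's browsing
    return user, select_policy(_policies(), profile, user)

if __name__ == "__main__":
    print("ip surrogate:", scenario("ip"), "cookie surrogate:", scenario("cookie"))
    print("machine timeout 3600:", machine_credential_scenario(3600), "30:", machine_credential_scenario(30))
```

With the IP surrogate, all three of alice's requests land in the Finance policy because the proxy keys on her client address. With the cookie surrogate, only the plain HTTP request does; the HTTPS and FTP over HTTP requests carry a NULL user and fall through to Global, which is the symptom described above. The second scenario shows why the workaround works: with a long machine-credential timeout the HOST01$ entry is still cached when alice starts browsing and she is placed in Global, whereas with a short timeout the entry has expired, the proxy re-challenges, and she is matched to Finance.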
Policy Troubleshooting Tool: Policy Trace