Cisco Cisco Web Security Appliance S670 ユーザーガイド

Workarounds:

Have users first authenticate with the Web Proxy by requesting a different URL through the browser 
before connecting to a URL that uses POST as a first request. 

Bypass authentication for URLs that use POST as a first request. 

When working with Access Control, you can bypass authentication for the Assertion Consumer 
Service (ACS) URL configured in the Application Authentication Policy.

.

If both the appliance and the upstream proxy use authentication with NTLMSSP, depending on the 
configurations, the appliance and upstream proxy might engage in an infinite loop of requesting 
authentication credentials. For example, if the upstream proxy requires Basic authentication, but the 
appliance requires NTLMSSP authentication, then the appliance can never successfully pass Basic 
credentials to the upstream proxy. This is due to limitations in authentication protocols. 

Configuration:

Web Security appliance and upstream proxy server use Basic authentication.

Credential Encryption is enabled on the downstream Web Security appliance. 

Client requests fail on the upstream proxy because the Web Proxy receives an “Authorization” HTTP 
header from clients, but the upstream proxy server requires a “Proxy-Authorization” HTTP header. 

If your network contains an upstream proxy that does not support FTP connections, then you must create 
a Routing Policy that applies to all Identities and to just FTP requests. Configure that Routing Policy to 
directly connect to FTP servers or to connect to a proxy group whose proxies all support FTP 
connections.