Cisco Web Security Appliance S170 User Guide

Cisco IronPort AsyncOS 7.7.5 for Web User Guide
 
Chapter 8 Identities
 summarizes the previous information. 
Understanding How Authentication Scheme Affects Identity Groups
You define the authentication scheme for each Identity group, not at each realm or sequence. That means you can use the same NTLM realm or a sequence that contains an NTLM realm and use it in Identity groups that use either the NTLMSSP, Basic, or “Basic or NTLMSSP” authentication schemes.

The Web Proxy communicates which scheme(s) it supports to the client application at the beginning of a transaction. The Identity group currently in use determines which scheme(s) it supports. When the Web Proxy informs the client application that it supports both Basic and NTLMSSP, the client application chooses which scheme to use in the transaction.

Some client applications, such as Internet Explorer, always choose NTLMSSP when given a choice between NTLMSSP and Basic. This might cause a user to not pass authentication when all of the following conditions are true:
  • The Identity group uses a sequence that contains both LDAP and NTLM realms.
  • The Identity group uses the “Basic or NTLMSSP” authentication scheme.
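
The scheme negotiation described above can be checked from the client side. The following Python sketch is an added example, not code from the Cisco guide: it lists the schemes a challenge response offers, models a client that always picks NTLMSSP, and reports whether the two conditions listed above hold. It assumes the standard HTTP challenge headers (Proxy-Authenticate or WWW-Authenticate) and the wire token NTLM for NTLMSSP; the sample response, realm name, and function names are constructed for illustration.

```python
import re

# Constructed sample: a challenge such as a proxy might return when the matching
# Identity group uses the "Basic or NTLMSSP" scheme (realm name is made up).
SAMPLE_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    'Proxy-Authenticate: Basic realm="example-realm"\r\n'
    "Connection: close\r\n"
    "\r\n"
)

CHALLENGE_HEADERS = {"proxy-authenticate", "www-authenticate"}

def offered_schemes(raw_response):
    """Return the advertised auth schemes, lowercased, in the order offered."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in CHALLENGE_HEADERS:
            continue
        # Simplification: take the first token of each challenge header line.
        m = re.match(r"\s*([A-Za-z][\w-]*)", value)
        if m and m.group(1).lower() not in schemes:
            schemes.append(m.group(1).lower())
    return schemes

def client_choice(schemes, prefers_ntlm=True):
    """Model the client's pick; prefers_ntlm=True mimics clients that always
    choose NTLMSSP when it is offered alongside Basic."""
    if not schemes:
        return None
    if prefers_ntlm and "ntlm" in schemes:
        return "ntlm"
    return "basic" if "basic" in schemes else schemes[0]

def review(raw_response, sequence_realms):
    """Check the two conditions listed above for one Identity group.
    sequence_realms: realm types in the group's sequence (operator-supplied)."""
    schemes = offered_schemes(raw_response)
    both_offered = {"basic", "ntlm"} <= set(schemes)
    mixed_sequence = {"ldap", "ntlm"} <= {r.lower() for r in sequence_realms}
    return {
        "offered": schemes,
        "ntlm_preferring_client_uses": client_choice(schemes, True),
        "listed_conditions_met": both_offered and mixed_sequence,
    }
```
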

Table 8-1  Matching HTTPS and FTP over HTTP Requests to Identities

Surrogate Types: No Surrogate
  Explicit Requests: HTTPS and FTP over HTTP requests are matched like HTTP requests.
  Transparent Requests: N/A

Surrogate Types: IP-based
  Explicit Requests: HTTPS and FTP over HTTP requests are matched like HTTP requests.
  Transparent Requests: FTP over HTTP requests are matched like HTTP requests. HTTPS requests are matched like HTTP requests under any of the following conditions:
    • A previous HTTP request was authenticated using an identity with an IP-based surrogate.
    • A previous HTTP request was not authenticated, but the HTTPS Proxy is configured to decrypt the first HTTPS request.
    Otherwise, if a previous HTTP request was not authenticated and the HTTPS Proxy is configured to deny the request, the HTTPS request fails.

Surrogate Types: Cookie-based
  Explicit Requests: The client is not prompted for authentication.
    Note: When credential encryption is disabled, no surrogates are used, and HTTPS requests are matched like HTTP requests.
  Transparent Requests: The client is not prompted for authentication.