Cisco Cisco Web Security Appliance S170 사용자 가이드
W O R K I N G W I T H U P S T R E A M P R O X Y S E R V E R S
C H A P T E R 1 7 : A U T H E N T I C A T I O N
355
method for prompting users to provide their user names and passwords. These applications
cannot be used when the Web Security appliance is deployed in transparent mode.
cannot be used when the Web Security appliance is deployed in transparent mode.
The following is a partial list of applications that do not work when the appliance is deployed
in transparent mode:
in transparent mode:
• Mozilla Thunderbird
• Adobe Acrobat Updates
• HttpBridge
• Subversion, by CollabNet
• Microsoft Windows Update
• Microsoft Visual Studio
Note — If users need to access a particular URL using one of these client applications, then
create an Identity based on a custom URL category that does not require authentication and
place the Identity above all other Identities that require authentication. When you do this, the
client application will not be asked for authentication.
create an Identity based on a custom URL category that does not require authentication and
place the Identity above all other Identities that require authentication. When you do this, the
client application will not be asked for authentication.
Working with Upstream Proxy Servers
When the Web Security appliance is connected to an upstream proxy server, you can
configure the appliance or the upstream proxy to use authentication, but not both. IronPort
recommends configuring the Web Security appliance to use authentication. This allows you
to create policies based on user authentication.
configure the appliance or the upstream proxy to use authentication, but not both. IronPort
recommends configuring the Web Security appliance to use authentication. This allows you
to create policies based on user authentication.
If both the appliance and the upstream proxy use authentication, depending on the
configurations, the appliance and upstream proxy might engage in an infinite loop of
requesting authentication credentials. For example, if the upstream proxy requires Basic
authentication, but the appliance requires NTLMSSP authentication, then the appliance can
never successfully pass Basic credentials to the upstream proxy. This is due to limitations in
authentication protocols.
configurations, the appliance and upstream proxy might engage in an infinite loop of
requesting authentication credentials. For example, if the upstream proxy requires Basic
authentication, but the appliance requires NTLMSSP authentication, then the appliance can
never successfully pass Basic credentials to the upstream proxy. This is due to limitations in
authentication protocols.
Authenticating Users
When users access the web through the Web Security appliance, they might get prompted to
enter a user name and password. The Web Proxy requires authentication credentials for some
users depending on the configured Identity and Access Policy groups. Users should enter the
user name and password of the credentials recognized by the organization’s authentication
server.
enter a user name and password. The Web Proxy requires authentication credentials for some
users depending on the configured Identity and Access Policy groups. Users should enter the
user name and password of the credentials recognized by the organization’s authentication
server.
When the Web Proxy uses NTLMSSP authentication with an NTLM authentication realm,
users are typically not prompted to enter a user name and password if single sign-on is
configured correctly. However, if users are prompted for authentication, they must type the
name of their Windows domain before their user name. For example, if user jsmith is on
Windows domain MyDomain, then the user should type the following text in the user name
field:
users are typically not prompted to enter a user name and password if single sign-on is
configured correctly. However, if users are prompted for authentication, they must type the
name of their Windows domain before their user name. For example, if user jsmith is on
Windows domain MyDomain, then the user should type the following text in the user name
field: