Cisco Cisco Web Security Appliance S170 사용자 가이드
20-10
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 20 Authentication
Authentication Realms
lists advantages and disadvantages of using explicit forward NTLM authentication.
Transparent Deployment, NTLM Authentication
Transparent NTLM authentication is similar to transparent Basic authentication except that the Web
Proxy communicates with clients using NTLMSSP instead of Basic. However, with transparent NTLM
authentication, the authentication credentials are not sent in the clear to the authentication server.
Proxy communicates with clients using NTLMSSP instead of Basic. However, with transparent NTLM
authentication, the authentication credentials are not sent in the clear to the authentication server.
For more information, see
.
The advantages and disadvantages of using transparent NTLM authentication are the same as those of
using transparent Basic authentication except that transparent NTLM authentication is better because the
password is not sent to the authentication server and you can achieve single sign-on when the client
applications are configured to trust the Web Security appliance. For more information on the advantages
and disadvantages of transparent Basic authentication, see
using transparent Basic authentication except that transparent NTLM authentication is better because the
password is not sent to the authentication server and you can achieve single sign-on when the client
applications are configured to trust the Web Security appliance. For more information on the advantages
and disadvantages of transparent Basic authentication, see
.
Authentication Realms
An authentication realm is a set of authentication servers (or a single server) supporting a single
authentication protocol with a particular configuration.
authentication protocol with a particular configuration.
You can perform any of the following tasks when configuring authentication:
•
Include up to three authentication servers in a realm.
•
Create zero or more LDAP realms.
•
Create between zero and 10 NTLM realms.
•
Include an authentication server in multiple realms.
•
Include one or more realms in an authentication sequence.
•
Include realms of different protocols in a single authentication sequence, but only one NTLM realm
can use NTLMSSP in the sequence.
can use NTLMSSP in the sequence.
•
Assign a realm or a sequence to an Identity group.
You create, edit, and delete authentication realms on the Network > Authentication page under the
Authentication Realms section.
Authentication Realms section.
When you create two or more realms, you can order them in an authentication sequence. For more
information, see
information, see
.
Table 20-7
Pros and Cons of Explicit Forward NTLM Authentication
Advantages
Disadvantages
•
Because the password is not transmitted to the
authentication server, it is more secure
authentication server, it is more secure
•
Connection is authenticated, not the host or IP address
•
Achieves true single sign-on in an Active Directory
environment when the client applications are
configured to trust the Web Security appliance
environment when the client applications are
configured to trust the Web Security appliance
•
Moderate overhead: each new
connection needs to be
re-authenticated
connection needs to be
re-authenticated
•
Primarily supported on Windows only
and with major browsers only
and with major browsers only