Cisco Web Security Appliance S190 User Guide
IRONPORT ASYNCOS 6.3 FOR WEB USER GUIDE
• No information available from a previous HTTP request. When the Web Proxy has no
credential information for the client, then it fails the HTTPS request.
• Cookie-based authentication surrogates and transparent requests. When the appliance
uses cookie-based authentication, the Web Proxy does not get cookie information from
clients for HTTPS and FTP over HTTP requests. Therefore, it cannot get the user name
from the cookie. In this situation, HTTPS and FTP over HTTP requests still match the
Identity group according to the other membership criteria, but the Web Proxy does not
prompt clients for authentication even if the Identity group requires authentication.
Instead, the Web Proxy sets the user name to NULL and considers the user as
unauthenticated. Then, when the unauthenticated request is evaluated against the
non-Identity policy groups, it only matches non-Identity groups that specify “All Identities” and
apply to “All Users.” Typically, this is the global policy, such as the global Access Policy.
For a diagram of how this occurs, see Figure 7-3 on page 134.
• Cookie-based authentication surrogates and explicit requests. The behavior is different,
depending on whether or not credential encryption is enabled:
  • Credential encryption enabled. The behavior is the same as cookie-based
  authentication with transparent requests, as described above.
  • Credential encryption disabled. The Web Proxy uses no surrogates and HTTPS and
  FTP over HTTP requests are authenticated and matched to Identity groups like HTTP
  requests. For a diagram of how this occurs, see Figure 7-2 on page 133.
Table 7-1 summarizes the information described above.
Table 7-1 Matching HTTPS and FTP over HTTP Requests to Identities
| Surrogate Types | Explicit Requests | Transparent Requests |
|---|---|---|
| No Surrogate | HTTPS and FTP over HTTP requests are matched like HTTP requests. | N/A |
| IP-based | HTTPS and FTP over HTTP requests are matched like HTTP requests. | FTP over HTTP requests are matched like HTTP requests. HTTPS requests are matched like HTTP requests only if a previous HTTP request was authenticated, otherwise, the request fails. |
| Cookie-based | Client is not prompted for authentication. Note: When credential encryption is disabled, no surrogates are used and HTTPS requests are matched like HTTP requests. | Client is not prompted for authentication. |
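The sketch below is an added example, not code from the guide or from the appliance. It models the HTTPS rows of Table 7-1 and the NULL-user rule to show which policy groups a request can still reach. The function names, the policy dictionary layout, and the sample policy set are assumptions made for illustration.

```python
from enum import Enum

class Outcome(Enum):
    LIKE_HTTP = "authenticated and matched like an HTTP request"
    FAIL = "request fails"
    NULL_USER = "no prompt; user name NULL, treated as unauthenticated"

def https_outcome(surrogate, mode, cred_encryption=False, prior_http_auth=False):
    """Model of Table 7-1. surrogate: none|ip|cookie; mode: explicit|transparent."""
    if mode not in ("explicit", "transparent"):
        raise ValueError(f"unknown mode: {mode}")
    if surrogate == "none":
        if mode == "transparent":
            raise ValueError("Table 7-1 lists N/A for this combination")
        return Outcome.LIKE_HTTP
    if surrogate == "ip":
        # Transparent HTTPS needs an earlier authenticated HTTP request.
        if mode == "explicit" or prior_http_auth:
            return Outcome.LIKE_HTTP
        return Outcome.FAIL
    if surrogate == "cookie":
        # Explicit + credential encryption disabled: no surrogate is used.
        if mode == "explicit" and not cred_encryption:
            return Outcome.LIKE_HTTP
        return Outcome.NULL_USER
    raise ValueError(f"unknown surrogate: {surrogate}")

def eligible_policies(policies, outcome, identity, user):
    """Names of non-Identity policy groups the request can still match."""
    if outcome is Outcome.FAIL:
        return []
    if outcome is Outcome.NULL_USER:
        # NULL user: only "All Identities" + "All Users" groups qualify.
        return [p["name"] for p in policies
                if p["identities"] == "All Identities" and p["users"] == "All Users"]
    # Assumption: simplified HTTP matching on identity name and user membership.
    return [p["name"] for p in policies
            if p["identities"] in ("All Identities", identity)
            and (p["users"] == "All Users" or user in p["users"])]

# Constructed sample policy set (names are hypothetical).
POLICIES = [
    {"name": "Finance-Restricted", "identities": "Finance", "users": {"alice"}},
    {"name": "Global Access Policy", "identities": "All Identities", "users": "All Users"},
]

if __name__ == "__main__":
    o = https_outcome("cookie", "transparent")
    print(o.value, "->", eligible_policies(POLICIES, o, "Finance", None))
```

With cookie-based surrogates, the per-user group in the sample set is never reached for HTTPS, so any restriction that must apply to that traffic has to be expressed in a group that covers “All Identities” and “All Users.”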