Cisco Cisco Web Security Appliance S170 사용자 가이드

342

I R O N P O R T   A S Y N C O S   6 . 3   F O R   W E B   U S E R   G U I D E  

Table 16-6 lists advantages and disadvantages of using transparent Basic authentication and 
cookie-based credential caching. 

Explicit Forward Deployment, NTLM Authentication

The Web Proxy uses a third party challenge and response system to authenticate users on the 
network.

The authentication process comprises these steps:

1. Client sends a request to the Web Proxy to connect to a web page.

2. Web Proxy responds with a 407 HTTP response “Proxy Authentication Required.”

3. Clients repeats request and includes a “Proxy-Authorization” HTTP header with an NTLM 

“negotiate” message.

4. Web Proxy responds with a 407 HTTP response and an NTLM “challenge” message based 

on the negotiate message from the client.

5. Client repeats the request and includes a response to the challenge message.

Note — The client uses an algorithm based on its password to modify the challenge and 
sends the challenge response to the Web Proxy.

6. Web Proxy passes the authentication information to the Active Directory server. The 

Active Directory server then verifies that the client used the correct password based on 
whether or not it modified the challenge string appropriately.

7. If the challenge response passes, the Web Proxy returns the requested web page.

Note — Additional requests on the same TCP connection do not need to be authenticated 
again with the Active Directory server.

Table 16-6 Pros and Cons of Transparent Basic Authentication—Cookie Caching

Advantages

Disadvantages

• Works with all major browsers
• Authentication is associated with the user 

rather than the host or IP address

• Each new web domain requires the entire 

authentication process because cookies are 
domain specific

• Requires cookies to be enabled
• Does not work for HTTPS requests
• No single sign-on
• Password is sent as clear text (Base64)