Cisco Web Security Appliance S170 User Guide
364
IronPort AsyncOS 6.3 for Web User Guide
To configure the appliance to use credential encryption, enable the Credential Encryption
setting in the global authentication settings. For more information, see “Configuring Global
Authentication Settings” on page 353. You can also use the
advancedproxyconfig > authentication CLI command. For more information, see “Advanced Proxy Configuration”
Uploading Certificates and Keys to Use with Credential Encryption
When credential encryption is enabled, the appliance uses a digital certificate to securely
establish a connection with the client application. By default, the Web Security appliance
uses the “IronPort Appliance Demo Certificate” that comes installed. However, client
applications are not programmed to recognize this certificate, so you can upload a digital
certificate to the appliance that your applications recognize automatically.
Use the Advanced section on the Network > Authentication page to upload the certificate and
key.
For more information on obtaining a certificate and private key pair to upload, see “Obtaining
Certificates” on page 514.
Note — Any certificate and key you upload on the Network > Authentication page is only
used for establishing secure connections with clients for credential encryption. The certificate
and key are not used for establishing secure HTTPS sessions when connecting to the Web
Security appliance web interface. For more information on uploading a certificate and key
pair for HTTPS connections to the web interface, see “Installing a Server Digital Certificate”
on page 514.
Accessing HTTPS and FTP Sites with Credential Encryption Enabled
Credential encryption works because the Web Proxy redirects clients to the Web Proxy itself
for authentication using an HTTPS connection. After successful authentication, the Web
Proxy redirects clients back to the original web site. In order to continue to identify the user, the
Web Proxy must use a surrogate (either the IP address or a cookie).
However, using a cookie to track users when the client accesses HTTPS sites or FTP servers
using FTP over HTTP does not work.
• HTTPS. The Web Proxy must resolve the user identity before assigning a Decryption
Policy (and therefore, decrypt the transaction), but it cannot obtain the cookie to identify
the user unless it decrypts the transaction.
• FTP over HTTP. The dilemma with accessing FTP servers using FTP over HTTP is similar to
accessing HTTPS sites. The Web Proxy must resolve the user identity before assigning an
Access Policy, but it cannot set the cookie from the FTP transaction.
Because of this, you should configure the appliance to use IP addresses as the surrogate when
credential encryption is enabled.
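The surrogate limitation described above, modelled as an added Python example (this is not Cisco code and not the appliance's implementation): a small proxy-side store records an authenticated user under either surrogate type, then tries to identify the same client on a plain HTTP request, an HTTPS (CONNECT) request and an FTP-over-HTTP request. With the IP surrogate the user is found in all three cases; with the cookie surrogate only the plain HTTP request can be identified, because the cookie is inside the TLS session for HTTPS and is never set for the FTP transaction. The cookie name `proxy_surrogate`, the token format and the client address `192.0.2.10` are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Request:
    """A client request as the proxy sees it before any decryption."""
    client_ip: str
    scheme: str              # "http", "https" (CONNECT) or "ftp" (FTP over HTTP)
    cookie_header: str = ""  # Cookie header the proxy can read in cleartext, if any


class SurrogateStore:
    """Tracks authenticated users by one of the two surrogate types: IP address or cookie."""

    def __init__(self, surrogate_type: str):
        if surrogate_type not in ("ip", "cookie"):
            raise ValueError("surrogate_type must be 'ip' or 'cookie'")
        self.surrogate_type = surrogate_type
        self._by_ip: Dict[str, str] = {}      # client IP -> username
        self._by_cookie: Dict[str, str] = {}  # cookie token -> username

    def record_authentication(self, client_ip: str, username: str) -> Optional[str]:
        """Called once the HTTPS redirect to the proxy has authenticated the user.
        Returns the cookie value to set on the redirect back (cookie surrogate only)."""
        if self.surrogate_type == "ip":
            self._by_ip[client_ip] = username
            return None
        token = f"tok{len(self._by_cookie) + 1}"  # constructed placeholder token format
        self._by_cookie[token] = username
        return token

    def identify(self, req: Request) -> Optional[str]:
        """Resolve the user behind a request, or None if the surrogate cannot be read."""
        if self.surrogate_type == "ip":
            # The source address is visible for every transport, CONNECT and FTP included.
            return self._by_ip.get(req.client_ip)
        if req.scheme == "https":
            # Only the CONNECT line is cleartext; the Cookie header is inside the TLS
            # session, which cannot be decrypted until a Decryption Policy is assigned.
            return None
        if req.scheme == "ftp":
            # The proxy cannot set a cookie on an FTP transaction, so none exists to read.
            return None
        for part in req.cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name == "proxy_surrogate":  # constructed cookie name
                return self._by_cookie.get(value)
        return None


def simulate(surrogate_type: str) -> Dict[str, Optional[str]]:
    """Authenticate one client, then try to identify it over the three request kinds."""
    store = SurrogateStore(surrogate_type)
    client_ip = "192.0.2.10"  # constructed client address
    token = store.record_authentication(client_ip, "alice")
    cookie = f"proxy_surrogate={token}" if token else ""
    # The same cookie is offered for every scheme; identify() decides whether the
    # proxy is actually able to read it for that kind of request.
    return {
        scheme: store.identify(Request(client_ip, scheme, cookie))
        for scheme in ("http", "https", "ftp")
    }


if __name__ == "__main__":
    for kind in ("ip", "cookie"):
        print(f"{kind} surrogate: {simulate(kind)}")
```

Running the block prints the identification result per scheme for both surrogate types; the cookie-surrogate row shows `None` for `https` and `ftp`, which is the situation the guide tells you to avoid by selecting the IP surrogate whenever credential encryption is on.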
Note — Authentication does not work with HTTPS and FTP over HTTP requests when
credential encryption is enabled and configured to use cookies as the surrogate type.
Therefore, with this configuration setup, HTTPS and FTP over HTTP requests only match